How Lapsus$ Data Leak May Affect Nvidia and Its Customers
Ransomware Group Says It Has Published Nvidia Source Codes, GPU Drivers
Days after Nvidia's reported cyberattack, the Lapsus$ ransomware group says it has released a portion of the highly confidential stolen data, comprising source codes, GPU drivers and documentation on Nvidia's fast logic controller product, also known as Falcon and Lite Hash Rate or LHR GPU (see: Chipmaker Nvidia Investigating Potential Cyberattack).
The Falcon series comprises proprietary embedded micro-controllers for Nvidia GPUs. The LHR GPU is designed to restrict cryptomining without compromising gaming performance.
The threat actor, on its Telegram channel on Monday, shared the download link to an 18GB data dump, which it said contains the stolen confidential data. The total stolen data is said to be about 1TB.
As proof of the exploit, the threat group posted a screenshot from Visual Studio integrated development environment showing proprietary source code used by Nvidia.
A prominent threat researcher, who requested anonymity due to the ongoing investigation, tells ISMG that his assessment confirms Lapsus$ group's claim to have access to valuable proprietary data from Nvidia.
Based on the snapshot of code Lapsus$ shared on its Telegram channel, he tells ISMG that the data shared is a small part of the source code of NVDEC, which is used by Nvidia drivers to encode video in graphics cards. "This indicates that the attackers were able to exfiltrate highly sensitive data," the researcher says.
On Saturday, the Lapsus$ group said that Nvidia tried to hack it in a counteroffensive, but was unable to achieve its objective as the hackers had taken backups of all the stolen data.
A threat intelligence and threat research specialist who goes by the name CyberKnow said on Twitter that the fact that Nvidia hacked the group back suggests that the stolen data is valuable.
The group, on its Telegram channel, says it maintained persistence for a week before procuring admin rights in several of the company's systems.
In addition to source codes, it claims that it has stolen 1TB of data, including schematics, drivers and firmware and SDKs.
The Lapsus$ group says that it is still waiting to hear from Nvidia.
Nvidia: 'No Evidence of Ransomware Attack'
A Nvidia spokesperson tells ISMG that on Feb. 23 the company became aware of a cybersecurity incident that affected its IT resources. "Shortly after discovering the incident, we hardened our network, engaged cybersecurity incident response experts, and notified law enforcement," the spokesperson says.
As the incident occurred almost in sync with Russia's attack on Ukraine, there was speculation on whether the cyberattack on Nvidia was politically motivated.
The company says that it has no evidence of ransomware being deployed in the Nvidia environment or that the incident is related to the Russia-Ukraine conflict.
"We are, however, aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information," says the Nvidia spokesperson.
The company says it does not anticipate any disruption to its business or its ability to serve customers as a result of the incident.
Implications of Data Breach
Commenting on the incident, Ahmed Sharaf, CTO and co-founder of Massachusetts-based cybersecurity firm Xband Enterprises, tells ISMG that if a company the size of Nvidia can be attacked so readily, it becomes quite clear that small and medium-sized businesses do not have the people and cybersecurity prowess to remediate such events rapidly.
"Simply stated, they are outmanned and outgunned to address such challenges and cyberattacks," he says.
In its previous data leak, Lapsus$ operators had released an 8.2MB file containing plain-text passwords belonging to 21,897 Nvidia resources.
Underlining the importance of compromised employee credentials, Jay Hira, a cybersecurity strategist associated with Sydney-based not-for-profit organization MakeCyberSimple, tells ISMG that leaked passwords of employees are "equally, if not more damaging, than other forms of compromised data."
He says incidents such as this are not only an indicator of the maturity of cyber hygiene practices, they could also very well lead to a compromise of customer data depending on the authentication and authorization practices, including the strength of the "multifactor authentication strategy and capabilities and if there is a process of leveraging contextual information in the form of user identity, role, device, network, location, user risk indicator, etc., at the time of determining whether to enforce a more robust authentication mechanism."
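Hira's point about contextual signals at authentication time can be illustrated with a small step-up policy. The following is an added example, not code from ISMG, Nvidia or MakeCyberSimple; the signal names, weights, thresholds and the upstream risk score are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed login context: the signals Hira lists (identity, role, device,
# network, location, user risk indicator), plus whether the password is in a
# known leak set, which matters when employee credentials have been published.
@dataclass
class LoginContext:
    user: str
    role: str               # e.g. "engineer" or "admin"
    device_known: bool      # device previously enrolled for this user
    network_trusted: bool   # corporate network or VPN
    country: str            # geolocation of this attempt
    last_country: str       # geolocation of the last successful login
    risk_score: int         # 0..100 from an upstream risk engine (assumed to exist)
    credential_leaked: bool # password matches a known-leaked credential set


def auth_decision(ctx: LoginContext) -> tuple[str, int]:
    """Return (decision, score). Decisions: allow, step_up, deny, deny_and_reset."""
    # A credential known to be leaked is not a risk signal to weigh; it is
    # a reason to refuse the password outright and force a reset.
    if ctx.credential_leaked:
        return "deny_and_reset", 100

    score = 0
    if not ctx.device_known:
        score += 30
    if not ctx.network_trusted:
        score += 20
    if ctx.country != ctx.last_country:
        score += 25
    score += ctx.risk_score // 4  # contributes 0..25 (assumed weighting)

    # Privileged roles step up sooner and are refused sooner.
    if ctx.role == "admin":
        step_up_at, deny_at = 20, 60
    else:
        step_up_at, deny_at = 40, 80

    if score >= deny_at:
        return "deny", score
    if score >= step_up_at:
        return "step_up", score
    return "allow", score


if __name__ == "__main__":
    ctx = LoginContext("alice", "admin", device_known=False, network_trusted=True,
                       country="US", last_country="US", risk_score=0,
                       credential_leaked=False)
    print(auth_decision(ctx))
```

The weights are deliberately simple; the structural point is that a leaked credential short-circuits the scoring, and that the threshold for requiring a stronger factor depends on the role, not only on the raw signals.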
There is also a chance that Lapsus$ group's malware targeted at Nvidia might slip into the firm's software and GPUs. In August 2021, Bleeping Computer reported how cybercriminals could execute attacks with malware that executes code from the GPU of a compromised system.
Lapsus$ operators are also offering to sell LHR bypass - firmware that is capable of overcoming Nvidia's built-in restrictions to limit cryptomining.
Few Takers for Stolen Data
Although the experts ISMG spoke with agree that the compromised data is of great value to Nvidia, their views are divided on the ransomware group's intention to sell stolen proprietary data.
Chester Wisniewski, principal research scientist at British cybersecurity firm Sophos, says no one "would taint their products or research with stolen information."
RE: Nvidia hackers: What's amazing is how valuable they think the data is. Who is going to use this data? AMD? As if they would taint their products or research with stolen information. It's useless. Just like every other ransomware/extortion attempt. Fools.— Chester Wisniewski (@chetwisniewski) February 28, 2022
CyberKnow says that from what he knows, the Lapsus$ group doesn't sell data. "Lapsus$ is about extortion - they want to get a payment from the owners." He also says the stolen data is "probably not going to be highly valuable."
And a threat researcher who goes by the name Clandestine offers a different perspective, saying that on the dark web one can always find source code for paid software. He says the great demand for stolen source codes is driving more data leak incidents and that Nvidia's competitors "could develop other code based on the original."
For companies that use Nvidia hardware, Sharaf advises: "Do not update or patch your software until a formal announcement from Nvidia that their software and tool and chains have not been affected. Never trust, always verify."
Using an updated privileged user list, Sharaf says the company must start monitoring those accounts immediately.
"Passwords should be salted and hashed, perhaps even peppered, but never stored in plain text. If this was done, reset these values, which will force everyone to log out. Change passwords and ensure that multifactor authentication is enabled. This will verify everyone when they log back in."
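Sharaf's advice about salting, hashing and peppering, and about resetting stored values to force a re-login, can be shown concretely. The following is an added example and not code from ISMG, Nvidia or Xband Enterprises; the pepper value, the PBKDF2 parameters and the credential-version scheme for invalidating sessions are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: in production the pepper is loaded from a secrets manager or HSM,
# never stored next to the password table. This constructed value is for the demo.
PEPPER = b"constructed-demo-pepper-do-not-reuse"
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to hardware)


@dataclass
class StoredCredential:
    salt: bytes       # per-user random salt, stored alongside the digest
    digest: bytes     # PBKDF2 output; never the password itself
    iterations: int   # stored so the work factor can be raised later
    version: int      # bumped on reset; sessions carrying an older version are dead


def _pepper(password: str) -> bytes:
    # HMAC the password with the pepper first, so a leaked table of
    # salts and digests cannot be attacked without the pepper.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, version: int = 1) -> StoredCredential:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, ITERATIONS)
    return StoredCredential(salt, digest, ITERATIONS, version)


def verify_password(password: str, cred: StoredCredential) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", _pepper(password), cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)  # constant-time compare


def issue_session(cred: StoredCredential) -> dict:
    # A session records the credential version it was issued under.
    return {"token": os.urandom(16).hex(), "cred_version": cred.version}


def session_valid(session: dict, cred: StoredCredential) -> bool:
    return session["cred_version"] == cred.version


def force_reset(cred: StoredCredential) -> StoredCredential:
    # Replace salt and digest with random bytes (no password can verify) and
    # bump the version, so every existing session is logged out and the user
    # must set a new password, re-enrolling through MFA on the way back in.
    return StoredCredential(os.urandom(16), os.urandom(32), cred.iterations, cred.version + 1)


def set_new_password(cred: StoredCredential, new_password: str) -> StoredCredential:
    # New password keeps the post-reset version so old sessions stay invalid.
    return hash_password(new_password, version=cred.version)


if __name__ == "__main__":
    cred = hash_password("correct horse battery staple")
    session = issue_session(cred)
    print(verify_password("correct horse battery staple", cred), session_valid(session, cred))
    cred = force_reset(cred)
    print(verify_password("correct horse battery staple", cred), session_valid(session, cred))
```

The version field is what turns "reset these values" into "force everyone to log out": a session minted before the reset no longer matches the credential record, regardless of whether its token has expired.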
Given the size of the company, Sharaf says it is likely Nvidia uses end-user behavior analytics. He advises monitoring for anomalous traffic patterns - assessing east-west traffic and privileged escalations.
While investigating its code, Sharaf says, Nvidia must ensure it did not suffer from code injection into the software supply lines. He also says that Nvidia must validate that the hashes of its software and applications have not been affected.
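One way to act on Sharaf's advice to validate software hashes is to compare a release tree against a manifest captured from a trusted build and flag anything changed, missing or newly added. The following is an added example, not code from ISMG or Nvidia; the manifest format, the file names and the "trusted build" snapshot are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    # Assumption: taken from a trusted build and stored (ideally signed)
    # outside the environment being checked.
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict) -> dict:
    """Return {relative_path: status} with status ok, mismatch, missing or unexpected."""
    results = {}
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        path = present.pop(rel, None)
        if path is None:
            results[rel] = "missing"
        elif sha256_file(path) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    # Files with no manifest entry are exactly what an injection into the
    # build or distribution path would look like, so they are reported too.
    for rel in present:
        results[rel] = "unexpected"
    return results


def findings(results: dict) -> dict:
    return {rel: status for rel, status in results.items() if status != "ok"}


def demo() -> dict:
    # Constructed scenario: snapshot a tree, then tamper with it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "driver.bin").write_bytes(b"constructed driver bytes v1")
        (root / "sdk").mkdir()
        (root / "sdk" / "lib.so").write_bytes(b"constructed sdk library")
        manifest = build_manifest(root)

        (root / "driver.bin").write_bytes(b"constructed driver bytes v1 + injected")
        (root / "sdk" / "lib.so").unlink()
        (root / "sdk" / "extra.so").write_bytes(b"constructed file absent from manifest")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10} {rel}")
```

A matching hash only proves the artifact equals the one the manifest was taken from; the manifest itself must come from before the compromise window and be protected independently, otherwise an attacker who altered the build could alter the manifest as well.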
The Lapsus$ Group
The Lapsus$ ransomware group was virtually unknown prior to December 2021, when it targeted Brazil's health ministry. Its subsequent exploits targeted businesses mostly in Portuguese-speaking countries.
In Portugal, the ransomware group brought operations to a grinding halt at a TV channel and newspaper belonging to the country's largest media conglomerate, the Impresa Group (see: Portugal's Major News Websites Remain Offline After Attacks).
Days later, in Brazil, the threat group targeted Localiza, South America's largest car rental firm, by using a DNS attack to redirect visitors to a porn site.
The attack on Nvidia marks the group's foray outside of its favored hunting grounds. Last week, Lapsus$ conducted a poll on its Telegram channel asking subscribers whether it should first leak data from the Impresa Group, Vodafone or T-Mobile - the ransomware group's most recent targets.