Global Chip Maker Nvidia Gets Breached

DESCRIPTION

You can be one of the largest and most innovative technology companies in the world and still be a victim of a cyberattack. Case in point is the multinational chipmaker, Nvidia, who confirmed in early March 2022 that they had been victimized by a data breach. In a statement to CNN, a company spokesperson explained that a weeklong internal investigation verified that a breach had taken place and that employee credentials and Nvidia proprietary data had been compromised and leaked. The attack was first detected on February 23 and while its timing coincided with the Russian offensive upon the country of Ukraine, there is no evidence that the attack is related to the conflict. While some systems were down for two days, Nvidia stated that the attack wasn’t ransomware related and that it expected no further disruptions to operations other than those related to the investigation itself.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

Although it is unknown just how the attack was first identified, a ransomware group called Lapsus$ took credit for the attack by announcing it on their Telegram channel on Feb 24. To prove their involvement, the group posted screenshots showing samples of Nvidia's proprietary code as well as hashed passwords of Nvidia employees. They also posted a link to an 18 GB data dump that they claim represents a small portion of the 1 TB of data the group says it exfiltrated. The group's claims have been confirmed by a third-party cybersecurity team. In particular, the group claims to be in possession of the source code for Nvidia's hash rate limiter. Nvidia manufactures GPU chips that are used for highly intensive graphical applications such as gaming. Besides the extortion threat of releasing additional sensitive information, the group is demanding that Nvidia remove the LHR hash rate limiter from its GPU chips, claiming that it negatively impacts crypto miners as well as gamers. It is believed that Lapsus$ initiated the attack through phishing, a technique they have used in prior attacks in recent months, including one on a Portuguese media group and two South American telecommunication providers. They are also known to exploit social media accounts.

The most disturbing aspect of this attack is that two of NVIDIA's code-signing certificates were included in the exfiltrated data. Security analysts have since confirmed that malicious binaries signed with the stolen certificates have been discovered. By signing malware with the stolen certificates, a threat actor can cause Windows to mistakenly verify the malware as a legitimate NVIDIA update or program, allowing it to load at the kernel level. Although the certificates are expired, they can still be used to fool older Windows computers.
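As an added example that is not part of the bulletin, the following PowerShell check is one way a defender can hunt for the abuse described above: it reads the Authenticode signature of each driver file and flags any whose signer certificate names NVIDIA and is either expired or on a block list. The thumbprints are placeholders, because the bulletin does not list the leaked certificates; substitute the published indicators before use.

```powershell
# Added example (not from the bulletin): flag binaries signed with an NVIDIA
# code-signing certificate that is expired or whose thumbprint is block-listed.
# The thumbprints below are PLACEHOLDERS, not the real leaked values.
$BlockedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

function Test-SuspiciousNvidiaSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) { return $null }   # unsigned file: outside the scope of this check

    $isNvidia  = $cert.Subject -match 'NVIDIA'
    $isExpired = $cert.NotAfter -lt (Get-Date)
    $isBlocked = $BlockedThumbprints -contains $cert.Thumbprint

    if (-not ($isNvidia -and ($isExpired -or $isBlocked))) { return $null }

    $reason = if ($isBlocked) { 'blocked thumbprint' } else { 'expired signer' }
    [pscustomobject]@{
        Path       = $Path
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Status     = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Reason     = $reason
    }
}

# Scan the driver directory; extend the path list to cover other locations as needed.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Include *.sys,*.dll,*.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousNvidiaSignature -Path $_.FullName } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

An "expired signer" hit is a triage lead rather than proof of compromise, since legitimate NVIDIA drivers that were timestamped before expiry also carry a now-expired signer; the thumbprint match is the decisive indicator.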

CONTAINMENT (If IoCs are identified)

Upon discovering the attack, Nvidia immediately set about hardening their network and initiated their incident response plan. They notified law enforcement and obtained the help of forensic investigators. In an unusual twist, Lapsus$ claims that Nvidia responded by attacking them in return. The group reported that Nvidia managed to encrypt their virtual machines, but the group had backups of everything and were able to recover. Nvidia has not responded to the assertion that they struck back.

PREVENTION

Because most malware attacks use email as their delivery mechanism, it is imperative to secure your email environment. Some organizations have gone as far as enforcing text-only email that forbids embedded hyperlinks. While many users view this as extreme, it is the only sure way to stop users from clicking on links. If you don't want to be that restrictive, an advanced email security system is required. These modern email protection systems go far beyond mere spam filtering: they can rewrite URLs within email so that user clicks pass through a security inspection before reaching the destination, and they add embedded antivirus protection, real-time blacklists, heuristic analysis, and sandboxing. Organizations should also implement training programs focused on cyber hygiene so that users can better identify a suspicious email. Email and remote access systems should be reinforced with multifactor authentication (MFA) to add a second verification method, as passwords alone are no longer sufficient to protect users' accounts from compromise. Companies should assume that their network will be breached at some point, so it is essential to encrypt data at rest so that attackers cannot access it if they do get in.

Ensure your incident response readiness in the event of an attack. Review your security and risk profile.


HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.