Nvidia Data, Credentials Stolen in Cyberattack
Chipmaker Nvidia is the latest large enterprise to fall victim to a cybersecurity breach, one which resulted in the theft of some employee credentials as well as some of the company’s proprietary information. The attack, which was first reported in Bloomberg news on March 1, was first noticed by the company on February 23.
The hacking group Lapsus$ claimed responsibility for the attack and, according to a report in PCMag, made off with more than a terabyte of data.
The group began leaking some of those files online while demanding cryptocurrency payments from Nvidia to keep the data secret.
“We are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online,” a company statement confirmed to various news outlets. “Our team is working to analyze that information.”
The company’s statement added that it currently had “no evidence” that the attack was related to the conflict between Russia and Ukraine.
“We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident,” the statement said.
Nvidia Hacked Back
In a twist, screenshots from the Lapsus$ group’s Telegram channel claimed that Nvidia launched a counterattack, connecting to a virtual machine and deploying ransomware of its own to encrypt the group’s data.
“Access to Nvidia employee VPN requires the PC to be enrolled in MDM (mobile device management). With this, they were able to connect to a [virtual machine] we use. Yes, they successfully encrypted the data,” the group claimed in a message. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts. [sic]”
Emsisoft threat analyst Brett Callow noted on Twitter that the Telegram channel where these messages were posted is now “temporarily inaccessible.”
“While hacking back is not common, it has certainly happened before,” Callow replied. “Deploying ransomware on the attackers’ network may prevent them from leaking whatever data they exfiltrated.”
Nvidia did not comment on the alleged ransomware counterattack. While a counterattack may seem justified, Avast security evangelist Luis Corrons said in a blog post that doing so is a slippery slope.
“Hacking back is a delicate subject,” he said. “We have to remember that most hacking actions are illegal, which means that Nvidia would have committed a potential crime. Handing all evidence to law enforcement is better in the long term to help identify and arrest the criminals behind the original attack.”
High Degree of Skill
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyberrisk remediation, pointed out there are several ways that threat actors can steal credentials, some of which require a relatively high degree of skill.
One example would be installing malware that can record traffic and keystrokes to capture a user’s login credentials.
“However, the most common attack vector for credential theft remains email-based phishing attacks,” he said. “The first line of defense should be the users themselves, with adequate training and an organizational culture that encourages secure behaviors.”
However, Parkin added the security stack should also include email filters that can identify and block—or at least alert on—suspicious emails.
“Add in safe browsing technologies that can prevent malicious sites from downloading malware to the endpoint and endpoint defenses that can stop malware when it does come down,” he said. “Finally, implementing a secure multi-factor authentication scheme can prevent unauthorized access even when user IDs and passwords have been compromised.”
Keeping Secrets
Prakash Linga, co-founder and CEO at BluBracket, a provider of code security solutions, said hackers have recently been searching code in public repositories, where developers frequently leave secrets, API keys and other credentials in code.
“These credentials are then used to access infrastructure,” he said. “We are all aware of phishing and social engineering to steal credentials.”
Linga said companies need to employ secrets management and also code security solutions to arm developers with tools to keep secrets and credentials out of code.
They should also invest in code security tools that scan all code for credentials and look at the wider universe of public code for their credentials.
“Many times, developers copy code into their own repositories and unwittingly share secrets,” he pointed out.
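To make the advice to scan all code for credentials concrete, here is an added example (not from the article or from any vendor named in it) of a minimal pre-commit style secret scanner: it combines a known key-format pattern, a generic keyword-assignment rule and a Shannon-entropy check so that random-looking strings without a telltale variable name are still caught. The sample source text and every key value in it are constructed placeholders.

```python
import math
import re

# Constructed sample file contents (placeholder values, not real credentials).
SAMPLE_SOURCE = """import requests
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "cafe-8Zt1mQw9xLp2Rb7Yd3Kf"
session_salt = "q7Rz2mK9vLp4Xw8nB3tY6cJ5"
banner = "aaaaaaaaaaaaaaaaaaaaaaaa"
DEBUG = True
"""

# Rule set: (rule name, compiled regex). AWS access key IDs have a fixed
# "AKIA" prefix and 20-character length; the generic rule catches
# assignments such as api_key = "..." regardless of the value's shape.
PATTERNS = [
    ("aws_access_key_id", re.compile(r'''\bAKIA[0-9A-Z]{16}\b''')),
    ("generic_api_key", re.compile(
        r'''(?i)\b(api[_-]?key|secret|token|password)\s*=\s*['"]([^'"]{8,})['"]''')),
]

# Quoted strings of 20+ key-like characters are candidates for the entropy check.
QUOTED_TOKEN = re.compile(r'''['"]([A-Za-z0-9_\-]{20,})['"]''')


def shannon_entropy(s):
    """Bits per character; random keys score high, prose and padding score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return a list of (line_no, rule, value) findings for the given source text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                # Use the last capture group (the value) when the rule has one.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append((no, name, value))
        # Entropy rule only fires on lines no pattern rule has already flagged.
        if any(f[0] == no for f in findings):
            continue
        for token in QUOTED_TOKEN.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append((no, "high_entropy_string", token))
    return findings
```

Running `scan(SAMPLE_SOURCE)` flags the AWS-style ID, the `api_key` assignment and the high-entropy `session_salt`, but not the repetitive `banner` string; in a real pipeline the same function would run over each staged diff and block the commit on any finding.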
Parkin noted that once a threat actor follows through on an extortion threat and starts leaking stolen sensitive information online, as happened with Nvidia, the target organization’s options become very limited.
“User IDs and passwords can be reset but revealing intellectual property or other confidential information can have far-reaching consequences for the target,” he said. “What they can realistically do about it depends on many factors, including the nature of the data and where the threat actors are based.”
Linga added that an organization absolutely must revoke and change all secrets and credentials, even if it is not aware that they have leaked.
“It’s so easy to clone and publish code, you have to assume they have been compromised,” he said. “Nvidia is hardly the only large company that has been attacked this way.”
He added that hackers increasingly understand there is a treasure trove of credentials in code and that most companies have yet to implement code security solutions, though people are finally waking up to the threat.
Parkin pointed out over the last several years there’s been a rising trend of hybrid attacks that combine ransomware with extortion. These types of attacks are often launched against larger targets and the attackers demand greater payouts.
That they can get in, even against organizations with a mature security stack, shows how sophisticated these threats have become, and the situation is made even more complex when nation-state and state-sponsored groups are behind the attacks.
“Ultimately, the solution will probably come down to a mix of international legislation, cooperation and technical defenses that can keep attackers at bay,” Parkin said.