Source code is like the DNA of any application developed for or in an organization. A combination of words, numbers, letters and symbols, it is the language used to create software for computers and devices, whatever the application.
As the world focused on cybercriminal activities in Russia and Ukraine, cybercriminals were also wreaking havoc on organizations located in other parts of the world. Last week, Samsung and NVIDIA were targeted by the same group of hackers.
Hacking group Lapsus$ claimed responsibility for both breaches. From Samsung, Lapsus$ compromised nearly 200 gigabytes of confidential data, including the source code of some of its technologies and the algorithms for biometric unlock operations.
According to Check Point Research, Samsung’s leak also allegedly includes bootloader source code for recent Samsung devices, algorithms for all biometric unlock operations, source code for Samsung’s activation servers, complete source code used to authenticate Samsung accounts and Qualcomm secret source code to boot.
A few weeks earlier, NVIDIA released a statement that a threat actor took employee credentials and certain proprietary NVIDIA information from its systems, and leaked it online. Lapsus$ claimed responsibility and has since leaked some of the data, which included source code and other confidential information from NVIDIA’s GPU server.
The leak includes two stolen code signing certificates used by NVIDIA developers to sign their drivers and executables. According to several sources, attackers have already started using these certificates to sign malware so that it appears trustworthy, passes Windows' filtering and is allowed to load and run.
Vodafone’s source code next?
Interestingly, it looks like Samsung and NVIDIA weren’t the only ones targeted by Lapsus$. The ransomware gang now claims to have data from at least three other organizations.
CNBC reported that Lapsus$ asked its followers in a poll on the Telegram messaging app: “What should we disclose next?” followed by three options. They include about 200 gigabytes of Vodafone source code as well as source code and databases from Portuguese media company Impresa and source code from MercadoLibre and MercadoPago, two Argentinian e-commerce companies. Voting closes March 13.
Vodafone said it is aware of the Lapsus$ allegations and is investigating with law enforcement. However, at this stage, it cannot verify the credibility of the claim. Vodafone also stated that the “types of repositories referenced in the claim contain proprietary source code and do not contain customer data”.
This is not the first time that Vodafone has faced a cyber threat. Just a month ago, Vodafone’s Portuguese unit saw its services interrupted following a hacker attack. Although no personal data was compromised, Vodafone’s system encountered technical problems with thousands of consumers unable to make calls or access the internet.
As such, Check Point researchers believe that organizations should be primarily concerned about malware entering their corporate network via the aforementioned stolen certificates.
Unfortunately, some security solutions on the market still expose organizations to this supply chain threat, as they do not seem to automatically revoke stolen certificates, most likely because they consider the vendor who issued the certificate to be trusted by default.
“To ensure the security of your entire IT infrastructure, we recommend that you ensure that your network security gateways, as well as your endpoint security solutions, have been updated with the appropriate protection against stolen certificates. We also recommend that you download software updates from the vendor’s official website and update your entire staff to do the same,” the researchers said.
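As an added, defender-side example (not code from the article, Check Point, NVIDIA or Samsung), the PowerShell below shows the kind of check the recommendation implies: inventory signed drivers and executables and flag any whose signing certificate is on a denylist of known-stolen certificates. Windows reporting a signature as “Valid” only means the chain reaches a trusted root, which is exactly what a stolen certificate still satisfies, so the denylist has to be applied on top of that check. The thumbprints and the scan path are placeholders, since the article does not give the leaked certificates' identifiers; replace them with values published by the vendor or your threat-intelligence source.

```powershell
# Added example (not from the article): flag Authenticode-signed binaries whose
# signing certificate is on a denylist of known-stolen certificates.

# PLACEHOLDER thumbprints (SHA-1 of the leaf certificate). Replace with the
# values published by the vendor or your threat-intelligence feed.
$StolenCertThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_0000000000000000000000000000',
    'PLACEHOLDER_THUMBPRINT_1111111111111111111111111111'
)

function Test-SignerDenylist {
    <#
    .SYNOPSIS
      Reports the signer of one PE file and whether it matches the denylist.
    #>
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Denylist = $StolenCertThumbprints
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned or unreadable signature: not a denylist hit, but worth noting
        # for drivers and executables that are expected to be signed.
        return [pscustomobject]@{
            Path       = $Path
            Status     = $sig.Status
            Thumbprint = $null
            Subject    = $null
            Flagged    = $false
            Reason     = 'no signer certificate'
        }
    }

    # -contains is case-insensitive, so thumbprint casing does not matter.
    $hit = $Denylist -contains $cert.Thumbprint
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status        # Valid / HashMismatch / NotTrusted / ...
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Flagged    = $hit
        Reason     = if ($hit) { 'signed with known-stolen certificate' } else { '' }
    }
}

# Scan drivers and executables under an assumed root directory and show only
# the hits. A hit whose Status is 'Valid' is precisely the case described in
# the article: the chain is trusted, the certificate is not.
$ScanRoot = 'C:\Path\To\Scan'   # assumption: adjust to the directory you want to check
Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerDenylist -Path $_.FullName } |
    Where-Object { $_.Flagged } |
    Format-Table Path, Status, Subject, Thumbprint -AutoSize
```

The script only reports; actually blocking execution belongs in the endpoint or gateway product's certificate block rules (or an application-control deny rule keyed on the same thumbprints), which is the update the researchers ask administrators to confirm is in place. Pairing this with a policy of fetching updates only from the vendor's official site closes the other path the article mentions.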