The new hot name in ransomware attacks is Lapsus$. If you haven’t heard of them before, you’ve probably heard of some of the companies they attacked, including Nvidia, Samsung, and Impresa, a media conglomerate. What is interesting about Lapsus$ is that the attackers have not just stolen credentials or business-related content, but they went straight for the source code of the companies’ proprietary firmware. These tactics highlight the importance of having in place robust code signing security procedures.
But first things first. Let’s take a historic look at Lapsus$ ransomware group’s infamous attacks…
According to The Record, the largest media conglomerate in Portugal, Impresa, was a target of the Lapsus$ ransomware over the New Year holiday break. Impresa owns the country's largest TV channel and newspaper, SIC and Expresso. It was the Expresso Twitter account that the hackers used to bait the organization. The group tweeted that “Lapsus$ is the new president of Portugal” – demonstrating a flair for the melodramatic.
Other targets include Brazil’s Ministry of Health (MoH) and Brazilian telecommunications operator Claro. The Brazilian MoH lost 50 TB of data in the attack. The gang also claimed to have deleted the data that held the information needed to issue Covid vaccination certificates.
However, the most advanced attacks were the ones targeting Nvidia and Samsung. In the case of Nvidia, the gang stole and leaked the credentials of more than 71,000 Nvidia employees, source code of Nvidia’s DLSS (Deep Learning Super Sampling) AI rendering technology and information about six supposed unannounced GPUs.
Officially Nvidia acknowledged that they became aware of a cyber security incident, which impacted IT resources. Lapsus$ demanded that Nvidia remove its lite hash rate (LHR) feature. The LHR was created to limit Ethereum mining capabilities in the NVidia RTX 30 series graphics cards, after the cryptomining community depleted the stock in early 2021. The group is also asking Nvidia to open source its GPU drivers for macOS, Windows, and Linux devices.
A few days later, Lapsus$ announced on its Telegram channel that it had breached Samsung and offered evidence including biometric authentication information and source code from both Samsung and one of its suppliers, Qualcomm.
Since they appear to be succeeding, Lapsus$ announced that they are looking to recruit insiders employed at telecommunications, software and gaming companies, among other technology businesses. The ransomware group specified that “they are not looking for data” but rather to buy remote VPN access to the corporate network. “Based on our investigation, the group is successful in their activities, and such tactics may generate a new trend in Dark Web for access brokers,” noted Christian Lees, CTO of Resecurity, Inc in an article for Security Affairs.
The threat of stolen code signing certificates
Lapsus$ is targeting source code and associated code signing certificates. Having possession and control over such source codes could create a massive supply chain reaction, which can lead to numerous organizations and machines being infected and harmed.
Attackers can use the compromised code signing certificates to sign malware, so it will appear to be legitimate and trustworthy and pass through screening, then be loaded and executed. In fact, according to Check Point, criminals have already exploited these stolen code signing certificates.
As part of the Nvidia leak, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes.
Code signing certificates assign a digital signature on executable software and firmware to mark them as trusted. Using these stolen certificates, attackers are disguising files and executables as legitimate, bypassing security controls and allowing malware to be uploaded to Windows.
“Stolen code signing certificates can be used to bypass security policies that require signed code to execute on a system. They can also be used by malicious actors to mimic a legitimate company,” said Pratik Savla, Senior Security Engineer at Venafi.
How to protect your code signing keys
"For years, we’ve been preaching to our customers that code signing keys are like master keys to a kingdom that has locks that can never be changed,” said Eddie Glenn, Sr Product Marketing Manager at Venafi.
The following steps can help you protect your code signing keys:
- Always secure the code signing keys in a protected facility offering encryption, like a Hardware Security Module (HSM).
- Always monitor and control the access to these keys to create an irrefutable log of every code signing operation.
- Access to critical code signing keys should follow principles like segregation of duties and two-man-rule.
- Control access to code signing keys with a clear set of whitelisting parameters.
Venafi CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities. You can protect your company’s software with a secure code signing process that is fast and easy for your developers to use.