Just days after leaking data it claims to have exfiltrated from chipmaker NVIDIA, ransomware group Lapsus$ is claiming another international company among its victims — this time releasing data purportedly stolen from Samsung Electronics.
The consumer electronics giant confirmed in a media statement on Monday that a “security breach” had occurred related to internal company data — but said that customer and employee data were not impacted.
Lapsus$ had earlier announced on its Telegram channel that it had breached Samsung and offered a taste of what it had as proof, including biometric authentication information and source code from both Samsung and one of its suppliers, Qualcomm. That’s according to Security Affairs, which also published a screen grab of the data leak.
“If Samsung’s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details,” said Casey Bisson, head of product and developer relations at BluBracket, via email. “The TrustZone environment is useful because it creates a strong security barrier to attacks by Android malware.”
He added that if the leaked data allows malware to access the TrustZone environment, it could make all data stored there vulnerable.
“If Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment,” he said. “Compromised keys would make this a more significant attack than NVIDIA, given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.
Ransomware Is Here to Stay
Obviously, the implications of source code and thousands of employee credentials out in the open are serious. The ransomware attacks on Samsung and NVIDIA, and even January’s Lapsus$ attack on media outlets in Portugal, SIC Noticias and Expresso, should serve as a grim reminder that the ransomware business is booming, according to experts.
The websites of two of the main media organizations in Portugal @expresso and @SICNoticias are down, after an apparent hacking, according to their parent company, Impresa. pic.twitter.com/la2Pi9JRgG
— Mia Alberti (@mialberti) January 2, 2022
“Ransomware is not going away,” Dave Pasirstein, CPO and head of engineering for TruU told Threatpost by email. “It’s a lucrative business that is nearly impossible to protect all risk vectors; however, it is made easy by enterprises failing to take enough precautionary steps.”
Ransomware Risk Vectors Abound
Those steps, according to Pasirstein, must include a zero-trust approach, an effective patching strategy, endpoint and email protection, employee training and strong authentication such as modern MFA. He added, “ideally, a password-less MFA that is not based on shared secrets and thus, cannot easily be bypassed by a server compromise.”
The group’s recent successes also highlight the need to protect data across the organization, Purandar Das, CEO of Sotero told Threatpost.
“Obviously a very concerning development for Samsung and NVIDIA if true,” he said. “What this also demonstrates is the vulnerability of data in any data store within organizations.”
He explained a common security approach is to focus on locking down structured data storage, which can be shortsighted.
“Most security has been focused on structured datastores with the assumption that the attackers are looking for confidential information that relates to individuals whether they are customers, consumers or employees,” Das added. “However, confidential or sensitive data is spread in more than just structured data stores.”
In the case of Samsung, beyond releasing the company’s competitive secrets, the Lapsus$ breach leaves the company open to future compromise, he warned.
“In the case of Samsung, it would provide a pathway into any or many Samsung devices rendering them vulnerable in ways that wouldn’t have been feasible,” Das said. “Security, or more importantly data-focused security, is essential. Securing the data is probably more critical or just as critical as todays security of attempting to lock down the perimeter.”
Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.