Incident & Breach Response
Thousands of Employee Email IDs, NTLM Password Hashes Leaked
Ransomware gang Lapsus$ has leaked credentials of 71,000 Nvidia employees on a Telegram page, Information Security Media Group has found.
See Also: DDoS Defense in a Hybrid Cloud World
The data is likely to have been stolen in a data breach last month.
Data breach notification service Have I Been Pwned on Thursday confirmed that the chipmaker’s proprietary code and employee data had indeed been leaked in the February attack. More than 70,000 employee email addresses and NTLM password hashes were also publicly distributed, the company says.
Nvidia Acknowledges Breach
On Thursday, Nvidia published a report, acknowledging that a threat actor had stolen employee passwords and undisclosed Nvidia proprietary information from its systems. This data, it adds, has been leaked online.
“On February 23, 2022, NVIDIA became aware of a cybersecurity incident, which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement,” the company says in its report.
“We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict,” it adds.
The chipmaker says that even as it continues to investigate the breach, it has advised its employees to change passwords. Nvidia says it does not anticipate any disruption to its business or its ability to serve customers as a result of the incident.
A spokesperson for Nvidia did not immediately respond to ISMG’s request for additional details.
Days after Nvidia’s reported cyberattack, the Lapsus$ ransomware group released a portion of the highly confidential stolen data, comprising source codes, GPU drivers and documentation on Nvidia’s fast logic controller product, also known as Falcon and Lite Hash Rate or LHR GPU (see: How Lapsus$ Data Leak May Affect Nvidia and Its Customers).
On Wednesday, the hacking group demanded $1 million and a percentage of an unspecified fee from Nvidia for the Lite Hash Rate (LHR) bypass. The LHR GPU is designed to restrict cryptomining without compromising gaming performance.
ISMG was able to verify the gang’s claims and spotted a Telegram channel named Lapsus$, with under 12,176 subscribers, claiming to have breached the database and shared some samples of leaked data, in addition to asking for ransom.
ISMG contacted security experts to ask them about mitigation strategies.
Ioannis Fragkoulopoulos, customer security and professional services director at cybersecurity firm Obrela Security, says the first thing that all Nvidia customers should do is update their account login details, and not just for the stolen accounts.
“Attackers could use the already-leaked information to gain access to a number of user accounts to steal more information or launch larger attacks targeted at company networks,” he tells ISMG.
Thomas Stoesser, director at cybersecurity firm comforte AG, says organizations must be attentive to the way that they handle and process sensitive customer data and treat their own sensitive information with the same care and diligence.
“Threat actors are also interested in knowing more about the targeted companies themselves. Knowledge such as trade secrets, corporate strategies, inventions, their employees and any other bits of sensitive information would create leverage in a ransom and blackmail situation,” Stoesser says.
Practicing Cyber Resilience
Fragkoulopoulos says that organizations must practice cyber resilience and take steps to mitigate the risks cyberattacks pose before they actually happen.
“Cyberattacks are here to stay, so the only defense today is getting into a post-breach mindset before they happen to limit the negative outcomes. While there can be no denying that data breaches are commonplace, you would hope a company as large as this would learn from previous incidents to harden its systems and improve security,” Fragkoulopoulos says.
Stoesser says for any enterprise, the most common ways of preventing data leaks and breaches, such as traditional perimeter security and classic encryption, don’t necessarily account for the fact that sensitive data may ultimately fall into the wrong hands anyway.
“For this reason, datacentric approaches to security, such as tokenization and format-preserving encryption, safeguard the data itself. They do so in a way that organizations can work with data without de-protecting it,” he says. “Enterprises handling and processing sensitive data should explore datacentric security as another valuable and necessary tool in their cybersecurity toolbox.”