Did Samsung and NVIDIA hackers target Vodafone’s source code too?  

The same hackers that targeted NVIDIA and Samsung's source code now claims to have Vodafone's source code and plans to release it.
11 March 2022

The source code is like the DNA for any application developed for or in an organization. A combination of words, numbers, letters, and symbols, it’s the language used to create software in computers, devices for any application.

While the world has been focused on cybercriminal activity in Russia and Ukraine, cybercriminals were wreaking havoc on organizations in other parts of the world as well. Last week, both Samsung and NVIDIA were targeted by the same hacker group.

The hacker group Lapsus$ claimed responsibility for both breaches. Lapsus$ compromised almost 200 gigabytes of confidential data, including the source codes for some of their technologies, and the algorithms for bromidic unlock operations.

According to Check Point Research, the Samsung leak also allegedly includes bootloader source code for recent Samsung devices, algorithms for all biometric unlock operations, source code for Samsung’s activation servers, the full source code used to authenticate Samsung accounts, and secret Qualcomm source code to boot.

Weeks before that, NVIDIA released a statement that a threat actor had taken employee credentials and some NVIDIA proprietary information from its systems, and leaked it online. Lapsus$ claimed responsibility and has since leaked part of the data, which included source code and other confidential information from NVIDIA’s GPU server.

The leak includes two stolen code-signing certificates used by NVidia developers to sign their drivers and executables. Citing different sources, attackers already started using these code signing certificates to sign malware so it will appear to be dependable and go through Windows´ screening to be loaded and executed.

Vodafone’s source code next?

 Interestingly, it seems that Samsung and NVIDIA were not the only ones targeted by Lapsus$. The ransomware gang now claims to have data from at least three other organizations.

CNBC reported that Lapsus$ asked their subscribers in a poll on messaging app Telegram: “What should we leak next?” followed by three options. They include around 200 gigabytes worth of Vodafone source code as well as the source code and databases of Portuguese media corporation Impresa and the source code for MercadoLibre and MercadoPago, both Argentinian e-commerce companies. The poll ends on March 13.

Vodafone has said that they are aware of the claims made by Lapsus$ are investigating it with law enforcement. However, at this point, they cannot verify the creditability of the claim. Vodafone also said that the “types of repositories referenced in the claim contain proprietary source code and do not contain customer data.”

This is not the first time Vodafone has faced a cyberthreat. Just a month ago, Vodafone’s Portuguese unit had its services disrupted following a hacker attack. While no personal data had been compromised, Vodafone’s system did face some technical problems with thousands of consumers unable to make calls or access the internet.

As such, Check Point researchers feel that organizations should be mainly concerned about malware penetration into their corporate network via the aforementioned stolen certificates.

Unfortunately, some security solutions in the market still expose organizations to this supply chain threat, as they seem to automatically revoke the stolen certificates, most probably since they consider the vendor who produced the certificate as trusted by default.

“To keep your entire IT infrastructure safe, we recommend ensuring your network security gateways, as well as your endpoint device security solutions, have been updated with the appropriate protection against the stolen certificates. We also recommend that you download software updates from the formal vendor website and update your entire workforce to do the same,” said the researchers.