Samsung has suffered a data breach and the cybercriminals responsible are teasing the data they have stolen.
It’s concerning for an organisation to have any data stolen by cybercriminals – but it will be the potential leak of confidential source code that’s keeping Samsung’s executives awake at night. The exposure of such highly confidential, strategic information could be devastating for Samsung and their security teams will be working to ascertain exactly what data was stolen – and whether there might be further leaks to come.
This attack, following the one on NVIDIA, further confirms that Lapsus$ is a force to be reckoned with – and that organizations must not ignore the threat of extortion gangs. As this incident shows, hackers can access even the largest conglomerates, which are likely to have robust security protections in place. In the current environment of heightened security risk, it’s imperative that organisations of all sizes heed the NCSC’s advice and prioritise cybersecurity preparedness.
Hacking Samsung is no easy feat, but it goes to show that however mighty your organisation may be, you’re not immune.
According to Samsung, the affected code does not include any PII of either consumers or employees, but that doesn’t mean that this hack doesn’t have far-reaching consequences for users.
Firstly, and most significantly, source code relating to Knox, Samsung’s defence-grade security platform, and TrustZone, Samsung’s security-focused processor architecture, was stolen. Such code, in the hands of bad actors, could have disastrous consequences. Not only could threat actors probe this code for vulnerabilities, but if the attack group is particularly skilled, which Lapsus$ certainly appears to be, they could in theory bypass security protocols on affected units in order to gain access to company networks. Of course, this all depends on whether they can find useful exploits but having source code will certainly help in that endeavour.
Also of concern was stolen code relating to the bootloader which controls the startup process of Samsung smartphones. Although the data partitions are usually encrypted and so shouldn’t allow data theft without the usual PIN or password, this could allow low level control of the device. If the bootloader is in ROM and exploits are found, then, for those devices, they can never be fixed, as Apple found with CheckRa1n. Android devices, however, tend to use flash so they can be updated.
Samsung Galaxy users, and specifically those within organisations, should ensure that all devices are up-to-date and running the latest firmware.
Ransomware is one of the most significant dangers to businesses worldwide. Samsung confirmed that it has been hacked and that source code has been stolen. The ransomware gang Lapsus$ has released a massive amount of confidential data from Samsung only one day after disclosing the credentials of 71,000 Nvidia employees.
Businesses must guarantee that data, whether it is credit card information, passwords, health information, etc., is encrypted to avoid becoming an easy target for cybercriminals.
Strong encryption, when properly applied, is a business asset and a tool in the arsenal of successful companies. The widespread adoption of strong encryption will reduce the ongoing incentive for businesses to pay ransoms, a harmful tendency that promotes the global expansion of cybercriminal operations.
Stolen source code is a scary prospect for organisations, and unfortunately, it opens the door for potential further cyberattacks on the business and its customers. The Lapsus$ data extortion group stole 190GB of data which apparently contains ‘confidential Samsung source code’, including code relating to the operation of Galaxy devices, algorithms for all biometric unlock operations, and technology used for authorising and authenticating Samsung accounts. Threat actors who gain access to source code may be able to find the security vulnerabilities within the organisation’s product. This means that cyber criminals are then able to exploit weaknesses within the network which are unknown to the organisation.
Although Lapsus$ teased their followers about the leak, the group is yet to release all the data. It is not uncommon for stolen data to be bought and sold by cyber criminals on the dark web. Once multiple threat actors have their hands on an organisation’s security details and weaknesses, then unfortunately, they are more likely to be targeted. Only one cyberattack has to be successful in order to cause significant and irreversible damage to an organisation, therefore businesses must ensure that they have a cybersecurity solution which can stop the possibility of source code being stolen.
Endpoint detection and response (EDR) is no longer enough, with the solution needing malware to execute before it can be picked up as malicious. With some of the fastest ransomware now encrypting within 15 seconds of being executed, organisations need to look towards prevention-first solutions.
Technologies, such as deep learning – a subset of AI, are able to stop malware before data can be stolen. Deep learning delivers a sub-20 millisecond response time to stopping a cyberattack before it can execute and take hold of an organisation’s network. If organisations were to implement solutions, such as deep learning, users on the dark web will be seeing less and less ‘bargain deals’ for an organisation’s sensitive data.
The attackers have teased stolen source code taken from various parts of the Samsung network. I believe that this breach is genuine and it could cause significant damage to the company.
Some specific parts of the code that have been leaked are key security components for Samsung devices; this could make cracking and breaking into phones easier. I expect attackers to test if biometric security controls such as fingerprint and face ID can be bypassed. This could even be leveraged by law enforcement and could be a privacy concern for Samsung users. We have seen several issues in the past with breaking into phones being challenged, most notably the FBI Apple Encryption Dispute.
In theory, this breach could make it easier for malware to be written to exploit phones remotely, and since Samsung is widely used the attack surface could be large and lucrative for cybercriminals.
The potential consequences of this breach again highlight the importance of cybersecurity for all organisations. Protecting any organisation from the impact of a cyber-attack comes down to ensuring that there is visibility across the IT estate to identify any problems and to have the control in place so that any issues can be fixed at speed. In the aftermath of an attack, it is important to immediately start the process of damage control, to mitigate the impact as much as possible – and having appropriate back-up and disaster recovery solutions in place is crucial to doing so.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.