NVIDIA: Lapsus$ threatens to publish the code

Lapsus$ has threatened to publish NVIDIA's source code if its conditions, such as the removal of the Lite Hash Rate limiter, are not met.

The Lapsus$ group has asked the Californian company to remove the hash rate limiter from GeForce RTX 30 video cards; otherwise the firmware source code and the details on future GPUs contained in the 20 GB archive stolen on February 23 will be published. According to the Have I Been Pwned website, the cybercriminals stole the email addresses and NTLM password hashes of more than 71,000 employees.

Lapsus$: Double threat to NVIDIA

The Lapsus$ group reported that it had accessed NVIDIA's internal systems and stolen over 1 TB of data (firmware, drivers, development tools, and more). The Californian company didn't give in to the threats, so the cybercriminals released a 20 GB archive that includes employee passwords and some proprietary information. NVIDIA confirmed this on March 1, but hasn't provided any other updates since.

According to the Have I Been Pwned website, Lapsus$ has shared the email addresses and NTLM password hashes of more than 71,000 employees. NVIDIA currently has approximately 19,000 employees worldwide, so the credentials must also belong to former employees.

The cybercriminals have set two conditions for not disclosing the firmware source code and the information about GPUs under development (such as the GeForce RTX 3090 Ti): open-source the future drivers and remove the Lite Hash Rate limiter from GeForce RTX 30 video cards, namely the limiter that prevents the full power of the GPUs from being used for cryptocurrency mining.

Among the data that ended up online are also two digital certificates that NVIDIA uses to sign its drivers. Some security researchers have found that these certificates have already been used to sign various types of malware and hacking tools, including Cobalt Strike, Mimikatz, backdoors and RATs (Remote Access Trojans). The certificates have expired, but Windows still allows drivers signed with them to be loaded. Microsoft should therefore add the certificates to the Certificate Revocation List (CRL).
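As an added example (not code from the article or from NVIDIA), the following PowerShell audit lists the kernel drivers registered on a Windows host and flags any whose embedded Authenticode signature was made with one of the leaked certificates. The two thumbprints are placeholders to be replaced with the values published by the researchers, and the script assumes it runs with administrator rights so the driver files can be read.

```powershell
# Added example: audit registered kernel drivers for signatures made with the
# leaked NVIDIA code-signing certificates. The thumbprints are PLACEHOLDERS.
$LeakedThumbprints = @(
    'PLACEHOLDER_SHA1_THUMBPRINT_CERT_1',
    'PLACEHOLDER_SHA1_THUMBPRINT_CERT_2'
)

function Test-LeakedSigner {
    param([Parameter(Mandatory)][string]$Path)
    # Get-AuthenticodeSignature reads the embedded signature only; drivers that
    # are signed through a catalog file report the catalog signer instead.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) { return $null }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = $cert.NotAfter -lt (Get-Date)
        LeakedCert = $LeakedThumbprints -contains $cert.Thumbprint
    }
}

# Resolve the image path of every registered driver (Win32_SystemDriver may
# report NT-style prefixes such as \??\ or \SystemRoot).
$driverPaths = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
    }

$results = foreach ($p in $driverPaths) {
    if (Test-Path -LiteralPath $p) { Test-LeakedSigner -Path $p }
}

# A thumbprint match is the actual finding. Expiry alone is not: a signature
# carrying a trusted timestamp stays acceptable after the certificate expires,
# which is exactly why the loader still accepts drivers signed with these certs.
$results |
    Where-Object { $_.LeakedCert } |
    Format-Table Path, Subject, Status, NotAfter, Expired -AutoSize
```

A match on a production host should be treated as an incident: until the certificates are revoked, a blocking rule keyed on their thumbprints (for example in a WDAC or AppLocker policy) is the available mitigation.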