While we have yet to see a global security crisis similar to the 2020 SolarWinds hack or the recent Log4J vulnerability, recent months haven’t been quiet. Ransomware has continued to plague organizations of all sizes and of all levels of cybersecurity maturity, COVID phishing scams continue to run rampant, and we’re seeing unprecedented state-sponsored activity in Eastern Europe as the Ukraine-Russia conflict continues to rage. Today, we want to take a look at the top 5 hacks of the first quarter.
1. Wormhole Bridge: Over $300 million in cryptocurrency stolen
On February 2nd, Wormhole Bridge suffered a catastrophic cyberattack that resulted in the loss of 120,000 wrapped Ethereum (300 million dollars’ worth). Wormhole Bridge is a company that allows users to transfer crypto assets between various blockchains (a service called a “bridge”) by locking the asset on the original chain and minting a new token on the target chain that represents the “wrapped” cryptocurrency, where it can then be exchanged for that blockchain’s native tokens. The attacker carried out the heist by exploiting design errors in the bridge that allowed them to mint over a hundred thousand tokens on the Solana blockchain before transferring them to the Ethereum blockchain. Despite the presence of “guardians” that provided oversight of significant transactions, the attacker was able to spoof the guardian signatures required to mint the Wrapped Ethereum. According to reports, the Wormhole developers have reached out to the attacker and offered them a $10 million bug bounty in exchange for the return of the Wrapped Ethereum and the exploit details.
2. Nvidia loses over 1TB of proprietary company data
In February, Nvidia became yet another victim of the Lapsus$ extortion gang. The hackers were able to get out with over a terabyte of data, having obtained chip architectural diagrams, confidential firmware drivers, employee credentials, code-signing certificates, and other proprietary documents. Lapsus$ had two primary demands for Nvidia: the removal of the Hash-Rate Limiters, which hamper crypto mining performance on their consumer graphics cards, and that Nvidia forever fully open-source their graphics drivers for all platforms. Lapsus$ threatened that chipset trade secrets, architectural diagrams, and all driver code-signing certificates would be leaked if the demands weren’t met. Following Nvidia’s silence, Lapsus$ began releasing employee credificates and code-signing certificates, allowing malicious hackers to sign their malware with Nvidia’s (until recently) legitimate certificate. This creates an avenue for malware to slip through otherwise trustworthy antivirus solutions because of the “trusted” vendor certificate.
In an interesting turn of events, Nvidia was able to utilize their Mobile Device Management (MDM) software to remotely encrypt the system that was the conduit for the hack in the first place, effectively locking up the 1TB of data that was exfiltrated. Unfortunately, Lapsus$ had already copied the data out of the system, so they remained in possession of the unencrypted data.
LAPSU$ extortion group, a group operating out of South America, claim to have breached NVIDIA and exfiltrated over 1TB of proprietary data.
LAPSU$ claims NVIDIA performed a hack back and states NVIDIA has successfully ransomed their machines
Intel and photos courtesy of @S0ufi4n3 pic.twitter.com/fXcTNqgIpW
— vx-underground (@vxunderground) February 26, 2022
3. HubSpot data breach creates new avenues for crypto scams
HubSpot was notified on March 18th that the data of around 30 customers was exfiltrated by a rogue employee who allowed their account to be compromised. According to Threatpost, all thirty customers share one thing in common: they were all cryptocurrency firms. One of the affected companies, Swan Bitcoin, initially stated that they only used HubSpot for minor marketing purposes, meaning that no sensitive PII such as social security numbers, birthdates, or financial information was lost. In the days following, however, they uncovered that some PII, such as transaction information and client net worth data, had been erroneously included in the CRM dataset against company policy. This data only made up 1.2% of the overall dataset, and Swan has indicated that the sensitive data has since been removed from their CRM, but the personal data that was exfiltrated is still out in the wild. When a financial institution loses its customers’ data, it presents a significant risk to all affected customers, as they are far more likely to be targeted for financial scams and phishing attempts.
4. Okta hacked by Lapsus$ ransomware gang
In late March, details emerged about a data breach of the IAM service provider Okta, as claimed by the Lapsus$ ransomware and extortion group. The breach happened when Lapsus$ compromised a Sitel Customer Support Engineer’s Okta account in late January. According to a report prepared by Mandiant, the attackers were methodical, working through the network in distinct phases: Lapsus$ gained an initial foothold, established persistence, moved laterally through the network, and conducted reconnaissance while monitoring for signs of detection. Initial reports suggested that over 400 customers were affected (2.5% of all Okta customers), but more recent reporting indicates that the actor only accessed two customer tenants and viewed limited information in adjacent applications such as Slack or Jira. The good news for Okta is that this attack could have been significantly worse, a risk most identity management firms must accept when they hold the keys to the proverbial kingdom for their clients.
5. Email marketing platform MailChimp exploited to launch Crypto Phishing Scams
Earlier this month, a social engineering attack on Mailchimp employees resulted in a breach of employee credentials. The credentials were leveraged to access 319 MailChimp accounts, the mailing lists of 102 accounts, and the API keys of an unspecified number of customers. The attackers’ access was used to launch highly sophisticated phishing campaigns targeting cryptocurrency firms, as announced by the cryptocurrency wallet company Trezor. The victims publicly acknowledged the phishing attempts, which came in the form of a fake security incident notification email. The email contained a link that was supposedly a download for a patch for Trezor Suite, hosted on an extremely well-crafted fake copy of Trezor’s web app. Also impacted was Decentraland, whose list of newsletter subscribers’ email addresses was leaked in the breach.
Third-party vendors, particularly marketing platforms, identity management services, and managed service providers, continue to be a constant target for malicious actors because they allow for further downstream compromise. Even better for the attackers, the downstream targets are decentralized, so organizing a response to the various data breaches can be extremely difficult in the best of times. Crypto firms also continue to have large targets on their backs, given the pseudonymous nature of cryptocurrency and what happens when fresh crypto projects find themselves unable to protect the assets under their control. Ransomware continues to rage on, particularly against government organizations, municipalities, and non-profits, where budgetary spending on security can be scarce. Things haven’t been quiet, but we also haven’t hit a SolarWinds doomsday event yet, either.