Data stolen from Nvidia, blueprints leak threatened

Also don't try to unlock your GPU cards with fake mining tool, and more

In brief Nvidia is probing a cyberattack that caused outages within its internal network.

It's said that email and developer systems were knocked over during the intrusion, which was discovered three days ago. The GPU giant continues to investigate.

In a statement, an Nvidia spokesperson told The Register on Friday: "Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don't have any additional information to share at this time."

A source speaking to Bloomberg described the security breach as relatively minor, and said it was not connected to Russia's invasion of Ukraine.

In an updated statement on February 28, Nvidia told us it does not believe ransomware was involved but that data was stolen from its network and leaked online:

On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.

We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.

The LAPSUS$ cyber-extortion gang took credit for the intrusion, and alleged it stole 1TB of schematics, driver and firmware code, documentation, SDKs, and more. The crew claimed it leaked a 19GB archive of those files online, which includes what may be the source code to Nv's Deep Learning Super Sampling (DLSS) and other components.

The crooks said unless Nvidia releases a software update that removes its recent crypto-coin mining limiter, they will leak what sounds like internal hardware documents – a hw folder, specifically. Curiously, the gang is also selling what it claims to be a tool that removes the mining limiter.

Separately this week, a Windows application called Nvidia RTX LHR v2 Unlocker was released that claimed to eliminate the mechanisms Nvidia put in place to hamper the mining of cryptocurrencies on graphics cards aimed at gamers.

Now the Red Panda Mining forum has issued an alert, saying not only does the program not actually bypass Nvidia's mining limiter, but on installation it infects the system with malware, including a remote-control backdoor and code that extracts digital money stored on the machine.

Bottom line is, don't install this application.

Anonymous says it's at war with Russia, Conti threatens retaliation

As the Russian invasion of Ukraine continues, two notorious internet bodies are picking sides.

On Thursday a Twitter account associated with the Anonymous collective declared it was urging members to attack Russian government and commercial websites in light of the occupation. It apologized to Russians caught up in the cyber-assaults, and said President Putin's unprovoked military action could not be allowed to go unchecked.

"We, as a collective want only peace in the world," the Anons said. "We want a future for all of humanity. So, while people around the globe smash your internet providers to bits, understand that it's entirely directed at the actions of the Russian government and Putin."

Shortly afterwards the websites of Russian state-controlled channel RT and the state-owned Gazprom power company, as well as some government sites, disappeared offline. Anonymous claimed its people were behind the outages.

Then on Friday the Conti cyber-criminal gang, which is based in Russia, warned it too was stepping into the fray. Conti, which was responsible for last year's crippling of the Irish Health Service via a ransomware attack, said it did not support the war, nor was it acting at the behest of the Russian government, but would retaliate against any cyberwarfare by the West.

"As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world," it warned in a statement seen by El Reg.

The FCC, America's communications watchdog, is reportedly attempting to identify telecoms providers and other companies it oversees that have close ties to Russia, in case a further crackdown on Moscow is needed following the invasion of Ukraine.

Ransomware attacks almost double and recovery rates are dropping

More bad news on the ransomware front this week, with a couple of reports claiming global infection rates went up 92.7 per cent last year and that recovering from an attack – even if you pay up – is getting harder.

NCC Group released figures indicating a huge jump in the use of ransomware, with America the top target at 53 per cent of monitored infections, and Europe at 30 per cent. The top targets remain government organizations and the industrial sector, which account for around 20 per cent each of the total.

"Many of the dangers which we first identified at the start of the pandemic have snowballed in 2021, revealing a developing threat landscape with ransomware attacks on the rise," said Matt Hull, NCC's global lead for strategic threat intelligence.

And the news isn't good for those afflicted either. ID management house Venafi this week reported that 35 per cent of those that actually paid the ransom still couldn't get their data back. In cases of double attacks, when the public exposure of stolen data is threatened, 18 per cent of those who paid still had their information leaked, compared to 16 per cent who suffered a similar fate after refusing to pay the ransom.

Interestingly, the report noted that 32 per cent of attacks were employing so-called triple attacks, where the attackers use the purloined data to threaten suppliers and customers. Nearly two thirds of those surveyed said they would more likely pay up as a result of these extra threats.

America's number one... in value to criminals, at least

An interesting analysis of adverts placed by access brokers, who sell access to compromised systems, has found Americans are still the top target, although the UK is only just second in terms of monetary value.

After going through two years of cyber-crime forum postings, the team at Crowdstrike noted that 55 per cent of ads were for US companies and individuals, and they topped the cost chart with an average value of $3,985 per system. The second most valuable nation was the UK, at $3,925, although it only accounted for 7 per cent of adverts.

Government institution access is the most expensive sector covered in the report, with an average cost of $6,151, closely followed by the finance industry. In some cases access brokers were charging five-figure sums for vital accounts.

"The academic sector has historically been a popular focus of ransomware operations, with intrusions timed to coincide with the start of a new school term to cause the greatest disruption and in turn encourage a quick ransom payment," the report states.

"Almost 40 per cent of the academic sector advertisements were for access to US-based institutions, with a spike in activity noted in August 2021 that coincides with the start of the new semester."

Low-tech cyber-fraudster admits crimes

A Nigerian credential-stuffer who managed to bilk HR departments out of around $800,000 pleaded guilty this week to one count of computer fraud in the Southern District of New York.

Charles Onus, 34, was arrested in 2021 in San Francisco on his way to Las Vegas after being accused of taking part in an organized campaign to target human resources and payroll staff to divert funds into other accounts. Rather than using high-level computer skills, Onus and his pals took existing credentials leaked in past attacks and banked on staff reusing passwords and login data. 

As any security professional will not be surprised to learn, it was very successful. Onus admitted diverting around $800,000 in purloined funds using the cracked work accounts at US companies from July 2017 to 2018.

"Charles Onus admitted to participating in a scheme to steal hundreds of thousands of hard-earned dollars from workers across the United States by hacking into a payroll company's system and diverting payroll deposits to prepaid debit cards he controlled," said Damian Williams, US Attorney for the Southern District of New York.

"Our office will continue to work with our law enforcement partners to zealously arrest and prosecute those who seek to commit cybercrimes targeting Americans from behind a keyboard abroad." ®


Biting the hand that feeds IT © 1998–2022