The LAPSUS$ group, which proved to hack the NVIDIA infrastructure, ad recently a hack similar to Samsung in its Telegram channel, to which Samsung confirmed that it suffered a data breach in which sensitive information was stolen, including the source code of its Galaxy smartphones.
The theft happened late last week and it was Lapsus$, the same hacker group that was behind the Nvidia data theft, as reported on March 1. Lapsus$ claims to have stolen 190 gigabytes of data, including Trust Applet source code, algorithms for biometric unlock operations, bootloader source code, and confidential Qualcomm source code.
the group too claimed to have stolen the source code from Samsung's activation server, Samsung accounts and source code and various other data.
The form of attack that resulted in the data theft is unclear. Lapsus$ is known for its ransomware attacks, but it is not the only type of attack in which the gang participates. As with Nvidia, the Samsung hack may have been simple data theft and extortion rather than direct use of ransomware.
Samsung officially refers to the theft as a "security breach related to certain internal company data."
"Based on our initial analysis, the breach involves some source code related to the operation of Galaxy devices, but does not include the personal information of our consumers or employees," Samsung said in a statement reported by Sammobile. “Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without interruption."
It is reported that around 190 GB of data was leaked, including source code for various Samsung products, boot loaders, authentication and identification mechanisms, activation servers, Knox mobile device security system, online services, APIs, as well as proprietary components supplied by Qualcomm, including the announcement of receiving the code of all TA-applets (Trusted Applet) running in an isolated hardware enclave based on TrustZone (TEE) technology, key management code, DRM modules and components to provide biometric identification.
The data has been released into the public domain and is now available on torrent trackers. Regarding NVIDIA's previous ultimatum to transfer the drivers to a free license, it is reported that the result will be announced later.
“Trojan apps that harvest contacts and credentials from other apps, such as banking apps, are fairly common on Android, but the ability to crack a phone's biometrics or lock screen has been limited to highly-funded threat actors, including state-sponsored espionage.” Casey Bisson, head of product and developer relations at code security firm BluBracket
"The leaked source code could make it substantially easier for less well-funded threat actors to execute more sophisticated attacks on the more secure features of Samsung devices."
It was noted that the stolen code could enable sophisticated attacks such as cracking a phone's lock screen, exfiltrating data stored in the Samsung TrustZone environment, and zero-click attacks that install persistent backdoors on victims' phones.
Also included in the torrent is a brief description of the content available in each of the three files:
- Part 1 contains a source code dump and related data on Security/Defense/Knox/Bootloader/TrustedApps and various other items
- Part 2 contains a source code dump and data related to device security and encryption.
- Part 3 contains various Samsung Github repositories: Mobile Defense Engineering, Samsung Account Backend, Samsung Pass Backend/Frontend, and SES (Bixby, Smartthings, Store)
It is unclear whether Lapsus$ contacted Samsung for ransom, as they claimed in the Nvidia case.
Finally if you are interested in knowing a little more about it, you can check the details In the following link.