Source code under attack: the Samsung breach

Why Samsung Galaxy’s Source Code was Compromised

“We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” a Samsung representative reported.

They continued, “According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees.”

The breach resulted in almost 200 gigabytes of confidential data being compromised. This data was subsequently dumped publicly via Torrent. The data included:

• Source Code for various technologies, including Galaxy smartphones and activation servers
• Full Source Code for authorizing and authenticating Samsung accounts, including APIs and services
• Source Code for every Trusted Applet (TA) installed within Samsung’s TrustZone environment used for sensitive operations, including hardware cryptography, binary encryption, and access control
• Algorithms for all biometric authentication unlock operations
• Confidential Source Code from U.S. chipmaker Qualcomm who supplies chipsets for Samsung smartphones sold in the U.S.
• Bootloaders for all recent Samsung devices

The hackers split the leaked data into compressed files which have so far been shared with more than 400 peers.

Source: https://www.bleepingcomputer.com/news/security/hackers-leak-190gb-of-alleged-samsung-data-source-code/

The three files contain the following information:

• File 1: A dump of source code and related data about Security/Defense/Knox/Bootloader/TrustedApps and various other items
• File 2: A dump of source code and related data about device security and encryption
• File 3: Various repositories from Samsung Github: mobile defense engineering, Samsung account backend, Samsung pass backend/frontend, and SES (Bixby, Smartthings, store)

The Hackers Responsible

In Samsung’s statement, they did not name any specific hackers responsible for the breach. However, the hacking group Lapsus$, formed in December 2021, claimed responsibility over the weekend via their Telegram channel. They confirmed that 190 gigabytes of confidential Samsung source code were compromised.

Lapsus$ originally posted a snapshot of C/C++ directives in Samsung software.

Source: https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/

Shortly afterwards, the hackers released a description of the data gathered from “confidential Samsung source code.”

Lapsus$ previously hacked 1TB of proprietary data from U.S. chip giant Nvidia in February 2022. In that breach, the hackers published thousands of employee credentials, schematics, driver source code, and information about the latest graphics chips. This included over 70,000 employee email addresses and NTLM password hashes.

The two exposed code-signing certificates have been used to sign malicious Windows drivers and other tools used by remote hacking crews like Cobalt Strike beacons and Mimikatz.

In the Nvidia attack, a ransom was demanded by Lapsus$ asking the firm to:

• Disable the controversial Lite Hash Rate (LHR) feature and Ethereum cryptocurrency mining cap from all NVIDIA 20-series GPUs
• Open-source its graphics chip (GPU) drivers forever for macOS, Windows, and Linux

As of right now, there is no known ransom in the Samsung attack.

What is source code? Why is it important?

Source code contains sensitive data which helps hackers find security vulnerabilities and other types of active threats within the application to exploit devices more easily. It can contain both passive threats which can be used to target weak areas, and active threats which include secrets within codebase like API keys, security certificates, database credentials, and anything else that can provide access to systems.

All source code is unique, and it is often the most valuable resource a company holds. Regardless of vertical, all software companies house their core intellectual property and sensitive client data within their source code.

Any secrets used programmatically commonly end up within source code.

It is also very common for PII to exist in the source code due to a database dump or debug logs added to the repository. Once the information is in the same location as the source code, it is cloned and copied within it.

However, source code is a very leaky asset. It can be:

• Located in a company’s version-control systems
• Cloned onto developers’ personal and professional devices
• Implemented into new projects and internal wikis
• Backed up on cloud drives
• Shared through messaging systems (ex. Slack)
• Posted into public developer forums (ex. Stack Overflow)

Hackers gaining access to your source code poses a threat to your users and IP, and also has a huge impact on compliance. Protecting source code is therefore of the utmost importance.

Why is source code so hard to protect?

Companies are well aware of the value and importance of source code in building applications.

However, many organizations neglect the necessary data security measures to protect source code. Just because source code is private does not mean it is protected.

Source code breaches have been on the rise lately. Examples include:

• The Indian Government: In early 2022, the Indian government suffered a white hat attack including mySQL dumps and sensitive police reports in repositories’ history.
• Mercedes Benz: Source code leaked. Vulnerabilities exposed.
• Nintendo: Source code leaked for games including Super Mario Kart and an unreleased Zelda Game.
• Microsoft: Source code leaked. Vulnerabilities exposed.
• SolarWinds: Hackers inserted malicious code into the company’s Orion software and distributed it to SolarWinds customers via an update or patch.
• CD Projekt Red: Source code was stolen for for Cyberpunk 2077 and The Witcher 3.

Another notable example is the data breach of EA (Electronic Arts) in early 2022. Hackers purchased stolen authentication cookies for an EA internal Slack channel from a dark web marketplace, and then used the cookies to imitate an EA worker and access the company’s Slack channel. The hackers tricked an IT support worker into granting them access to the company’s internal code repositories.

All in all, the hackers were able to steal 780GB of source code from games like FIFA 21, as well as the Frostbite game engine used for games like Battlefield. The data was ultimately put up for sale in an underground hacking forum for $28 million.

Companies are failing to protect their source code because it is challenging and time consuming to secure.

Source: https://cycode.com/blog/why-is-source-code-so-hard-to-protect/

Here are some reasons why source code is so challenging to protect:

Source Code is Often Sprawled

Whenever code is sprawled, companies often have zero visibility as to where it is located, no means to audit who has accessed or cloned the code, and no way of knowing whether or not it’s secure. Without that information, it’s impossible to prevent source code from leaking.

Software Development Tools

In general, software development for large companies involves many sites, teams, and tools. Developers often use Integrated Development Environments (IDEs) like NetBeans to help them write code in the proper design and format. Other tools like GitHub focus on collaboration. They allow developer teams to manage projects and re-use useful code segments.

Editing Code In Personal Devices

Source code is also often edited at a user’s endpoint machine. With work-from-home becoming more popular and often mandatory, endpoint machines may be personal devices which aren’t secured like workstations. Housing code on tools or within a non-secure device expands the “surface area” companies need to protect from multiple vectors such as phishing and social engineering, compromised user accounts, or drive-by website downloads.

Source Code is Often Not Deleted

Code is never truly deleted from many version-control systems and is instead hidden under old commits. Leftover permissions are also not updated often enough.

R&D Agile Methodologies

Many organizations use source control management systems (SCMs) to improve collaboration, productivity, and delivery, but do not use such systems to secure source code. SCMs are traditionally run by R&D teams which work using agile methodologies to deploy continuously and quickly. Security often becomes an afterthought, by which time it is too late to implement safeguards. Access controls are therefore typically not properly set up, and everyone has access to everything.

How can you protect your source code?

As a baseline, it’s important to start by ensuring your company is following baseline IT security principles including:

• Not allowing developers and contractors working remotely to access IPs on any open, unsecured wifi.
• Revoking access to proprietary data after termination of relationship with any employee or contractor.
• Not granting unnecessary access to source code.

In addition to these basics, companies should consider implementing:

1. Data Loss Prevention (DLP) solutions
2. Manual access review
3. Internal scripts or other open source projects to detect code leaks, secrets, and misconfigurations

No matter what unique safeguards your company decides to implement to protect source code, there are some features all plans should have. This includes:

• Immediate visibility to entire source code asset inventory
• Code leak detection across public domain
• Ability to detect secrets embedded or hidden in code
• Reducing insider threat risk by automatically flagging and revoking unneeded or expired access permissions
• Real-time risk detection for any faulty security configurations

Conclusion

There is no one-size-fits-all solution for securing source code. Companies, their IPs, and the threats they face can all differ, meaning your business’s source code protection plan should be tailored to you.

That’s why it’s so important for team members to educate themselves on prevention best practices and develop a custom solution for your company. If developers are not well-versed in the most up-to-date techniques and potential hazards, your company could be one of the countless that will be compromised this year alone, losing profits, consumer trust, and potentially facing lawsuits.