February 17, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Dridex Banking Trojan – Active IOCs
March 10, 2022Rewterz Threat Alert – APT Group GhostWriter/UNC1151 Targeting Ukraine – Active IOCs – Russian-Ukrainian Cyber Warfare
March 10, 2022Rewterz Threat Alert – Dridex Banking Trojan – Active IOCs
March 10, 2022Rewterz Threat Alert – APT Group GhostWriter/UNC1151 Targeting Ukraine – Active IOCs – Russian-Ukrainian Cyber Warfare
March 10, 2022
Severity
High
Analysis Summary
Lapsus$ Ransomware is a new and emerging ransomware group that has successfully attacked major conglomerates and their latest victim is Samsung. Like most ransomware groups, Lapsus$ also infiltrates organizations with a phishing attack. From there on, they exploit vulnerabilities like privilege escalation to get hold of administrative rights and blatantly display their abilities.
Lapsus$ claims to have stolen data from Samsung. They announced their telegram channel and also shared screenshots of the data. Stolen data contains confidential Samsung source code, including:
- DEVICES/HARDWARE -Source code for every Trusted Applet (TA) installed on all Samsung device’s TrustZone (TEE) with specific code for every type of TEE OS (QSEE, TEEGris, etc). THIS INCLUDES DRM MODULES AND KEYMASTER/GATEKEEPER!
- Algorithms for all biometric unlock operations, including source code that communicates directly with sensor (down to the lowest level, we’re talking individual RX/TX bitstreams here).
- Bootloader source code for all recent Samsung devices, including Knox data and code for authentication.
- Various other data, confidential source code from Qualcomm.
Lapsus$ gang’s Telegram Channel
“There was a security breach relating to certain internal company data,” Samsung told Bloomberg. “According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”
Impact
- Financial Theft
- Data Breach
Affected Vendors
- Samsung
Indicators of Compromise
MD5
- bc37863a409ddffdf36937dd4e536aad
SHA-256
- 9d123f8ca1a24ba215deb9968483d40b5d7a69feee7342562407c42ed4e09cf7
SHA-1
- b65f8a804d3e87e1ca21ca781f1a0585acab6959
Remediation
- Search for IOCs in your environment.
- Block all threat indicators at your respective controls