Samsung and Nvidia are the latest companies to involuntarily go open-source, leaking company secrets
Nearly 200GB of source code from Samsung and the source code of Nvidia's latest DLSS technology have been published online by the Lapsus$ hacking group.
Internal source code has been leaked online by adversaries with alarming regularity in recent years. Only a few months have gone by since Twitch's source code was leaked online; that leak not only exposed the income of the top streamers but, as GitGuardian showed, also contained over 6,000 secret keys that attackers could potentially have used in further attacks.
GitGuardian scanned the leaked Samsung source code for sensitive information such as secrets and found 6,695 secrets. The scan used over 350 individual detectors, each looking for the specific characteristics of one type of secret, which gives reliably high-accuracy results. In this case, we excluded results from generic high-entropy detectors and generic password detectors, as these typically include false positives and would therefore inflate the results. With that in mind, the true number of secrets could be much higher.
| Token Name | # Found | Token Name | # Found |
|---|---|---|---|
| private key rsa | 2408 | artifactory token | 26 |
| private key elliptic | 1062 | sonarqube token | 14 |
| private key encrypted | 744 | company email password | 12 |
| private key generic | 532 | line messaging oauth2 | 10 |
| base64 basic auth | 495 | slack webhook url | 9 |
| bearer token | 378 | salesforce oauth2 | 8 |
| username password | 231 | googleaiza | 6 |
| base64 private key generic | 174 | github oauth app keys | 3 |
| google oauth2 | 115 | ldap credentials assignment | 2 |
| googlecloud | 81 | kubernetes jwt | 2 |
| aws iam | 80 | splunk token | 2 |
| generic database assignment | 76 | mysql assignment attached port | 1 |
| github enterprise token | 62 | dropbox app credentials | 1 |
| google recaptcha | 57 | ibm platform api key | 1 |
| secret key in django config | 53 | mariadb assignment attached port | 1 |
| authentication tuple | 52 | postgres assignment attached port | 1 |
| basic auth string | 35 | wechat keys | 1 |
| private key dsa | 32 | username and password in ftp | 1 |
| fcm api key | 27 | Grand Total | 6695 |
Disclaimers. Usually, GitGuardian would validate keys found in a repository to remove false positives. Because of the investigations that will undoubtedly be ongoing, GitGuardian decided not to validate any keys, so as not to mislead the forensics teams. This means we cannot give a percentage of the keys which were valid at the time of the leak.
As you can see from the snapshot of the results, the top 8 results account for 90% of the findings, and whilst these are still very sensitive, they can be more challenging for an attacker to use as they likely refer to internal systems. That leaves just over 600 authentication tokens which grant access to a huge range of different services and systems that an attacker could potentially use to move laterally into more systems.
“Of the more than 6,600 keys found in Samsung source code, roughly 90% are for Samsung's internal services and infrastructure, whilst the other 10%, critically, could grant access to Samsung's external services or tools such as AWS, GitHub, artifactory and Google.” - Mackenzie Jackson, Developer Advocate, GitGuardian
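To make the scan methodology and the internal/external split above concrete, here is an added example; it is not GitGuardian's code or detector set. It assumes a handful of hand-written "specific" detectors named after rows in the table (the regular expressions, the 3.5-bit entropy threshold and the internal/external scope assigned to each detector are all this example's own assumptions), and it runs them over a constructed sample file whose values are documentation placeholders rather than real credentials. The generic high-entropy detector is kept separate so you can see why it was excluded from the count: it flags a commit hash and a SHA-256 checksum that are not secrets at all.

```python
import math
import re
from collections import Counter

# Specific detectors: each one matches the characteristic shape of a single
# secret type. Constructed for illustration, not GitGuardian's detectors;
# the names mirror rows of the table in the article.
SPECIFIC_DETECTORS = {
    "private key rsa": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
    "private key elliptic": re.compile(r"-----BEGIN EC PRIVATE KEY-----"),
    "private key encrypted": re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----"),
    "aws iam": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack webhook url": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    "googleaiza": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "secret key in django config": re.compile(r"SECRET_KEY\s*=\s*['\"][^'\"]{20,}['\"]"),
}

# Assumed scope per detector (the internal/external split discussed in the
# text): private keys and a Django secret usually unlock internal systems,
# while a cloud, SaaS or chat credential reaches an external service.
SCOPE = {
    "private key rsa": "internal",
    "private key elliptic": "internal",
    "private key encrypted": "internal",
    "secret key in django config": "internal",
    "aws iam": "external",
    "slack webhook url": "external",
    "googleaiza": "external",
}

# Generic high-entropy detector: any long token whose characters are close to
# uniformly distributed. Hashes and checksums score high too, which is the
# false-positive problem the article refers to.
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


def shannon_entropy(token: str) -> float:
    """Bits of entropy per character of the token."""
    n = len(token)
    return -sum((c / n) * math.log2(c / n) for c in Counter(token).values())


def generic_high_entropy(line: str, threshold: float = 3.5) -> list[str]:
    """Return long, high-entropy tokens on the line (knows nothing about secret shape)."""
    return [t for t in GENERIC_TOKEN.findall(line) if shannon_entropy(t) >= threshold]


def scan(text: str, include_generic: bool = False) -> Counter:
    """Count findings per detector; generic results only when explicitly included."""
    counts: Counter = Counter()
    for line in text.splitlines():
        for name, pattern in SPECIFIC_DETECTORS.items():
            counts[name] += len(pattern.findall(line))
        if include_generic:
            counts["generic high entropy"] += len(generic_high_entropy(line))
    return counts


def scope_breakdown(counts: Counter) -> Counter:
    """Aggregate specific-detector findings into the internal/external split."""
    by_scope: Counter = Counter()
    for name, n in counts.items():
        if name in SCOPE and n:
            by_scope[SCOPE[name]] += n
    return by_scope


# Constructed sample file: every value is a documentation placeholder, not a
# real credential. The two hex digests are deliberately not secrets.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SLACK_HOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderplaceholder
-----END RSA PRIVATE KEY-----
SECRET_KEY = 'django-insecure-placeholder-0123456789abcdef'
commit = "3f1a9c2e7b8d4f60a1c5e9d2b7f3a8c4e6d1b0f9"
sha256sum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"""

if __name__ == "__main__":
    specific = scan(SAMPLE)
    print("specific detectors only:", {k: v for k, v in specific.items() if v})
    print("scope split:", dict(scope_breakdown(specific)))
    print("generic high-entropy hits (excluded from the count):",
          scan(SAMPLE, include_generic=True)["generic high entropy"])
```

Running the block reports four specific findings (two internal, two external) and zero generic hits; switching the generic detector on adds the commit hash and checksum, which is exactly the kind of inflation the article avoids by excluding generic detectors from the 6,695 figure.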
This is very much in line with what you would expect from a company of this size and is actually better than the average number of secrets we generally find when a comparable organization does an initial scan. A recent report from GitGuardian showed that in an organization with an average of 400 developers, over 1,000 secrets are found within internal source code repositories (Source: State of Secrets Sprawl 2022). If such secrets are leaked, it could affect Samsung's ability to securely update phones, grant adversaries access to sensitive customer information, or allow them to access Samsung's internal infrastructure with the potential of launching further attacks.
“These attacks are publicizing a problem many in the security industry have been sounding the alarm for: internal source code contains an increased amount of sensitive data yet remains a very leaky asset. Source code is widely accessible by developers throughout the company, backed up onto different servers, stored on developers' local machines and even shared through internal documentation or messaging services. This makes it a very attractive target for adversaries, which is why we are seeing a persistence in the frequency with which these attacks are occurring.” - Mackenzie Jackson, Developer Advocate
On the Lapsus$ Telegram channel, we can get a hint at how the hacking group is actually gaining access to these repositories: it sends out what is essentially a call to action to employees of large organizations, asking them to grant the group access.
Unfortunately, I do not believe we are at the end of seeing attacks like this. The group is now sharing polls, again through its Telegram channel, asking followers which source code they should leak next, indicating that many more leaks of internal source code are likely to come in the future.
Read more on why source code in internal repositories is such a problem in GitGuardian’s State of Secrets Sprawl Report