Just over a year ago, graphics card giant Nvidia announced an unexpected software “feature”: anti-crypto code built into the drivers for its latest graphics processing units (GPUs).
In a nutshell, if the driver software decides that the GPU is being used to perform the calculations associated with Ethereum cryptocurrency mining, it cuts the speed of code execution in half.
This limit is not intended to protect users or to limit hardware damage, for example if the GPU is driven too hard and becomes dangerously overheated.
It’s all about managing supply and demand.
Unfortunately for avid gamers, who love powerful GPUs because they improve the gaming experience with faster and more realistic graphics, cryptomining syndicates prefer good GPUs too.
GPUs speed up the computation (the hash rate, as it is known in the jargon) by 5 to 10 times compared with a regular CPU using the same amount of power.
Even more unfortunately for gamers, who can buy one or two GPUs at a time, mining syndicates use their purchasing power to buy GPUs in bulk.
This, in turn, encourages bulk buying by scalpers too, who aim to sell “used” cards well above the new retail price when official supplies run out.
Nvidia decided to appease its many avid gaming fans, the company’s most loyal long-term GPU customers given that they actually want the cards for graphics, by splitting its processor card line in two.
Mining XOR game
Nvidia said last year:
We are announcing the NVIDIA CMP [Cryptocurrency Mining Processor] product line for professional mining to address the specific needs of Ethereum mining. CMP products, which do not use graphics, […] optimized for best mining performance and efficiency. They don’t meet the required specs for GeForce GPUs, so they don’t affect gamers’ GeForce GPU availability.
The idea is that GeForce GPUs will run at full speed when used for graphics, but are deliberately slowed down if used for Ethereum mining, by what Nvidia calls its Lite Hash Rate system, or LHR for short.
At the time of the announcement, public opinion was sharply divided. You can tell by looking at the many comments on last year’s article.
Naked Security readers reacted in different ways.
“Great for Nvidia!” said a gamer named Trillian.
Others argued that this LHR behavior was unfair because they used their GPU cards for a mix of gaming and mining.
And a commenter named J Riley Castine was even more critical and wanted to know: “How could such a move […] Isn’t that a violation of antitrust laws?”
Exit the light and enter the night
Well, it looks like this year-long community divide over LHR has spilled into outright cybercrime.
Popular tech website Tom’s Hardware, among numerous other commentators, reports that the cybercriminal organization Lapsus$ claimed to have hacked Nvidia and stolen terabytes of data…
…and issued what amounts to an unusual ransomware demand: remove the Lite Hash Rate limiter, or else!
According to an IM screenshot posted by Tom’s Hardware, the suspected hackers wrote:
Hello,
We decided to help the mining and gaming community. We want nvidia to push an update to all 30 series firmware that removes all lhr restrictions. Otherwise the hw folder will leak.
If you remove the lhr you will forget the hw folder.
thank you.
That hw folder (short for “computer hardware”), the 1TB of stolen data mentioned above, appears to include card schematics, driver and firmware code, internal documentation, and more.
Ironically, in the same message thread, these hackers claim to sell their own “LHR unlockers” for some Nvidia cards, but if Nvidia removes the LHR limit for everyone, the underground market for such cracking tools will definitely evaporate.
Perhaps the existence of this dark web LHR unlocker is meant to make Nvidia feel more pressured, on the grounds that the LHR bypass could be disclosed anyway, allowing the company to comply with the blackmail demands?
What to do?
When these kinds of messages start to circulate, it’s hard to know what to believe.
Did the hackers really break in in the first place? Did they really steal the information they claim? Was it a traditional ransomware attack that aimed to steal the data and scramble it for further exploitation? If so, and assuming the data-scrambling part was thwarted, why should we believe the bragging in the message? Are there really any LHR unlockers, or did the scammers add that to heighten the drama?
We may never know the answers to these questions, but we can still learn from the claims, which reiterate the importance of defense-in-depth.
Defense-in-depth not only includes multiple layers of proactive protection aimed at early threat detection and prevention, but ideally requires continuous threat assessment and response to understand what actually happened when anomalies are detected.
The self-proclaimed Nvidia hacker says:
We’ve been stuck on nvidia systems for about a week and quickly escalated to admins on many systems. We got 1TB of data.
Whether this is true or not, it describes the nature of many modern cyberattacks, which go beyond a simple automated “break-and-run” approach.
Modern cyber intrusions typically involve long-term, human-led network traversal, privilege escalation, and data exfiltration.
An attacker with administrative privileges could introduce a backdoor along the way or add an additional network account for themselves, allowing them to come back quietly and easily next time…
…unless you go to the trouble of finding and destroying the booby traps they left behind.