Hackers are currently running a malicious campaign with stolen NVIDIA code signing certificates: they sign malware with the certificates so that it appears trustworthy, which allows compromised drivers to be loaded on Windows systems.
NVIDIA recently confirmed that it was the target of a hack that resulted in the theft of employee credentials. The statement was later corroborated by Have I Been Pwned, which added 70k credentials compromised in the NVIDIA data breach to its database.
The cyberattack was claimed by Lapsus$, a threat actor that says it stole 1TB of data during the breach and began leaking that data after the company refused to negotiate with it.
As Bill Demirkapi stated in a tweet, the NVIDIA leak also included two stolen code-signing certificates that NVIDIA developers use to sign drivers and executables.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
What is a code signing certificate? A code signing certificate is a digital certificate used to sign executable files. It is commonly used in software development and gives the end user a level of assurance about who published the code. Under Microsoft’s rules, kernel-mode drivers should be signed before the operating system loads them, for enhanced security.
After Lapsus$ exposed NVIDIA’s code-signing certificates, security experts quickly discovered that hackers were using them to sign malware and other tools.
VirusTotal samples indicate that the stolen certificates were used to sign various kinds of malware and hacking tools, such as Mimikatz, Cobalt Strike beacons, remote access trojans, and backdoors. For instance, the certificates were used to sign the Quasar remote access trojan, and even a Windows driver was signed with one of them.
According to BleepingComputer, the stolen certificates carry the following serial numbers, as security researchers Kevin Beaumont and Will Dormann state:
43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518
Both stolen NVIDIA certificates under discussion are known to be expired. However, as the same publication notes, Windows will still permit a driver signed with these certificates to be installed. By exploiting the stolen certificates, hackers can make their programs pose as official NVIDIA software, with the result that Windows loads malicious drivers.
Regarding these issues, David Weston, director of enterprise and OS security at Microsoft, proposed a solution on Twitter: admins can configure Windows Defender Application Control (WDAC) policies to control which drivers are loaded. WDAC can thus serve as a method to prevent vulnerable drivers from being loaded into Windows.
WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation I have seen, so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need.
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022
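Before writing a WDAC deny rule as Weston suggests, an admin usually wants an inventory of which drivers on a host are signed with the leaked certificates. The script below is an added example, not code from the article or from Microsoft: it walks the driver directories, reads each file’s Authenticode signer with the standard Get-AuthenticodeSignature cmdlet, and reports files whose signer certificate serial number matches one of the two serials quoted above. The function name and the scanned paths are assumptions chosen for this example.

```powershell
# Added example (not from the article): inventory .sys files whose Authenticode
# signer certificate carries one of the two leaked NVIDIA serial numbers.
# Assumes Windows PowerShell with the built-in Get-AuthenticodeSignature cmdlet.

# Serial numbers as listed in the article; compared as uppercase hex.
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781BC862E8DC503A559346F5DCC518'
)

function Find-LeakedNvidiaSignedDrivers {
    param(
        # Assumed default locations; add any vendor install directories you use.
        [string[]]$Paths = @(
            "$env:SystemRoot\System32\drivers",
            "$env:SystemRoot\System32\DriverStore\FileRepository"
        )
    )

    Get-ChildItem -Path $Paths -Recurse -Filter *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate   # $null when the file is unsigned

            if ($null -ne $cert -and
                $LeakedSerials -contains $cert.SerialNumber.ToUpperInvariant()) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Subject  = $cert.Subject
                    Serial   = $cert.SerialNumber
                    NotAfter = $cert.NotAfter          # both leaked certs are expired
                    Status   = $sig.Status             # may still read Valid; the serial is the point
                    SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Run the inventory and show the matches; the paths and hashes are the input
# you would carry into a WDAC deny rule.
Find-LeakedNvidiaSignedDrivers | Format-Table -AutoSize
```

A match is an inventory hit, not a verdict: legitimate NVIDIA drivers signed with these certificates before the leak will match too, and Get-AuthenticodeSignature reports only the primary signature, so a file carrying the leaked certificate in a secondary signature is not caught by this check.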