NVIDIA Code Signing Certificates Leveraged to Sign Malware
NVIDIA Data Breach Does Not Stop Here, as Hackers Futher Develop Their Malicious Operations.
Hackers are currently engaging in a malicious operation with stolen NVIDIA code signing certificates they leverage to sign malware to make it look trustworthy. This allows them to load compromised drives in Windows systems.
NVIDIA has recently confirmed that it has been the target of a hack that resulted in the theft of employees’ credentials. This statement was later supported also by Have I Been Pwned which added to its database 70k compromised credentials in the NDIVIA’s data breach.
As claimed by the hacking group itself, the cyberattack was attributed to Lapsus$, a threat actor who said to have stolen 1TB of information during the data breach and started to perform a data leaking operation following the company’s refusal to negotiate with the malicious actor.
As Bill Demirkapi stated in a tweet, the NVIDIA leak consisted also of two stolen code-signing certificates usually employed by the developers at NVIDIA for drivers and executable signing purposes.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
What is a code signing certificate? A code signing certificate is a digital certificate that is used to sign executable files. It is usually used in software development and it provides a level of assurance for the end-user. As per Microsoft’s rules, kernel-mode drivers should be signed prior to the operating system loading them for enhanced security.
Security experts rapidly discovered that the certificates were being employed by hackers to sign malware and other tools used by them after Lapsus$ exposed code-signing certificates of NVIDIA.
Virus Total’s samples indicate that the stolen certificates had been made use of to sign different kinds of malware and hacking tools purposes such as Mimikatz, Cobalt Strike beacons, remote access trojans, or backdoors. For instance, the certificates served as means to sign Quasar remote access trojan, and even a Windows driver was signed with such a certificate.
It is known that both stolen NVIDIA certificates under discussion are expired. However, as the same publication further states, Windows will still permit that a driver signed with these certificates to be installed. Exploiting these stolen certificates, hackers manage to make their programs pose as official NVIDIA ones to their benefit. This thing results in uploading malicious drivers by Windows.
In regards to these issues, David Weston, who is director of enterprise and OS security at Microsoft, has come up with a solution on Twitter saying that admins can perform some configurations to Windows Defender Application Control policies to have control over which drivers are loaded. WDAC could serve as a method to prevent loading vulnerable drivers into Windows.
WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation i have seen so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022