After the Lapsus$ group breached Nvidia and leaked employee credentials and confidential data, the company faces a second problem: threat actors are using its stolen code-signing certificates to sign malware, making it appear trustworthy and letting malicious drivers load on Windows machines.
Security researchers found Nvidia's signing certificates on malware and attacker tooling, including Cobalt Strike beacons, Mimikatz, backdoors and RATs (remote access trojans), according to samples uploaded to the VirusTotal malware-scanning service.
Nvidia suffered the breach last Wednesday, after which the hackers demanded that the company make its drivers open-source or face a data leak. When Nvidia refused to negotiate, the group began leaking data, including the two code-signing certificates.
Legit drivers more important than malicious ones?
While some of the files uploaded to VirusTotal likely came from security researchers, a fair number appear to be in active use by threat actors. Both certificates have expired, but Windows will still load a driver signed with them.
This means attackers can make their programs pass as legitimate Nvidia software, allowing malicious software or drivers to be loaded and to gain access to Windows. According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates use the following serial numbers.
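The check a practitioner wants at this point is a way to find files on a host that carry one of the leaked signers. The PowerShell below is an added example, not code from the article or from the researchers it cites: it enumerates the drivers Windows knows about plus the driver store, reads each file's Authenticode signer and flags any whose certificate serial number is in a watch list. The two serial values are placeholders (the article's list is not reproduced here); substitute the serials the researchers published. The driver-store path is assumed to be the default.

```powershell
# Added example (not from the article): flag PE files whose Authenticode signer
# certificate serial number is on a watch list. The two values below are
# PLACEHOLDERS; replace them with the serials published by Beaumont and Dormann.
$LeakedSerials = @(
    '<serial-of-leaked-cert-1>',   # placeholder, not a real value
    '<serial-of-leaked-cert-2>'    # placeholder, not a real value
)

function Test-LeakedSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Serials = $LeakedSerials
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) { return $null }   # unsigned file, nothing to compare
    $cert = $sig.SignerCertificate
    # PowerShell string comparison is case-insensitive, so hex case does not matter.
    $hit = $Serials -contains $cert.SerialNumber
    [pscustomobject]@{
        Path       = $Path
        Subject    = $cert.Subject
        Serial     = $cert.SerialNumber
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))   # expired certs are the article's point
        Status     = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        LeakedCert = $hit
    }
}

# Candidate files: every registered system driver plus everything in the driver store
# (default path assumed).
$candidates  = @()
$candidates += (Get-CimInstance Win32_SystemDriver | Where-Object PathName).PathName
$candidates += (Get-ChildItem 'C:\Windows\System32\DriverStore\FileRepository' -Recurse `
                -Filter *.sys -ErrorAction SilentlyContinue).FullName

$results = $candidates | Sort-Object -Unique |
           ForEach-Object { Test-LeakedSigner -Path $_ } |
           Where-Object { $_ }

# Anything signed with a leaked certificate is suspect whether or not it looks like an
# Nvidia driver; the Subject column alone proves nothing, because that is what was stolen.
$results | Where-Object LeakedCert |
    Format-Table Path, Subject, Serial, Expired, Status -AutoSize
```

Key the triage on the serial match, not on the Subject field or on Status: the subject is exactly what a signature made with the stolen key reproduces, and expiry does not stop the driver from loading, which is the problem the article describes.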
To mitigate this, David Weston, director of Enterprise and OS Security at Microsoft, suggested in a tweet that admins configure Windows Defender Application Control (WDAC) policies to control which Nvidia drivers can be installed and loaded.
However, these policies are not easy to configure, especially for people who want to use their computers rather than work through Windows policies and code-signing rules. Microsoft could also revoke the certificates, given the potential for abuse, but that would stop legitimate Nvidia drivers signed with them from loading as well.
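The trade-off in the paragraph above (blocking the certificate blocks the real drivers too) is what a WDAC policy can avoid, because WDAC is an allow-list: a driver loads only if some rule permits it. The PowerShell below is an added example, not Weston's tweet or a Microsoft-published policy. It starts from Microsoft's DefaultWindows audit template, allow-lists the Nvidia driver files already installed on the machine by file hash, leaves the Nvidia certificate itself without any publisher-level allow, and stays in audit mode. A binary signed with the leaked certificate that is not one of the hashed files then matches no allow rule. The working directory and the assumption that Nvidia driver packages in the driver store have names starting with `nv` are assumptions for the example.

```powershell
# Added example (not from the article, not from Microsoft): a WDAC policy that
# allow-lists the currently installed Nvidia driver files by hash, on top of the
# DefaultWindows template, in audit mode. Items marked ASSUMED are assumptions.
$Work = 'C:\WDAC'                                                              # ASSUMED working dir
$Base = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
$NvDrivers = Get-ChildItem 'C:\Windows\System32\DriverStore\FileRepository' -Directory |
             Where-Object Name -like 'nv*'                                      # ASSUMED package naming

New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Hash-level allow rules for exactly the files present now. A hash rule cannot be
# satisfied by a different binary, even one signed with the same certificate, which
# is why this is preferable to allowing the Nvidia publisher certificate.
$i = 0
$hashPolicies = foreach ($dir in $NvDrivers) {
    $out = Join-Path $Work ("nv-allow-{0}.xml" -f $i++)
    New-CIPolicy -FilePath $out -Level Hash -ScanPath $dir.FullName -UserPEs
    $out
}

# Merge the template with the per-package allow policies into one policy.
$Policy = Join-Path $Work 'nvidia-lockdown.xml'
Merge-CIPolicy -PolicyPaths (@($Base) + $hashPolicies) -OutputFilePath $Policy | Out-Null

# Rule option 3 = Enabled:Audit Mode. Stay here until the CodeIntegrity event log
# shows no unexpected would-be blocks, then remove the option with -Delete to enforce.
Set-RuleOption -FilePath $Policy -Option 3

# Compile and deploy in single-policy format; takes effect after a reboot.
$Bin = Join-Path $Work 'SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $Bin | Out-Null
Copy-Item $Bin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
```

Two cautions. First, an explicit deny for the leaked signer (`Add-SignerRule ... -Deny`) is possible, but WDAC evaluates deny rules ahead of allow rules, so it would block the legitimate drivers as well, reproducing the revocation problem the paragraph describes; omitting the publisher from the allow list achieves the block without that cost. Second, a hash allow list has to be regenerated whenever the driver is updated, which is the "not easy" part of the approach.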
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.