
Nvidia’s leaked signing certificates are enabling malware


After the Lapsus$ group breached Nvidia and leaked employee credentials and confidential data, the company now faces a second problem: threat actors are using the stolen code-signing certificates to sign malware, so that malicious binaries and drivers appear to come from Nvidia and can be loaded on Windows machines.

Security researchers found Nvidia's certificates being used to sign malware and attacker tooling, including Cobalt Strike beacons, Mimikatz, backdoors and remote access trojans (RATs), based on samples uploaded to the VirusTotal malware-scanning service.

Nvidia suffered the breach last Wednesday. The attackers demanded that the company make its drivers open source, threatening to leak data otherwise. After Nvidia refused to negotiate, the group began leaking data, including the two code-signing certificates.


Legit drivers more important than malicious ones?

While some of the files uploaded to VirusTotal likely came from security researchers, a fair number appear to be in active use by threat actors. Both certificates are expired, but that offers no protection: Windows does not reject a driver simply because the certificate it was signed with has since expired, so drivers signed with these certificates can still be loaded.

This means attackers can make their programs look like legitimate Nvidia software, getting malicious executables and kernel drivers loaded on Windows with the trust a signed Nvidia driver normally enjoys. According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates have the following serial numbers:

43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518

To prevent this, David Weston, director of Enterprise and OS Security at Microsoft, suggested in a tweet that admins configure Windows Defender Application Control (WDAC) policies to control which Nvidia drivers are allowed to be installed and loaded.

However, configuring these policies isn't easy, especially for users who simply want to use their computers rather than work through Windows policies and code-signing details. Microsoft could add the certificates to Windows' certificate revocation list given the potential for abuse, but doing so would also stop legitimate Nvidia drivers signed with them from working.
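Before writing a WDAC policy, an administrator needs to know which files on a machine actually carry a signature from the leaked certificates. The PowerShell script below is an added example, not code from the article, from Nvidia or from Microsoft: it walks one or more directories, reads each file's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and reports files whose signer serial number matches either of the serials quoted above. The scan paths, the function name and the output fields are assumptions of the example.

```powershell
# Added example: find files signed with the leaked Nvidia certificates.
# Serial numbers are the two quoted in the article (researchers Beaumont and
# Dormann). Everything else here is an assumption of this example.

$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781BC862E8DC503A559346F5DCC518'
)

function Find-LeakedNvidiaSigner {
    param(
        # Files or directories to scan (recursively).
        [Parameter(Mandatory)] [string[]] $Path,
        # Serial numbers to flag; defaults to the two leaked certificates.
        [string[]] $Serials = $LeakedSerials
    )

    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.dll, *.exe `
                           -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($null -eq $sig.SignerCertificate) { continue }   # unsigned file

        # X509Certificate2.SerialNumber is upper-case hex with no separators,
        # so normalise case before comparing against the list.
        $serial = $sig.SignerCertificate.SerialNumber.ToUpperInvariant()
        if ($Serials -contains $serial) {
            [pscustomobject]@{
                Path      = $file.FullName
                Serial    = $serial
                Subject   = $sig.SignerCertificate.Subject
                NotAfter  = $sig.SignerCertificate.NotAfter   # already in the past for both certs
                # Status may still read Valid when the signature was timestamped;
                # expiry alone is not a reason for Windows to reject the file.
                Status    = $sig.Status
                Timestamped = ($null -ne $sig.TimeStamperCertificate)
            }
        }
    }
}

# Usage (assumed paths): scan the driver store and a download folder.
Find-LeakedNvidiaSigner -Path "$env:SystemRoot\System32\drivers", "$env:USERPROFILE\Downloads" |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. A match only tells you the file was signed with one of the leaked certificates; legitimate Nvidia drivers installed before the breach will match too, which is exactly why blanket revocation is painful and why Weston pointed at WDAC rules that allow specific known-good Nvidia drivers rather than at the certificates themselves. Second, Get-AuthenticodeSignature reports the primary signature of a PE file; a file carrying several signatures could have the leaked certificate in a secondary signature that this scan would not see.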


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
