Code-Signing Certificates Pinched in Nvidia Attack Used for Malware

Code-signing certificates belonging to Nvidia that were stolen in the late-February 2022 cyberattack on the chipmaker are now being used to sign malicious code, so that the malware can slip past automated defenses that trust signed binaries.

The malicious packages signed with the Nvidia certificates target Windows systems. Nvidia was attacked by the Lapsus$ extortion gang in late February, and the certificates were exfiltrated as part of that intrusion. In total, around 1TB of data was siphoned from the chipmaker's servers.

Expired certificates still accepted by OS

In addition to the certificates, Lapsus$ also stole schematics, driver source, and email addresses and password hashes for more than 70,000 Nvidia employees.

A few days after the initial attack, security researchers reported on Twitter that the same certificates were being used to sign binaries containing malware. The signed payloads were later identified as instances of Mimikatz, Cobalt Strike beacons, and assorted backdoor and remote-access tools.

Even though both stolen Nvidia certificates had already expired, researchers found they could still be used to sign software, including kernel drivers, that Windows accepts without complaint. Windows does not treat a code signature as invalid merely because the signer's certificate has since expired, and the kernel driver-signing policy still grandfathers drivers signed under the legacy cross-signing scheme with end-entity certificates issued before 29 July 2015, so a driver signed today with one of these certificates loads on a default Windows installation.

Will Dormann, a vulnerability analyst at CERT/CC, and Kevin Beaumont shared the serial numbers of the two misused Nvidia certificates, which defenders can use to hunt for signed samples:

43BB437D609866286DD839E1D00309F5

14781BC862E8DC503A559346F5DCC518

Microsoft offers mitigation techniques

Microsoft's director of enterprise and OS security tweeted a way to restrict which Nvidia drivers are allowed to load, using Windows Defender Application Control (WDAC) policies. Authoring such a policy is not something a home user is likely to manage, but it is a practical control for businesses and larger networks with dedicated IT security staff. Note that a blanket block on the two certificate serials is not an option, because legitimate Nvidia drivers already installed on many machines were signed with the same certificates; the policy has to constrain which signed drivers are permitted rather than simply deny the signer.
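Alongside a WDAC policy, a practitioner usually wants to hunt for binaries that already carry one of the stolen signers. The script below is an added example written for this article, not Microsoft's mitigation and not code from Nvidia or the researchers. It walks a PE file's certificate table, pulls out the Authenticode PKCS#7 blobs, and searches them for the DER-encoded serial numbers listed above. The `build_constructed_pe` helper and the two `CONSTRUCTED_*` blobs are stand-ins assembled here so the scanner can be demonstrated offline; they are not real signed binaries.

```python
"""Hunt PE files for Authenticode signatures referencing the stolen Nvidia serials.

Added example for this article (hypothetical hunt script, not Microsoft's WDAC control).
"""
import struct

# Serial numbers published for the misused Nvidia certificates (from the article).
STOLEN_NVIDIA_SERIALS = (
    "43BB437D609866286DD839E1D00309F5",
    "14781BC862E8DC503A559346F5DCC518",
)

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_integer(serial_hex: str) -> bytes:
    """DER-encode a certificate serial as an ASN.1 INTEGER.

    This exact byte pattern appears in the signer's X.509 certificate
    (tbsCertificate.serialNumber) and again in the PKCS#7 SignerInfo
    (issuerAndSerialNumber), so it can be searched for directly.
    """
    raw = bytes.fromhex(serial_hex).lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:            # a set high bit would make the INTEGER negative
        raw = b"\x00" + raw
    assert len(raw) < 0x80       # short-form length suffices for real serials
    return b"\x02" + bytes([len(raw)]) + raw


def authenticode_blobs(pe: bytes) -> list:
    """Return the PKCS#7 SignedData blobs from a PE file's certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    # Data directories begin 96 (PE32) or 112 (PE32+) bytes into the optional header.
    dd_offset = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd_offset is None or size_of_optional < dd_offset:
        raise ValueError("unsupported optional header")
    (num_dirs,) = struct.unpack_from("<I", pe, opt + dd_offset - 4)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    # Unlike the other directories, the security entry holds a file offset, not an RVA.
    sec_offset, sec_size = struct.unpack_from(
        "<II", pe, opt + dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_offset == 0 or sec_size == 0:
        return []                # unsigned binary
    table = pe[sec_offset:sec_offset + sec_size]
    blobs, pos = [], 0
    while pos + 8 <= len(table):
        length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            break                # truncated or malformed WIN_CERTIFICATE entry
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(table[pos + 8:pos + length])
        pos += (length + 7) & ~7 # entries are padded to 8-byte boundaries
    return blobs


def stolen_signers(pe: bytes) -> list:
    """Serials from STOLEN_NVIDIA_SERIALS present in the file's Authenticode data."""
    patterns = {s: der_integer(s) for s in STOLEN_NVIDIA_SERIALS}
    found = []
    for blob in authenticode_blobs(pe):
        for serial, pattern in patterns.items():
            if pattern in blob and serial not in found:
                found.append(serial)
    return found


def build_constructed_pe(signature_blob: bytes) -> bytes:
    """Assemble a minimal, non-executable PE32+ image whose certificate table
    carries signature_blob. Constructed for this demonstration only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    optional = bytearray(240)                              # PE32+ with 16 directories
    struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<I", optional, 108, 16)              # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + 240                        # 328 bytes, 8-byte aligned
    entry_len = 8 + len(signature_blob)
    padded_len = (entry_len + 7) & ~7
    struct.pack_into("<II", optional, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers_len, padded_len)
    win_cert = struct.pack("<IHH", entry_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    win_cert += signature_blob + b"\0" * (padded_len - entry_len)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + win_cert


# Constructed stand-ins for PKCS#7 blobs: not valid signatures, they merely embed the
# DER INTEGER a certificate with the given serial would contain.
CONSTRUCTED_BAD_BLOB = b"\x30\x82\x01\x00" + der_integer(STOLEN_NVIDIA_SERIALS[0]) + b"\0" * 32
CONSTRUCTED_OK_BLOB = b"\x30\x82\x01\x00" + der_integer("0123456789ABCDEF0123456789ABCDEF") + b"\0" * 32

if __name__ == "__main__":
    print(stolen_signers(build_constructed_pe(CONSTRUCTED_BAD_BLOB)))  # ['43BB437D609866286DD839E1D00309F5']
    print(stolen_signers(build_constructed_pe(CONSTRUCTED_OK_BLOB)))   # []
```

Run `stolen_signers(open(path, "rb").read())` over a directory of drivers and executables to list files carrying either serial. A hit means only that the file was signed with one of the leaked certificates, which also covers genuine Nvidia drivers; triage a hit by checking the signing time and whether the file matches a known-good Nvidia release, and rely on the WDAC policy above for prevention.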

As part of its attack on Nvidia, the Lapsus$ gang demanded that the chipmaker make all of its drivers open source, a demand the company is not going to meet. The attackers threatened to release the source code themselves, but so far that remains only a threat.
