Malicious actors are using stolen NVIDIA code-signing certificates to gain remote access to unsuspecting machines and deploy malware on Windows.
Earlier this week, NVIDIA, an American multinational firm, suffered a cyberattack that allowed hackers to steal credentials and proprietary data of 71,000 employees.
The hacking group, known as Lapsus$, claimed that they stole 1TB of data during the attack and began leaking sensitive information online after NVIDIA rejected their ransom demand.
The exposed data includes two stolen code-signing certificates that NVIDIA developers used to sign their drivers and executables before releasing them to the public. A signature lets Windows and end users verify who produced the original file. To harden Windows, Microsoft also requires kernel-mode drivers to be code signed; otherwise the OS refuses to load them.
After Lapsus$ leaked NVIDIA's code-signing certificates, cybersecurity experts quickly discovered that the certificates were being used to sign malware and other tools used by threat actors.
Malware samples signed with the NVIDIA certificates were discovered on VirusTotal, a malware scanning service. The uploaded samples showed the certificates being used to sign hacking tools and malware, including Cobalt Strike Beacon, Mimikatz, backdoors, and remote access trojans.
Security researchers Kevin Beaumont and Will Dormann shared that the stolen certificates carry the following serial numbers:
43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518
Both certificates are expired NVIDIA certificates, but Windows still accepts signatures made with them. Using the stolen certificates therefore lets threat actors make their programs look like legitimate NVIDIA software and get malicious drivers loaded by Windows.
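As an added example that is not part of the article, the following PowerShell script scans a directory tree for Authenticode-signed files whose signing certificate carries one of the two serial numbers listed above; the default scan path and the function name are my own choices, not anything from the article or from NVIDIA.

```powershell
# Added example (not from the article): report signed files whose leaf signing
# certificate matches one of the two leaked NVIDIA certificate serial numbers.
# Assumes Windows PowerShell 5.1 or later on Windows; $ScanRoot is a placeholder.
param(
    [string]$ScanRoot = "$env:SystemRoot\System32\drivers"
)

# Serial numbers of the leaked NVIDIA certificates, as listed in the article.
# Windows reports serial numbers as uppercase hex, so normalise both sides.
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781bc862e8dc503a559346f5dcc518'
) | ForEach-Object { $_.ToUpperInvariant() }

function Find-LeakedNvidiaSignatures {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.sys,*.dll,*.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate          # $null for unsigned files
            if ($null -ne $cert -and $LeakedSerials -contains $cert.SerialNumber.ToUpperInvariant()) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Serial    = $cert.SerialNumber
                    Subject   = $cert.Subject
                    NotAfter  = $cert.NotAfter      # both leaked certs are past this date
                    SigStatus = $sig.Status         # what Windows itself thinks of the signature
                }
            }
        }
}

Find-LeakedNvidiaSignatures -Root $ScanRoot | Format-Table -AutoSize
```

Get-AuthenticodeSignature only returns the primary signature, so a file carrying the leaked certificate in a secondary (nested) signature would not be flagged; treat an empty result as a first pass rather than proof of absence.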
“Signing certificates are the keys computers use to verify trust in software,” Casey Bisson, head of product and developer relations at code-security product provider BluBracket, stated. “Validating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).”
To prevent vulnerable drivers from being installed on Windows, David Weston, director of enterprise and OS security at Microsoft, tweeted that admins can configure Windows Defender Application Control policies to control which specific NVIDIA drivers can be loaded on the system.