
Leaked Nvidia certificates used to sign malware bypassing Windows detection

Windows admins are advised to implement custom policies to avoid seemingly legitimate malware making its way into corporate environments

Security researchers have discovered malware being signed with Nvidia code signing certificates days after the LAPSUS$ group leaked a trove of the company’s stolen files.

The stolen files included two code signing certificates. Although both have now expired, malware signed with them will still be loaded by Windows.

Windows typically rejects drivers or executables signed with expired certificates. A certificate issued after 29 July 2015 requires a timestamp (a countersignature that keeps a signature trusted after the certificate expires), but for certificates issued before that date, as is the case with these two Nvidia certificates, Windows accepts the signature without a timestamp, expired or not, said Bill Demirkapi, who works in offensive security at Zoom.

Such certificates exist so that Windows users can verify the authenticity of a given driver or application. Signing malware with a legitimate, if expired, certificate means Windows treats the application as genuine and not modified by a third party.

Among the types of malware already discovered to be signed with Nvidia’s code signing certificates are Mimikatz, Cobalt Strike beacons, and remote access trojans, according to VirusTotal searches.


"The recent Nvidia security breach involving certificate abuse is eerily like the one Opera suffered in 2013 and one that Adobe reported in 2012," said Pratik Selva, senior security engineer at Venafi. "If organisations do not properly secure the process and the infrastructure for managing code signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high."

"Although the certificates have expired, Windows will still allow a driver signed by a company to be installed so that it still constitutes a risk," said Alexis Vanden Eijnde, senior security consultant at Prism Infosec. "Microsoft should soon add the certificates to their revocation list and this will prevent the malicious drivers signed by stolen certificates from being loaded into Windows."

Windows admins are advised to create custom policies in Windows Defender Application Control to filter out the approvals for specific signed certificates.
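As an added example (not from the article or from Microsoft), the following PowerShell hunts a folder for binaries that match what the article describes: files whose Authenticode signer is one of the leaked certificates, or whose signer is expired, was issued before 29 July 2015 and carries no timestamp, the combination Windows still accepts. The serial numbers are placeholders, since the article does not list them; the hits can then be fed into a WDAC deny rule as recommended above.

```powershell
# Added example: find binaries signed with a leaked or expired-but-still-trusted certificate.
# The serials below are placeholders (assumption); replace them with the published values.
$LeakedSerials   = @('PLACEHOLDER_SERIAL_1', 'PLACEHOLDER_SERIAL_2')
$TimestampCutoff = Get-Date '2015-07-29'   # certificates issued before this date need no timestamp

function Find-SuspectSignedFiles {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }   # unsigned file: outside the scope of this check

        $isLeaked    = $LeakedSerials -contains $cert.SerialNumber
        $expired     = $cert.NotAfter -lt (Get-Date)
        $preCutoff   = $cert.NotBefore -lt $TimestampCutoff
        $noTimestamp = -not $sig.TimeStamperCertificate   # no countersignature timestamp present

        if ($isLeaked -or ($expired -and $preCutoff -and $noTimestamp)) {
            [pscustomobject]@{
                File        = $_.FullName
                Subject     = $cert.Subject
                Serial      = $cert.SerialNumber
                NotBefore   = $cert.NotBefore
                NotAfter    = $cert.NotAfter
                Timestamped = -not $noTimestamp
                Status      = $sig.Status   # Windows may still report Valid for the pre-2015 case
                Reason      = if ($isLeaked) { 'leaked-serial' } else { 'expired-pre-2015-no-timestamp' }
            }
        }
    }
}

# Usage: scan the driver store and the Temp folder, the places such a binary is likely to land.
Find-SuspectSignedFiles -Path "$env:SystemRoot\System32\drivers" | Format-Table -AutoSize
Find-SuspectSignedFiles -Path $env:TEMP | Format-Table -AutoSize
```

Because Get-AuthenticodeSignature follows Windows' own trust decision, a hit with Status Valid is exactly the case the article warns about and should be reviewed rather than dismissed.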

The LAPSUS$ hacking group said last week that Nvidia had until Friday 4 March 2022 to completely open source its GPU drivers across all operating systems or the complete collection of stolen files would be leaked online.

The group has provided few updates since the deadline passed, apart from announcing its second major leak in as many weeks. LAPSUS$ said on Friday that it had obtained an array of source code belonging to Samsung which could lead to access to the “lowest level” of devices such as its Galaxy series of smartphones.
