Leaked Nvidia certificates used to sign malware bypassing Windows detection
Windows admins are advised to implement custom policies to avoid seemingly legitimate malware making its way into corporate environments
Security researchers have discovered malware being signed with Nvidia code signing certificates days after the LAPSUS$ group leaked a trove of the company’s stolen files.
Among the stolen files were two code signing certificates. Although both are now expired, malware signed with them is still accepted by Windows and loaded onto systems.
Windows typically rejects drivers or executables signed using expired certificates. A certificate issued after 29 July 2015 requires a timestamp (a method of using trusted certificates after expiration), but for certificates issued before that date, as in the case of these two Nvidia certificates, Windows accepts signatures without timestamps, expired or not, said Bill Demirkapi, offensive security at Zoom.
Such certificates are used so Windows users can verify the authenticity of any given driver or application. Signing malware with a legitimate, although expired certificate means Windows will be convinced the application is genuine and has not been modified by a third party.
"The recent Nvidia security breach involving certificate abuse is eerily like the one Opera suffered in 2013 and one that Adobe reported in 2012," said Pratik Selva, senior security engineer at Venafi. "If organisations do not properly secure the process and the infrastructure for managing code signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high."
"Although the certificates have expired, Windows will still allow a driver signed by a company to be installed so that it still constitutes a risk," said Alexis Vanden Eijnde, senior security consultant at Prism Infosec. "Microsoft should soon add the certificates to their revocation list and this will prevent the malicious drivers signed by stolen certificates from being loaded into Windows."
Windows admins are advised to create custom policies in Windows Defender Application Control to filter out the approvals for specific signed certificates.
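A concrete form of that advice, added here as an example and not taken from the article or from Microsoft documentation: a PowerShell session that first shows what the Authenticode signature of a sample file looks like (expired signing certificate, no timestamp), then turns that sample into a WDAC deny rule scoped to the leaf certificate and merges it into an existing base policy in audit mode. The file paths, the sample file and the base policy are placeholders; the ConfigCI cmdlets require an elevated session on a supported Windows build.

```powershell
# Added example (not the article's or Microsoft's code). Placeholders below are
# assumptions: a quarantined sample carrying one of the leaked signatures and an
# existing WDAC base policy XML on this host.
$SampleFile = 'C:\quarantine\suspect-driver.sys'   # placeholder path, not a real indicator
$BasePolicy = 'C:\WDAC\BasePolicy.xml'             # placeholder path
$OutPolicy  = 'C:\WDAC\DenyLeakedCert.xml'
$OutBinary  = 'C:\WDAC\SIPolicy.p7b'

function Get-SignatureRisk {
    # Summarise the fields that matter for the expired-but-accepted case.
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) { return $null }
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status              # user-mode WinVerifyTrust verdict; kernel
                                               # Code Integrity applies its own rules
        Signer      = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt (Get-Date))
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

$risk = Get-SignatureRisk -Path $SampleFile
$risk | Format-List
if ($risk.Expired -and -not $risk.Timestamped) {
    Write-Warning 'Expired signing certificate with no timestamp: the pattern described above.'
}

# Deny by leaf certificate so only the leaked certificate is blocked rather than
# everything the publisher ever signed (use -Level Publisher to block the whole signer).
$denyRules = New-CIPolicyRule -DriverFilePath $SampleFile -Level LeafCertificate -Deny

# Merge the deny rule into the base policy, keep it in audit mode (rule option 3)
# until event logs confirm nothing legitimate trips it, then compile to the binary
# form the Code Integrity engine loads.
Merge-CIPolicy -OutputFilePath $OutPolicy -PolicyPaths $BasePolicy -Rules $denyRules
Set-RuleOption -FilePath $OutPolicy -Option 3
ConvertFrom-CIPolicy -XmlFilePath $OutPolicy -BinaryFilePath $OutBinary
```

Remove rule option 3 once the audit events look clean to make the deny rule enforcing.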
The LAPSUS$ hacking group said last week that Nvidia had until Friday 4 March 2022 to completely open source its GPU drivers across all operating systems, or the complete collection of stolen files would be leaked online.
The group has provided few updates since the deadline passed, apart from announcing its second major leak in as many weeks. LAPSUS$ said on Friday that it had obtained an array of source code belonging to Samsung which could lead to access to the "lowest level" of devices such as its Galaxy series of smartphones.