Stolen Nvidia code signing certificates used to sign off malware

Malware
(Image credit: solarseven / Shutterstock)

A number of potentially dangerous malware strains have successfully snuck past antivirus software, thanks to highjacking signing certificates stolen from Nvidia.

The Lapsus$ cybercrime gang recently announced it had stolen a terabyte of data from the chip giant, and after failing to come to an agreement with the company on a ransom payment, decided to push the stolen intel live.

As researchers started to scour through the treasure trove of sensitive information, they discovered two code-signing certificates that Nvidia developers use to sign their drivers and executables. These security measures help Windows endpoints verify who built any specific app or program, as well as verifying nothing has been tampered with.

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Malware passing off as legit software

Cross-referencing the stolen certificates with their database, the researchers were quick to find them being used to sign malware and other malicious tools. 

As reported on the VirusTotal malware scanning service, the certificates were used to sign Cobalt Strike beacons, Mimikatz, as well as various backdoors, remote access trojans, and other malware.

According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates can be found under these serial numbers:

43BB437D609866286DD839E1D00309F5

14781bc862e8dc503a559346f5dcc518

Both certificates have reportedly already expired, but that won’t stop Windows allowing a driver signed with these, to be loaded in the OS.

There are ways to configure Windows Defender Application Control policies to eliminate compromised Nvidia drivers, but as BleepingComputer says, it’s “not an easy task, especially for non-IT Windows users”, who need to wait for the certificates to be added to Microsoft’s certificate revocation list.

Lapsus$ is making a name for itself, rather quickly. Having targeted Impresa, Portugal’s biggest media conglomerate, late last year, taking down multiple websites, TV channels, AWS infrastructure, and Twitter accounts, it also struck the websites of Brazil’s Ministry of Health (MoH), suspending Covid-19 vaccination efforts across the country. It claimed to have stolen 50TB worth of data, before deleting them from the MoH’s servers.

In the Nvidia attack, the group claims to have taken login information, and other sensitive data on tens of thousands of Nvidia employees. It also says the data helped it build a tool to eliminate the hash rate limiter for the RTX 3000 GPU, which can be used to mine Ether with just 50% of capacity.

It also released 190GB of sensitive data stolen from Samsung which, if proven authentic, could be one of the more damaging data leaks to occur this year.

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
An American flag flying outside the US Capitol building against a blue sky
US military and defense contractors hit with Infostealer malware
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Microsoft reveals over a million PCs hit by malvertising campaign
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
Nation-state threats are targeting UK AI research
Scam alert
Fake jobs and phone calls: How Americans lost $12.5 bn to fraud in 2024
Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration
Google bug bounty payments hit nearly $12 million in 2024
Scam alert
A new SMS energy scam is using Elon Musk’s face to steal your money
Representational image of a cybercriminal
Allstate sued for exposing personal customer information in plaintext
Latest in News
Garmin Instinct 3 next to the Apple Watch Ultra 2
New figures claim the smartwatch market just shrunk for the first time ever, and the Apple Watch Ultra 3 is to blame
Hitman: World of Assassination on PSVR 2.
Hitman: World of Assassination hits PSVR 2 soon, finally giving you a reason to dust off your headset
A stressed employee looking over some graphs
UK workers are spending more than one day per week tracking down information
Vision Pro Metallica
Apple Vision Pro goes off to never never land with Metallica concert footage
Mufasa is joined by another lion, a monkey and a bird in this promotional image
Mufasa: The Lion King prowls onto Disney+ as it finally gets a streaming release date
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump