Threat actors are signing malware with stolen NVIDIA code signing certificates to make it look trustworthy and allow malicious drivers to be installed into Windows. NVIDIA stated this week that they had been the victim of a hack in which threat actors stole employee credentials and sensitive data. The extortion gang Lapsus$ claims to have stolen 1TB of data during the hack and begun exposing it online when NVIDIA refused to bargain.
The breach includes two stolen code-signing certificates used by NVIDIA engineers to sign their drivers and executables. A code-signing certificate lets developers digitally sign executables and drivers, allowing Windows and end users to verify who published a file and whether it has been tampered with. Microsoft also requires kernel-mode drivers to be code signed before the operating system will load them, as a security measure.
Security experts rapidly discovered that the certificates were being used to sign malware and other tools used by threat actors after Lapsus$ exposed NVIDIA’s code-signing certificates. According to samples provided to the VirusTotal malware scanning service, the stolen certificates were used to sign numerous malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans. For example, one threat actor used the certificate for signing the Quasar remote access trojan [VirusTotal], while another used it to sign a Windows driver [VirusTotal].
Some of the files were most likely posted to VirusTotal by security researchers, but others appear to have been used in malware campaigns by threat actors [1, 2]. Even though both stolen NVIDIA certificates are expired, Windows will still allow a driver signed with them to be installed. By using these stolen certificates, threat actors make their programs look like official NVIDIA software and get Windows to load their malicious drivers.
According to David Weston, director of Enterprise and OS Security at Microsoft, administrators can create Windows Defender Application Control (WDAC) policies that restrict which NVIDIA drivers may be loaded, preventing known vulnerable drivers from loading in Windows. However, configuring WDAC is not simple, especially for non-IT Windows users.
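Before writing a WDAC policy, an administrator needs an inventory of what is actually NVIDIA-signed on the machine. The PowerShell below is an added example (not from the article or from Microsoft/NVIDIA) that lists files whose signer certificate names NVIDIA and is either expired or matches a known-stolen thumbprint; the thumbprint values, the function name and the scanned paths are placeholders and assumptions.

```powershell
# Added example, not part of the original article. Inventories Authenticode-signed
# files whose signer certificate names NVIDIA and flags those whose certificate has
# expired or whose thumbprint is on a known-stolen list. The thumbprints below are
# PLACEHOLDERS (the article does not publish them); take real values from a trusted
# advisory. The function name and scan paths are assumptions for this example.

$StolenThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_CERT_1',   # placeholder, not a real value
    'PLACEHOLDER_THUMBPRINT_CERT_2'    # placeholder, not a real value
)

function Find-SuspiciousNvidiaSigned {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,
        [string[]] $KnownStolen = $StolenThumbprints
    )
    Get-ChildItem -Path $Paths -Recurse -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }                   # unsigned: out of scope here
            if ($cert.Subject -notmatch 'NVIDIA') { return }  # only NVIDIA-signed files

            # Expiry alone is noisy: legitimate, timestamped NVIDIA drivers signed before
            # the certificate expired will also show NotAfter in the past. A thumbprint
            # match against the stolen list is the decisive signal; expiry is context.
            $expired = $cert.NotAfter -lt (Get-Date)
            $stolen  = $KnownStolen -contains $cert.Thumbprint
            if ($expired -or $stolen) {
                [pscustomobject]@{
                    File        = $_.FullName
                    SigStatus   = $sig.Status      # Valid, HashMismatch, NotTrusted, ...
                    Subject     = $cert.Subject
                    Thumbprint  = $cert.Thumbprint
                    NotAfter    = $cert.NotAfter
                    Expired     = $expired
                    KnownStolen = $stolen
                }
            }
        }
}

# Example run (paths are assumptions): review the results before turning the
# thumbprints into WDAC deny rules or an EDR hunt.
Find-SuspiciousNvidiaSigned -Paths 'C:\Windows\System32\drivers', 'C:\ProgramData' |
    Format-Table -AutoSize
```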
Given the potential for misuse, the hope is that Microsoft will eventually add the stolen certificates to its certificate revocation list so that drivers signed with them can no longer load in Windows. However, doing so would also block legitimate NVIDIA drivers signed with the same certificates, so this is unlikely to happen very soon.