Threat groups using stolen Nvidia certificates to sign malware

Code-signing certificates mean that malware is recognised as coming from Nvidia

The hacking gang Lapsus$ compromised Nvidia last week and has been leaking the stolen data since negotiations broke down

Threat actors have begun to use stolen Nvidia code-signing certificates to sign malware, making it appear trustworthy to Windows in some circumstances.

Last week, researchers found at least two new binaries in the malware sample database VirusTotal that were not produced by Nvidia but had been signed with the company's stolen certificate.

The extortion gang Lapsus$ recently claimed to have broken into a system controlled by Nvidia and to have stolen 1TB of data.

Nvidia acknowledged that the attackers had stolen employee credentials and sensitive company information, but did not say how large the breach was or how many employees were affected.

After Nvidia declined to negotiate, Lapsus$ started leaking the information on the internet. Among the files compromised were two old code-signing certificates.

Although both certificates have expired, Windows still accepts them for driver signing.

Microsoft's Windows driver signing policy states that the OS will run drivers 'signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA'. The certificate used for the above signing expired in 2014.

A code-signing certificate allows developers to digitally sign drivers and executables, enabling Windows and end-users to verify the file's owner and whether it has been tampered with by a third party.

When an unsigned application is run on Windows, the user is shown a security warning rather than the program simply starting.

Notably, Windows, by default, refuses to install drivers that have not been digitally signed with a certificate issued by a recognised certificate authority.

Unlike normal user-mode applications, drivers run with kernel privileges, which makes digital signatures a critical security control in driver distribution. Kernel privileges give a driver access to the most privileged parts of the operating system, so a malicious driver can disable security products.
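The practical consequence of the policy quoted above is that an expired signing certificate is not by itself a red flag: Windows accepts old driver signatures because they carry a trusted timestamp counter-signature obtained while the certificate was still valid. A file signed after the leak with the expired key cannot obtain such a timestamp, so "expired signer and no timestamp" is the combination worth hunting for. The following PowerShell script is an added example, not code from the article or from Nvidia; it audits a driver folder with the built-in `Get-AuthenticodeSignature` cmdlet and reports files that match that pattern. The folder path and the `NVIDIA` subject pattern are assumptions for illustration.

```powershell
# Added example (not from the article): audit driver files for signatures whose
# signing certificate is outside its validity window and that carry no
# timestamp counter-signature, or whose Authenticode status is not Valid.
# Assumptions: the scan folder and the vendor subject pattern below.

$DriverPath    = "$env:SystemRoot\System32\drivers"   # assumed scan location
$VendorPattern = 'NVIDIA'                             # assumed subject substring of interest
$Now           = Get-Date

$findings = Get-ChildItem -Path $DriverPath -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate

        if ($null -eq $cert) {
            # Unsigned driver: should not load under the default policy, but report it anyway.
            [pscustomobject]@{
                File        = $file.FullName
                Status      = $sig.Status
                Signer      = '<unsigned>'
                NotAfter    = $null
                Timestamped = $false
                Reason      = 'no signature'
            }
            return   # acts as "continue" inside ForEach-Object
        }

        $hasTimestamp = $null -ne $sig.TimeStamperCertificate
        $expired      = $cert.NotAfter -lt $Now
        $reasons      = @()

        if ($sig.Status -ne 'Valid')          { $reasons += "status=$($sig.Status)" }
        if ($expired -and -not $hasTimestamp) { $reasons += 'expired signer without timestamp' }
        if ($expired -and $cert.Subject -match $VendorPattern) {
            # Expired vendor certificate: legitimate only if timestamped, so surface it for review.
            $reasons += 'expired vendor certificate'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                File        = $file.FullName
                Status      = $sig.Status
                Signer      = $cert.Subject
                NotAfter    = $cert.NotAfter
                Timestamped = $hasTimestamp
                Reason      = ($reasons -join '; ')
            }
        }
    }

$findings | Sort-Object NotAfter | Format-Table -AutoSize
```

Two caveats when reading the output: `Get-AuthenticodeSignature` reports only the primary signature, so a driver carrying both a legacy SHA-1 and a newer SHA-256 signature is judged on the first one; and a timestamped signature from an expired vendor certificate is exactly what a legitimate older driver looks like, so the third reason is a triage hint, not a verdict.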

Cyber security expert Bill Demirkapi posted a warning about the issue on Twitter.

Kevin Beaumont, another well-known cyber security expert, said he discovered that some people were signing their own driver code using Nvidia's private 2014 certificate and sending it to VirusTotal to see whether antivirus scanners recognised it.

Researcher Florian Roth also discovered two hacking tool samples signed using one of the certificates.

Mehmet Ergen has identified even more malicious files, including the Discord Remote Access Trojan (RAT), signed with the stolen certificates.

David Weston, director of enterprise and operating system security at Microsoft, said that administrators can configure Windows Defender Application Control (WDAC) policy rules to control which Nvidia drivers are allowed, preventing known vulnerable drivers from being loaded in Windows.
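The following PowerShell sequence is an added example of the kind of WDAC policy the article refers to; it is not from the article, from Microsoft or from Nvidia. It builds an allow-list from the drivers present on a reference machine, adds an explicit deny rule for one specific driver file (the path is a placeholder), and compiles the result. The `ConfigCI` cmdlets used (`New-CIPolicy`, `New-CIPolicyRule`, `Merge-CIPolicy`, `Set-RuleOption`, `ConvertFrom-CIPolicy`) ship with Windows; the file locations under `$env:TEMP` are assumptions.

```powershell
# Added example (not from the article or from Microsoft): WDAC policy that
# allows drivers by publisher but explicitly denies one known-vulnerable driver.
# Assumptions: the working paths below and the placeholder driver path.

$BasePolicy       = "$env:TEMP\base_policy.xml"
$MergedPolicy     = "$env:TEMP\merged_policy.xml"
$BinaryPolicy     = "$env:TEMP\SIPolicy.p7b"
$VulnerableDriver = 'C:\path\to\known_vulnerable_driver.sys'   # placeholder, not a real file

# 1. Allow rules at Publisher level for every driver on the reference system,
#    falling back to a file hash for anything that is unsigned.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath "$env:SystemRoot\System32\drivers" `
             -FilePath $BasePolicy -UserPEs

# 2. Deny rule scoped to that one file name and its publisher (FilePublisher level),
#    so other drivers from the same publisher remain allowed.
$denyRules = New-CIPolicyRule -DriverFilePath $VulnerableDriver -Level FilePublisher -Deny

# 3. Merge the deny rule into the base policy. In WDAC, deny rules take precedence
#    over allow rules, so the specific driver is blocked even though its publisher is allowed.
Merge-CIPolicy -PolicyPaths $BasePolicy -Rules $denyRules -OutputFilePath $MergedPolicy

# 4. Start in audit mode (rule option 3, "Enabled:Audit Mode"): blocked loads are
#    logged under Microsoft-Windows-CodeIntegrity/Operational rather than enforced.
Set-RuleOption -FilePath $MergedPolicy -Option 3

# 5. Compile the XML into the binary form Windows consumes.
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryPolicy
```

Deploying the compiled policy means copying the `.p7b` into `C:\Windows\System32\CodeIntegrity\` on the target machines; once audit logs show no unexpected blocks, remove option 3 with `Set-RuleOption -FilePath $MergedPolicy -Option 3 -Delete`, recompile and redeploy to switch to enforcement.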