Researchers Discover Leaked Nvidia Code-Signing Certificates Used to Spread Malware
Last week, security researchers revealed that threat actors were using leaked Nvidia code-signing certificates to sign malware. As reported by Bleeping Computer, two expired certificates are currently being used by threat actors to gain remote access and install malicious drivers on targeted Windows machines.
For those unfamiliar, Windows requires that all kernel-mode drivers be code signed, and the OS warns the user when they attempt to install an application that is not signed by a trusted CA. However, some Windows devices may not be able to detect malware if the threat actor signs it with a genuine Nvidia certificate.
Computer security expert Bill Demirkapi revealed on Twitter that the hackers are using the two compromised Nvidia code-signing certificates to sign their drivers and executable files.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
The security researchers also spotted some malware samples signed with the expired Nvidia certificates on VirusTotal, a popular malware scanning service. The list of the hacking tools and malware includes Cobalt Strike Beacon, remote access trojans, backdoors, as well as Mimikatz.
What is a code-signing certificate?
A code-signing certificate is used by developers to sign a program, software update, or executable file before releasing it to the general public. In addition to the information contained in the certificate (such as the publisher's name and location), the signature includes a timestamp that clearly indicates when the software was signed. It helps users verify that no unauthorized third party has tampered with the software and that it is safe to download to their PC.
The Redmond giant is recommending that IT admins review and configure Windows Defender Application Control (WDAC) policies to detect and block the installation of packages signed with the expired code-signing certificates.
“WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation I have seen, so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need,” explained David Weston, director of enterprise and OS security at Microsoft.
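As an added example (not code from the article, from Microsoft or from Nvidia), the following PowerShell script sketches the approach Weston describes: it scans a driver directory for binaries whose Authenticode signer certificate is expired and issued to NVIDIA, then adds a kernel- and user-mode deny rule for each such certificate to an existing Wizard-created WDAC policy XML. The scan root, the policy path and the "NVIDIA" subject match are assumptions; it needs the ConfigCI module and an elevated prompt.

```powershell
# Added example: find binaries signed with expired NVIDIA certificates and
# append WDAC deny signer rules for them to an existing policy.
param(
    [string]$ScanRoot  = "$env:SystemRoot\System32\drivers",  # assumed scan location
    [string]$PolicyXml = "C:\WDAC\BasePolicy.xml"             # assumed Wizard-created policy
)

$now = Get-Date

# Collect files whose signer certificate has passed its NotAfter date and whose
# subject names NVIDIA. Note that $sig.Status can still read "Valid" because a
# timestamped signature remains acceptable for driver signing after expiry.
$suspect = Get-ChildItem -Path $ScanRoot -Recurse -Include *.sys,*.dll,*.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -ne $cert -and $cert.Subject -match 'NVIDIA' -and $cert.NotAfter -lt $now) {
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Cert       = $cert
            }
        }
    }

$suspect | Format-Table File, Status, Thumbprint, NotAfter -AutoSize

if (-not $suspect) { Write-Host "No files signed with expired NVIDIA certificates found."; return }
if (-not (Test-Path $PolicyXml)) { throw "Policy XML not found: $PolicyXml (create it with the WDAC Wizard first)" }

# One deny rule per distinct signer certificate, for both kernel and user mode.
foreach ($entry in ($suspect | Sort-Object Thumbprint -Unique)) {
    $cerPath = Join-Path (Split-Path $PolicyXml) "$($entry.Thumbprint).cer"
    Export-Certificate -Cert $entry.Cert -FilePath $cerPath | Out-Null
    Add-SignerRule -FilePath $PolicyXml -CertificatePath $cerPath -Deny -Kernel -User
    Write-Host "Added deny rule for $($entry.Subject) ($($entry.Thumbprint))"
}

# Compile the updated XML to the binary form WDAC consumes; deploy it through
# your usual channel (Intune, GPO, or copying to CodeIntegrity) after testing in audit mode.
$binPath = [IO.Path]::ChangeExtension($PolicyXml, '.bin')
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $binPath
```

Run the scan part alone first to confirm the matches are the expected certificates before the deny rules are added to the policy.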
Microsoft also advises end-users to download drivers or updates from the official Nvidia website. Meanwhile, we hope that the company will soon revoke the stolen code-signing certificates to prevent the distribution of malicious drivers.