Researchers Discover Leaked Nvidia Code-Signing Certificates Used to Spread Malware
Last week, security researchers revealed that a hacking group has been using leaked Nvidia code-signing certificates to sign malware. As reported by Bleeping Computer, two expired certificates are currently being used by threat actors to gain remote access to targeted Windows machines and install malicious drivers on them.
For those unfamiliar, Windows requires that all kernel-mode drivers be code signed, and the OS warns the user when they attempt to install an application that is not signed by a trusted CA. However, some Windows devices may not detect malware if the threat actor signs it with a genuine Nvidia certificate.
Computer security expert Bill Demirkapi revealed on Twitter that the hackers are using the two compromised Nvidia code-signing certificates to sign their drivers and executable files.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
The security researchers also spotted malware samples signed with the expired Nvidia certificates on VirusTotal, a popular malware scanning service. The hacking tools and malware observed include Cobalt Strike Beacon, remote access trojans, backdoors, and Mimikatz.
What is a code-signing certificate?
A code-signing certificate is what developers use to sign a program, software update, or executable file before releasing it to the public. In addition to the information contained in the certificate (such as the publisher's name and location), the signature includes a timestamp that indicates when the software was signed. It helps users verify that no unauthorized third party has tampered with the software and that it is safe to download to their PC.
The Redmond giant is recommending that IT admins review and configure Windows Defender Application Control (WDAC) policies to detect and block the installation of packages signed with the expired code-signing certificates.
“WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation I have seen so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need,” explained David Weston, director of enterprise and OS security at Microsoft.
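One way to add such a deny rule, as an added example that is not from the article or from Microsoft: the script below inspects the Authenticode signer of a sample file signed with one of the leaked certificates, builds a WDAC deny rule keyed to that leaf certificate, merges it into a base policy created with the WDAC Wizard, and compiles the result in audit mode. The file paths are placeholders, and the sample file is assumed to exist.

```powershell
# Added example (not from the article): build a WDAC deny rule that blocks anything
# signed with a specific leaked leaf certificate, merge it into an existing base
# policy and compile it. All paths below are placeholders (assumptions).
$SamplePath   = 'C:\samples\leaked-signed.sys'   # a file signed with the leaked cert
$BasePolicy   = 'C:\WDAC\BasePolicy.xml'         # policy created with the WDAC Wizard
$DenyPolicy   = 'C:\WDAC\DenyLeakedCert.xml'
$MergedPolicy = 'C:\WDAC\MergedPolicy.xml'
$CompiledBin  = 'C:\WDAC\MergedPolicy.bin'

# 1. Inspect the Authenticode signer before using the sample as a rule template.
$sig = Get-AuthenticodeSignature -FilePath $SamplePath
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $SamplePath" }
$cert = $sig.SignerCertificate
Write-Host "Signer : $($cert.Subject)"
Write-Host "Expires: $($cert.NotAfter)  Thumbprint: $($cert.Thumbprint)"
if ($cert.NotAfter -lt (Get-Date)) {
    # Expiry alone does not stop a driver from loading, which is the point of the article.
    Write-Warning 'Signing certificate is expired; a deny rule is still required.'
}

# 2. Deny rule keyed to the leaf certificate itself rather than the whole Nvidia
#    publisher, so only files signed with this particular certificate are blocked.
$rules = New-CIPolicyRule -Level LeafCertificate -DriverFilePath $SamplePath -Deny
New-CIPolicy -Rules $rules -FilePath $DenyPolicy -UserPEs

# 3. Merge into the base policy, keep audit mode on (rule option 3), then compile.
Merge-CIPolicy -OutputFilePath $MergedPolicy -PolicyPaths $BasePolicy, $DenyPolicy
Set-RuleOption -FilePath $MergedPolicy -Option 3      # Enabled:Audit Mode
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $CompiledBin
Write-Host "Compiled policy written to $CompiledBin"
```

Review the Code Integrity audit events the merged policy produces before removing option 3 and enforcing it, since a rule at a broader level (for example Publisher) would also block legitimate Nvidia drivers.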
Microsoft also advises end users to download drivers and updates from the official Nvidia website. Meanwhile, we hope that the company will soon revoke the stolen code-signing certificates to prevent the distribution of malicious drivers.