Researchers Discover Leaked Nvidia Code-Signing Certificates Used to Spread Malware
Last week, security researchers revealed that threat actors are using code-signing certificates leaked in the Nvidia breach to sign malware. As reported by Bleeping Computer, two expired Nvidia certificates are being used to sign malicious drivers and tools that give attackers remote access to targeted Windows machines.
For those unfamiliar, Windows requires that kernel-mode drivers be code signed, and it warns the user before running an application whose signature does not chain to a trusted certificate authority. A driver or executable signed with a genuine Nvidia certificate therefore passes those checks on many Windows devices. The certificates have expired, but expiry alone does not stop them from being used for driver signing: Microsoft's driver signing policy continues to accept kernel drivers signed with cross-signed certificates that were issued before its July 2015 cutoff.
Computer security expert Bill Demirkapi revealed on Twitter that the hackers are using the two compromised Nvidia code-signing certificates to sign their drivers and executable files.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
The security researchers also spotted some malware samples signed with the expired Nvidia certificates on VirusTotal, a popular malware scanning service. The list of the hacking tools and malware includes Cobalt Strike Beacon, remote access trojans, backdoors, as well as Mimikatz.
What is a code-signing certificate?
A code-signing certificate is an X.509 certificate that a developer uses to digitally sign a program, software update, driver, or other executable before releasing it. The signature binds the file's hash to the publisher identified in the certificate (name, location, issuing CA) and can carry a countersigned timestamp recording when the signing took place, which is what allows a signature made while the certificate was valid to remain verifiable after the certificate expires. A valid signature tells users that the file has not been tampered with since it was signed and who signed it; it says nothing about whether that signer's private key is still under the publisher's control, which is exactly the gap a leaked certificate exploits.
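The practical check that follows from this is to look at who signed a file and when that signer's certificate expired, not only at whether Windows reports the signature as valid. The script below is an added example, not code from the article, Nvidia or Microsoft: it triages Authenticode signatures on a set of files and surfaces signers that have already expired without a countersigned timestamp, plus any signer on a watch-list. The scan path, the `NVIDIA` subject match and the empty `$KnownBadThumbprints` list are placeholders to be filled from the vendor advisory.

```powershell
# Added example (not from the article or from Nvidia/Microsoft): triage Authenticode
# signatures and surface files whose signing certificate has expired or whose signer
# matches a watch-list. $ScanPath, the 'NVIDIA' subject match and the empty thumbprint
# list are placeholders; populate $KnownBadThumbprints from the vendor advisory.
param(
    [string]$ScanPath = 'C:\Windows\System32\drivers\*.sys',   # assumed scan target
    [string[]]$KnownBadThumbprints = @()                          # SHA-1 thumbprints of leaked certs (fill in)
)

function Get-SignerTriage {
    param([Parameter(Mandatory)][string]$File)

    $sig  = Get-AuthenticodeSignature -FilePath $File
    $cert = $sig.SignerCertificate        # leaf certificate that produced the signature, or $null
    $now  = Get-Date

    $expired     = ($null -ne $cert) -and ($cert.NotAfter -lt $now)
    $timestamped = $null -ne $sig.TimeStamperCertificate
    $thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
    $watchlisted = ($null -ne $cert) -and (
        ($cert.Subject -match 'NVIDIA') -or ($KnownBadThumbprints -contains $thumbprint))

    [pscustomobject]@{
        File        = $File
        Status      = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted or UnknownError
        Signer      = if ($cert) { $cert.Subject }  else { $null }
        Thumbprint  = $thumbprint
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped = $timestamped
        # An expired signer with no countersigned timestamp is the case this story turns
        # on: nothing proves the signature was made while the key was legitimately in use,
        # so treat it as signed after expiry until shown otherwise. A known-leaked
        # thumbprint is suspicious regardless of dates.
        Suspicious  = ($expired -and -not $timestamped) -or
                      ($KnownBadThumbprints -contains $thumbprint)
        Watchlisted = $watchlisted
    }
}

Get-ChildItem -Path $ScanPath -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerTriage -File $_.FullName } |
    Where-Object { $_.Suspicious -or $_.Watchlisted } |
    Sort-Object NotAfter |
    Format-Table File, Status, Signer, NotAfter, Timestamped, Suspicious -AutoSize
```

`Status` is reported but deliberately not used as the filter: the point of this incident is that a file can carry a real Nvidia signature and still be malicious, so the hunt keys on the certificate's identity and validity window rather than on whether the signature verifies.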
Microsoft recommends that IT admins review and configure Windows Defender Application Control (WDAC) policies to detect and block the installation of packages signed with the expired code-signing certificates.
“WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation I have seen, so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need,” explained David Weston, director of enterprise and OS security at Microsoft.
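The same deny rule Weston describes can be built without the Wizard using the ConfigCI cmdlets that ship with Windows. The script below is an added example, not Microsoft's or the article's own: it scans a known-good image into a baseline allow policy, merges in a deny rule derived from the publisher of a sample file that carries the leaked signature, stages the result in audit mode, and compiles it for deployment. All paths are assumptions, and `$Sample` must point at a file you have collected that was signed with the leaked certificate.

```powershell
# Added example, not Microsoft's or the article's own code. Builds a WDAC policy from a
# known-good image, merges in a deny rule keyed on the publisher of a sample file
# signed with the leaked certificate, and stages it in audit mode before enforcing.
# All paths are assumptions. Because the rule is derived from the sample's signer,
# a genuine Nvidia driver signed with the same certificate is denied too.
$Work      = 'C:\WDAC'                                 # assumed working directory
$Sample    = 'C:\WDAC\samples\leaked-signed.sys'       # assumed: a file carrying the leaked signature
$BasePol   = Join-Path $Work 'Base.xml'
$MergedPol = Join-Path $Work 'Base-plus-deny.xml'
$Binary    = Join-Path $Work 'SIPolicy.p7b'

New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Baseline allow policy from the local image. Publisher level keys rules on the signer
#    chain, Hash is the fallback for unsigned files, and -UserPEs covers user mode too.
New-CIPolicy -FilePath $BasePol -Level Publisher -Fallback Hash -ScanPath 'C:\Windows' -UserPEs

# 2. Deny rule derived from the sample's signer. Deny rules take precedence over allow
#    rules, so this overrides whatever the scan allowed for the same publisher.
$DenyRules = New-CIPolicyRule -DriverFilePath $Sample -Level Publisher -Deny

# 3. Merge the deny rule into the baseline policy.
Merge-CIPolicy -OutputFilePath $MergedPol -PolicyPaths $BasePol -Rules $DenyRules

# 4. Start in audit mode (rule option 3): files that would be blocked are only logged,
#    as event 3076 in Microsoft-Windows-CodeIntegrity/Operational. Enforced blocks
#    log as 3077 once the option is removed.
Set-RuleOption -FilePath $MergedPol -Option 3

# 5. Compile the XML to the binary form the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $MergedPol -BinaryFilePath $Binary

# 6. Deploy (single-policy format) by copying into place and rebooting. Review the audit
#    events first, then delete option 3, rebuild, and redeploy to enforce.
# Copy-Item $Binary 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
```

Since deny rules always win in WDAC, you cannot carve individual Nvidia drivers back out with allow rules on top of this Publisher-level deny. If some drivers signed with the affected certificate must keep loading, narrow the deny instead: build it at `FilePublisher` level (`New-CIPolicyRule -Level FilePublisher -Deny`), which scopes the denial to file name and version range rather than to everything the certificate ever signed.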
Microsoft also advises end users to download drivers and updates only from the official Nvidia website. Meanwhile, we hope that Nvidia will soon revoke the stolen code-signing certificates to curb the distribution of malicious drivers.