Leaked stolen Nvidia certificate can sign malicious Windows code • The Register

An Nvidia code-signing certificate was among the mountain of files stolen and leaked online by criminals who ransacked the GPU giant’s internal systems.

At least two binaries that Nvidia did not develop, but that were signed this week with the stolen certificate so that they appear to be Nvidia programs, have turned up in the VirusTotal malware sample database.

The leak means system administrators should take steps, or review their existing security policies and defenses, to ensure that code recently signed with the now-unauthorized certificate is detected and blocked, because it is almost certainly malicious. That can be done through Windows configuration (application control or driver-blocking policies), network filtering rules, or whatever tooling your organization uses to control what runs on its endpoints.

IT Security Officer Bill Demirkapi – whom we’ve featured on these pages before – tweeted a warning about the certificate that could potentially be used to sign Windows kernel-level driver files:

In later tweets, he added that Windows will accept drivers signed with certificates issued before July 29, 2015, even when the signature carries no timestamp. Microsoft’s Windows driver signing policy corroborates this, stating that the operating system will run drivers “signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA”.

The leaked Nvidia certificate is such a creature, having expired in 2014. Code signed with it will, under the right conditions, be accepted by Windows even though the certificate has expired. A second Nvidia certificate was also leaked, though that one expired after the deadline.
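The advice above to detect and block code carrying the leaked certificate, combined with the July 29, 2015 issuance cut-off and the no-timestamp detail, translates into a concrete triage check. The following PowerShell is an added example, not code from The Register, Nvidia, or Microsoft: it walks the driver directory, pulls each file's Authenticode signer, flags signatures made with certificates whose serial numbers you supply, and separately flags signatures that fall into the legacy window (leaf certificate issued before the cut-off, already expired, and not timestamped). The serial numbers in `$LeakedSerials` are placeholders you must fill in from a source you trust; the function name `Test-LeakedNvidiaSignature` and the scan path are this example's own choices.

```powershell
# Added example (not the article's or Nvidia's code). Requires Windows PowerShell
# or PowerShell 7 on Windows, since Get-AuthenticodeSignature is Windows-only.

# ASSUMPTION: placeholder values. Replace with the serial numbers (uppercase hex,
# no separators) of the leaked certificates, taken from a trusted advisory.
$LeakedSerials = @(
    'REPLACE-WITH-LEAKED-CERT-SERIAL-1',
    'REPLACE-WITH-LEAKED-CERT-SERIAL-2'
)

# Cut-off from Microsoft's driver signing policy: end-entity certs issued before
# this date that chain to a supported cross-signed CA are still honoured.
$DriverSigningCutoff = Get-Date '2015-07-29'

function Test-LeakedNvidiaSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Unsigned files are out of scope for this check; the caller filters them.
    if (-not $sig.SignerCertificate) { return $null }

    $signer      = $sig.SignerCertificate
    $isLeaked    = $LeakedSerials -contains $signer.SerialNumber   # case-insensitive
    $preCutoff   = $signer.NotBefore -lt $DriverSigningCutoff
    $timestamped = $null -ne $sig.TimeStamperCertificate
    $expired     = $signer.NotAfter -lt (Get-Date)

    [pscustomobject]@{
        Path        = $Path
        Subject     = $signer.Subject
        Serial      = $signer.SerialNumber
        Thumbprint  = $signer.Thumbprint
        NotBefore   = $signer.NotBefore
        NotAfter    = $signer.NotAfter
        Status      = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        Timestamped = $timestamped
        LeakedCert  = $isLeaked
        # Expired, untimestamped, pre-cut-off leaf cert: exactly the window the
        # legacy exception still lets through for kernel-mode drivers.
        LegacyPath  = ($preCutoff -and $expired -and -not $timestamped)
    }
}

# Scan every .sys under the driver store; add further paths as needed.
$targets = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -Recurse `
    -ErrorAction SilentlyContinue

$results = $targets |
    ForEach-Object { Test-LeakedNvidiaSignature -Path $_.FullName } |
    Where-Object { $_ }

# A leaked-cert hit is a blocker. A legacy-path hit claiming to be Nvidia is
# suspicious and should be compared against a known-good copy from Nvidia.
$results |
    Where-Object { $_.LeakedCert -or ($_.LegacyPath -and $_.Subject -like '*NVIDIA*') } |
    Format-Table Path, Subject, Serial, NotAfter, Timestamped, LeakedCert, LegacyPath -AutoSize
```

Two caveats when turning a hit into a block rule. First, a signature check on disk says nothing about what is already loaded; pair it with a listing of running drivers. Second, when writing a WDAC or AppLocker deny rule, key it on the specific leaf certificate (its serial or thumbprint) or on file hashes, not on the publisher name "NVIDIA Corporation", or you will block Nvidia's legitimately signed drivers along with the forged ones.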

We asked Microsoft what steps it would be willing to take to ensure Windows blocks all code signed with the 2014 certificate now that it has leaked. A spokesperson told us, “We are reviewing these new complaints and will do what is necessary to protect our customers.”

Infosec director Kevin Beaumont has noticed that some people are signing their own driver code with the private key of Nvidia’s leaked 2014 certificate and uploading the result to VirusTotal to see whether antivirus scanners accept it. He posted on Twitter:

Allowing these drivers was a backward compatibility measure (according to a 2015 MSDN article, introduced with Windows 10 build 1607) intended to stop a new Windows 10 driver-signing requirement from breaking drivers that had already been signed under the older scheme.

We note that a good number of antivirus scanners, run by VirusTotal against the uploaded samples, now appear to catch code signed with the rogue Nvidia certificate, so your antivirus engine may already block it automatically.

The crooks who compromised Nvidia’s internal systems to steal and leak the certificate — among many other files, including credentials, secret source code, and documentation — are called Lapsus$ and are apparently trying to blackmail Nvidia to remove the cryptomining limit from its GPU firmware. Last year, for its RTX 30-series graphics cards, Nvidia introduced a technology in its drivers called Lite Hash Rate, or LHR for short.

LHR cripples cryptocurrency mining. By nerfing the cards’ cryptomining performance, Nvidia hoped to make its GPUs less appealing to miners, leaving more hardware available, in theory, to gamers and others who actually want graphics performance rather than pure hash rates.

Lapsus$, according to the gang’s Telegram page, is threatening to release more internal documents and chip design details unless the company promises to scrap LHR. It seems highly unlikely that Nvidia would give in to such blackmail. The gang also wants Nvidia to open-source its drivers for Mac, Linux, and Windows PCs.

According to Have I Been Pwned, the leaked data contains “more than 70,000 employee email addresses and NTLM password hashes, many of which were later cracked and distributed among the hacker community.”

In a statement, Nvidia previously said, “We are aware that the threat actor has taken employee passwords and certain proprietary Nvidia information from our systems and has begun leaking them online. Our team is working to analyze this information.” The company maintains an incident response page here. ®
