Researchers Discover Leaked Nvidia Code-Signing Certificates Used to Spread Malware
Last week, security researchers revealed that a hacking group is abusing leaked Nvidia code-signing certificates to sign malware. As reported by Bleeping Computer, two expired certificates are currently being used by threat actors to gain remote access and install malicious drivers on targeted Windows machines.
For those unfamiliar, Windows requires that all kernel-mode drivers be code signed, and the OS warns the user when they attempt to install an application that is not signed by a certificate chaining to a trusted CA. However, some Windows devices may not flag malware if the threat actor signs it with a genuine Nvidia certificate.
Computer security expert Bill Demirkapi revealed on Twitter that the hackers are using the two compromised Nvidia code-signing certificates to sign their drivers and executable files.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
The security researchers also spotted some malware samples signed with the expired Nvidia certificates on VirusTotal, a popular malware scanning service. The list of the hacking tools and malware includes Cobalt Strike Beacon, remote access trojans, backdoors, as well as Mimikatz.
What is a code-signing certificate?
A code-signing certificate is what developers use to sign a program, software update, or executable file before releasing it to the general public. In addition to the information contained in the certificate (such as the publisher's name and location), the signature can carry a timestamp that indicates when the software was signed with the certificate. It lets users verify that no unauthorized third party has tampered with the software and that it is safe to install on their PC.
The Redmond giant is recommending that IT admins review and configure Windows Defender Application Control (WDAC) policies to detect and block the installation of packages signed with the expired code-signing certificates.
“WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation I have seen, so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need,” explained David Weston, director of enterprise and OS security at Microsoft.
Microsoft also advises end-users to download drivers or updates from the official Nvidia website. Meanwhile, we hope that the company will soon revoke the stolen code-signing certificates to prevent the distribution of malicious drivers.
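One way to act on that advice, as an added PowerShell example that is not from the article, Microsoft or Nvidia: audit the drivers already on a machine for signatures chaining to an expired or known-leaked publisher certificate, then turn the confirmed hits into a WDAC deny rule. The certificate thumbprints and the base policy path are placeholders, since the article does not list them.

```powershell
# Added example (not from the article). Thumbprints of the leaked Nvidia
# certificates are not given on the page; replace these placeholders with the
# values from a trusted advisory before relying on the 'leaked-cert' match.
$LeakedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

function Get-SuspiciousDriverSignatures {
    param([string]$DriverPath = "$env:SystemRoot\System32\drivers")
    Get-ChildItem -Path $DriverPath -Filter *.sys -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }           # unsigned: handled by existing policy
            $expired = $cert.NotAfter -lt (Get-Date)   # the article's point: still accepted
            $leaked  = $LeakedThumbprints -contains $cert.Thumbprint
            if ($expired -or $leaked) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Status     = $sig.Status
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Reason     = if ($leaked) { 'leaked-cert' } else { 'expired-cert' }
                }
            }
        }
}

# 'expired-cert' rows are a triage list only: legitimately timestamped drivers
# routinely outlive their signing certificate, so confirm before denying.
$hits = Get-SuspiciousDriverSignatures
$hits | Format-Table -AutoSize

# Build a Publisher-level WDAC deny rule from the leaked-cert hits and merge it
# into an existing base policy (assumed path, e.g. one produced by the WDAC Wizard).
# Publisher level denies everything signed under that certificate subject, so add
# allow rules for the specific Nvidia versions you need, as the article suggests.
$deny = @($hits | Where-Object Reason -eq 'leaked-cert')
if ($deny.Count -gt 0) {
    $rules = New-CIPolicyRule -DriverFilePath $deny.Path -Level Publisher -Deny
    Merge-CIPolicy -PolicyPaths 'C:\WDAC\BasePolicy.xml' -Rules $rules `
                   -OutputFilePath 'C:\WDAC\Policy_DenyLeaked.xml'
    ConvertFrom-CIPolicy -XmlFilePath 'C:\WDAC\Policy_DenyLeaked.xml' `
                         -BinaryFilePath 'C:\WDAC\Policy_DenyLeaked.cip'
}
```

Deploy the resulting .cip in audit mode first and review the CodeIntegrity event log before enforcing it.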