Nvidia’s stolen code signing certificates exploited in malware attacks

March 9, 2022

After threat actors reportedly attacked the tech firm Nvidia and stole 1TB of sensitive proprietary data, researchers discovered that some of the company's stolen code signing certificates are being used to sign malware so that it appears trustworthy, which allows infected drivers to be installed on Windows computers.

This recent attack was carried out by the notorious ransomware group Lapsus$. The group started leaking Nvidia's data after the tech firm refused to negotiate and pay its ransom demands.

The leak made by the Lapsus$ group includes two code signing certificates that Nvidia developers use to digitally sign drivers and executables. End users and Windows can verify a file's owner and its properties through these certificates, including whether it has been tampered with (for example, injected with a malicious payload) since it was signed.

Furthermore, Microsoft requires kernel-mode drivers to be code signed before Windows will load them into the operating system.


Threat actors immediately used the leaked Nvidia code signing certificates to sign malware, allowing it to be loaded onto computers.


A malware scanning service released samples of malware that threat actors had code signed with the Nvidia certificates, including Mimikatz, Cobalt Strike beacons, remote access trojans (RATs), and backdoors. For instance, one threat actor used a certificate to sign a Quasar RAT, while another group used it to sign a Windows driver.

Cybersecurity researchers also shared the serial numbers of the two stolen certificates: 14781bc862e8dc503a559346f5dcc518 and 43BB437D609866286DD839E1D00309F5.

It was also found that both stolen Nvidia certificates have already expired. Nonetheless, Windows still accepts them for code signing drivers loaded onto devices and computers. An attacker can therefore use the stolen certificates to pass malware off as authentic Nvidia software and have it loaded by the Windows operating system.

On the other hand, users can protect themselves from the threats posed by such drivers being loaded into Windows by configuring Windows Defender Application Control (WDAC) policies. As shared by an expert from Microsoft, system administrators can use this option to control which Nvidia drivers are allowed to load.
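Before writing a WDAC policy, an administrator will usually want to know whether anything signed with the leaked certificates is already present. The following PowerShell script is an added example, not from the article or from Microsoft; it walks a directory of drivers and executables and reports every file whose Authenticode signer certificate carries one of the two serial numbers quoted above (the scan path and serial list are the assumed inputs, and it should be saved as a .ps1 file).

```powershell
# Added example: flag files signed with a certificate whose serial number matches
# one of the two leaked Nvidia certificate serials reported in the article.
# Assumes Windows PowerShell 5.1 or later; no third-party modules are used.
param(
    [string]$Path = "$env:SystemRoot\System32\drivers",
    [string[]]$LeakedSerials = @(
        '14781BC862E8DC503A559346F5DCC518',
        '43BB437D609866286DD839E1D00309F5'
    )
)

# .NET exposes X509Certificate2.SerialNumber as an upper-case hex string,
# so normalise both sides before comparing.
$leaked = $LeakedSerials | ForEach-Object { $_.ToUpperInvariant() }

Get-ChildItem -Path $Path -Include *.sys, *.dll, *.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: not relevant to this check

        $serial = $cert.SerialNumber.ToUpperInvariant()
        if ($serial -in $leaked) {
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status          # may still read 'Valid', as the article notes
                Subject     = $cert.Subject
                Serial      = $serial
                ExpiredOn   = $cert.NotAfter       # both leaked certificates have already expired
                Timestamped = ($null -ne $sig.TimeStamperCertificate)
            }
        }
    } | Format-Table -AutoSize
```

A hit is a triage lead, not proof of malware: Nvidia signed its own legitimate drivers with these same certificates before the leak, so each match should be compared against the vendor's published hashes and signing timestamps before a WDAC deny rule is written for it.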
