Leaked stolen Nvidia cert can sign Windows malware

An Nvidia code-signing certificate was among the mountain of files stolen and leaked online by criminals who ransacked the GPU giant’s internal systems.

At least two binaries that Nvidia did not develop, but which were signed this week with its stolen cert so that they appear to be Nvidia programs, have shown up in the malware sample database VirusTotal.

This leak means sysadmins should take steps, or review their security policies and defenses, to ensure code recently signed by the rogue cert is detected and blocked as it is most likely going to be malicious. This can be done through Windows configuration, network filtering rules, or whatever you use to police your organization.

Computer security bod Bill Demirkapi – who we’ve featured before on these pages – tweeted a warning about the certificate potentially being able to be used to sign Windows kernel-level driver files:

As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd

— Bill Demirkapi (@BillDemirkapi) March 3, 2022

In later tweets he added that Windows will accept drivers signed with certificates issued prior to July 29, 2015 without a timestamp. Microsoft’s Windows driver signing policy corroborates this, stating the operating system will run drivers “signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA”.

The leaked Nvidia certificate is just such a creature, having expired in 2014. Code signed with this cert will, in the right conditions, be accepted by Windows even though the certificate has expired. Another Nvidia cert was also leaked, though that one expired after the cut-off date.
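The following PowerShell script is an added example, not from the article or from Nvidia or Microsoft, showing how an administrator could sweep a driver directory for binaries signed with a blocklisted certificate and for binaries that match the legacy condition described above (expired end-entity cert, no timestamp, issued before July 29, 2015). The scan root, the function name and the assumption that the hex value in Kevin Beaumont's VirusTotal query is the leaked certificate's serial number are all this example's choices, not facts stated on the page.

```powershell
# Added example (not the article's or any vendor's code). Flags files signed by a
# blocklisted certificate or matching the pre-2015 legacy driver-signing condition.
# Run elevated if you want the optional untrusted-store step at the end.

# ASSUMPTION: the hex string from Beaumont's VirusTotal query is the leaked
# certificate's serial number. Add further serials from your own threat intel.
$BlockedSerials = @('43BB437D609866286DD839E1D00309F5')
$LegacyCutoff   = Get-Date '2015-07-29'

function Test-SuspectSignature {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return $null }   # unsigned files are out of scope here

    $serial  = $cert.SerialNumber.ToUpperInvariant()
    $reasons = @()
    if ($BlockedSerials -contains $serial) { $reasons += 'blocklisted signer serial' }
    # Expired cert, no countersignature timestamp, issued before the cut-off:
    # exactly the case Windows still accepts for kernel drivers.
    if ($cert.NotAfter -lt (Get-Date) -and
        $null -eq $sig.TimeStamperCertificate -and
        $cert.NotBefore -lt $LegacyCutoff) {
        $reasons += 'expired pre-2015 cert without timestamp (legacy driver policy)'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Path    = $Path
        Signer  = $cert.Subject
        Serial  = $serial
        Status  = $sig.Status
        Reasons = $reasons -join '; '
    }
}

# Scan root and extensions are placeholders; adjust to your estate.
$hits = Get-ChildItem -Path 'C:\Windows\System32\drivers' -Recurse `
            -Include *.sys,*.dll,*.exe -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspectSignature -Path $_.FullName } |
        Where-Object { $_ }
$hits | Format-Table -AutoSize

# Optional: place the signer cert of each blocklisted hit in the machine's
# Untrusted Certificates store so Windows treats it as explicitly distrusted.
foreach ($h in ($hits | Where-Object { $_.Reasons -like '*blocklisted*' })) {
    $cert  = (Get-AuthenticodeSignature -FilePath $h.Path).SignerCertificate
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
}
```

Files already loaded as drivers are not unloaded by this; the scan is for triage, and blocking at load time is a job for WDAC or your endpoint tooling.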

We asked Microsoft what steps it would be willing to take to ensure Windows blocks all code signed by the 2014 cert since its leak. A spokesperson told us: “We are looking into these new claims and we will do what is necessary to keep our customers protected.”

Infosec bod Kevin Beaumont spotted some folks have been signing their own driver code with Nvidia’s private 2014 cert and uploading it to VirusTotal to check if antivirus scanners accepted it. He posted on Twitter:

VirusTotal search if you want ’em

ls:”2022-03-01T00:00:00+” signature:43BB437D609866286DD839E1D00309F5 p:1+ tag:signed

.sys (drivers) load fine in Windows 10/11 still, even when signed with expired cert.

Threat actors started on 1st March, a day after torrent posted. pic.twitter.com/S6pCfgV8hb

— Kevin Beaumont (@GossiTheDog) March 4, 2022

The move to allow such drivers was a backwards compatibility effort (per an MSDN post from 2015, introducing Windows 10 build 1607) to prevent a then-new Windows 10 feature from causing problems with previously unsigned drivers.

We note that a good number of antivirus scanners, tested by VirusTotal on uploaded samples, are now seemingly catching code signed by the rogue Nvidia certificate, so it may be that your AV engine will automatically block it.

The crooks who compromised Nvidia’s internal systems to steal and leak the certificate – among many other files, including credentials, secret source code, and documentation – call themselves Lapsus$, and are seemingly trying to blackmail Nvidia into removing cryptomining limits from its GPU firmware. Last year, for its RTX 30-series graphics cards, Nvidia introduced into its drivers a technology called Lite Hash Rate, or LHR for short.

LHR cripples cryptocurrency mining. By nerfing the cards’ cryptomining performance, Nvidia hoped to make its graphical processing units less attractive to miners, leaving more hardware available to gamers, in theory, and others who actually want graphics performance rather than pure hash rates.

Lapsus$, according to the group’s Telegram page, are threatening Nvidia with the public release of more internal materials and details of chip blueprints unless the company promises to remove LHR. It seems wholly implausible that Nvidia would give in to such blackmail. The gang also wants Nvidia to open-source its drivers for Macs, Linux, and Windows PCs.

According to Have I Been Pwned, within the leaked data are “over 70,000 employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.”

In a statement Nvidia previously said: “We are aware that the threat actor took employee passwords and some Nvidia proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information.” It is maintaining an incident response page here. ®

