Several potentially dangerous malware strains have managed to bypass antivirus software by hijacking stolen Nvidia signing certificates.
The Lapsus€ gang of cybercriminals recently announced that they stole a terabyte of data from the chip giant and, after failing to reach an agreement with the company on a ransom payment, decided to post the stolen information online.
As researchers began sifting through the trove of sensitive information, they discovered two code signing certificates that Nvidia developers use to sign their drivers and executables. These security measures help Windows endpoints verify who created a specific application or program, as well as verify that nothing has been tampered with.
Malware disguised as legitimate software
By cross-checking the stolen certificates with their database, researchers quickly discovered that they were being used to sign malware and other malicious tools.
As reported by malware scanning service VirusTotal, the certificates were used to sign Cobalt Strike beacons, Mimikatz, as well as various backdoors, remote access Trojans, and other malware.
According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates can be found with these serial numbers:
Both certificates would have already expired, but that will not prevent Windows from allowing a driver signed with them to be loaded into the operating system.
There are ways to configure Windows Defender application control policies to remove compromised Nvidia drivers, but as BleepingComputer says, "it's not an easy task, especially for non-IT Windows users," who have to wait. certificate. revocation list.
Lapsus€ is making a name for itself pretty quickly. After targeting Impresa, Portugal's largest media conglomerate, late last year, taking down several websites, TV channels, AWS infrastructure, and Twitter accounts, it also attacked the websites of the Brazilian Ministry of Health ( MoH), suspending vaccination efforts against Covid-19. throughout the campaign. He claimed to have stolen 50TB of data, before deleting it from the servers of the Ministry of Health.
In the Nvidia attack, the group claims to have taken the login credentials and other sensitive data of tens of thousands of Nvidia employees. He also says that the data helped him create a tool to remove the hash rate limiter for the RTX 3000 GPU, which can be used to mine Ether at only 50% capacity.
It also released 190GB of sensitive data stolen from Samsung which, if found to be genuine, could be one of the most damaging data breaches to occur this year.