The Lapsus$ data extortion group is stealing secrets from large companies one by one. At the end of February the gang stole corporate data from Nvidia and leaked it. The next victim was the South Korean tech giant Samsung, whose corporate data was leaked as well. Those leaks are now turning into a direct security risk for ordinary users.
Malware signed by Nvidia
Among the corporate secrets in the leak, such as firmware, the LHR (Lite Hash Rate) limiter software, and more, were two Nvidia code-signing certificates, of the kind used to sign drivers and executables. A signature made with such a certificate lets Windows verify that a binary was published by Nvidia and has not been modified since it was signed (for example, by injecting malicious code into a driver). Whoever holds the private key of a leaked certificate can produce signatures that are indistinguishable from Nvidia's own.
According to security researchers, the certificates are already being used to sign malware and hacking tools in the wild, including Cobalt Strike beacons, Mimikatz, remote access trojans, and backdoors. The stolen certificates carry the serial numbers listed below, which is the most reliable way to recognise signatures made with them:
- 43BB437D609866286DD839E1D00309F5
- 14781bc862e8dc503a559346f5dcc518
That escalated quickly #Lapsus #Nvidia #LeakedCertificate
Mimikatz https://t.co/TrY6vL2mEE
KDU https://t.co/RDf6bnuArk pic.twitter.com/Jl4tpS5KEr
— Florian Roth ⚡️ (@cyb3rops) March 3, 2022
Both stolen certificates have already expired. That does not help much: expiry is not revocation, and Windows does not reject a driver signature just because the signing certificate has since expired, so kernel drivers signed with the leaked certificates still load. From the perspective of the operating system and of Defender, an executable or driver carrying a valid Nvidia signature looks like legitimate Nvidia code until the certificate is revoked or explicitly blocked.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
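Since Windows will not flag these signatures on its own, a defender has to look for them explicitly. The following PowerShell is an added example, not code from the article or from any of the researchers quoted: it checks files on disk and, more importantly, the drivers currently loaded in the kernel, for Authenticode signatures whose signer certificate has one of the two serial numbers above. The serial numbers come from the article; the function names, the default scan roots and the path handling are assumptions for illustration.

```powershell
# Added example (not from the article): find binaries signed with the two
# leaked Nvidia certificates by matching the signer certificate's serial number.

$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',   # serial #1 reported in the article
    '14781BC862E8DC503A559346F5DCC518'    # serial #2 reported in the article
)

function Test-LeakedNvidiaSignature {
    # Returns a report object when $Path is signed with a leaked certificate,
    # otherwise $null. The signature Status is reported as-is and is NOT used
    # for the decision: an expired certificate alone does not make Windows
    # reject a driver, so matching on the serial number is what matters.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $null }   # unsigned or catalog-only

    $serial = $sig.SignerCertificate.SerialNumber.ToUpperInvariant()
    if ($LeakedSerials -notcontains $serial) { return $null }

    [pscustomobject]@{
        Path        = $Path
        Serial      = $serial
        Subject     = $sig.SignerCertificate.Subject
        NotAfter    = $sig.SignerCertificate.NotAfter
        Status      = $sig.Status
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

function Find-LeakedNvidiaSignedFiles {
    # Walk directory trees for PE files. Default roots are an assumption;
    # widen them (user profiles, temp, download folders) for a real hunt.
    param([string[]]$Roots = @("$env:SystemRoot\System32\drivers", "$env:ProgramData"))

    Get-ChildItem -Path $Roots -Recurse -File -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object { Test-LeakedNvidiaSignature -Path $_.FullName } |
        Where-Object { $_ }
}

function Find-LeakedNvidiaLoadedDrivers {
    # A loaded malicious driver is kernel code execution, so check the drivers
    # that are running right now, not only what happens to be on disk.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or use NT-style prefixes; normalise to a Win32 path.
            $p = $_.PathName.Trim('"')
            $p = $p -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot
            if (Test-Path -LiteralPath $p) { Test-LeakedNvidiaSignature -Path $p }
        } |
        Where-Object { $_ }
}

# Usage (run as administrator so driver paths are readable):
Find-LeakedNvidiaLoadedDrivers | Format-Table -AutoSize
Find-LeakedNvidiaSignedFiles   | Format-Table -AutoSize
```

Two caveats. Only the primary Authenticode signature is inspected, so a binary with the leaked certificate in a nested or secondary signature would need a deeper parser. And a match is evidence of a signature made with a leaked key, not proof of malice by itself: genuine Nvidia drivers released before the leak were signed with the same certificates, which is exactly why Microsoft cannot simply revoke them yet.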
According to David Weston, vice president of OS security and enterprise at Microsoft, a WDAC (Windows Defender Application Control) policy can mitigate the risk in the meantime. With a WDAC policy, an administrator controls which Nvidia-signed drivers and executables are allowed to run, for example by allowing only specific driver versions or by adding a deny rule. The process, however, is too involved for most home users.
WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation i have seen so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022
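The policy Weston describes can be built with the ConfigCI cmdlets instead of the Wizard. The script below is an added example, not code from the article, from Microsoft or from Nvidia: it starts from the stock Windows default policy, adds an allow rule for a known-good installed Nvidia driver at FilePublisher level (publisher plus original file name plus minimum version, so an arbitrary binary signed by the same publisher is not allowed), optionally adds a deny rule keyed on the leaf certificate of a quarantined sample signed with a leaked certificate (which hits exactly that certificate rather than everything Nvidia has ever signed), and deploys the result in audit mode. The driver path, the sample path, the working directory and the function names are assumptions; adjust them to your system.

```powershell
# Added example (not from the article): WDAC policy that pins Nvidia drivers to
# known-good versions and, optionally, denies the leaked leaf certificates.
# Run as administrator. Deployment takes effect after a reboot.

$Work      = "$env:TEMP\wdac-nvidia"                       # assumed working dir
$BaseXml   = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"
$PolicyXml = "$Work\NvidiaPolicy.xml"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function New-NvidiaWdacPolicy {
    param(
        # A legitimate, currently installed Nvidia driver (path is an assumption).
        [string]$KnownGoodDriver = "$env:SystemRoot\System32\drivers\nvlddmkm.sys",
        # Optional: a quarantined file known to be signed with a leaked certificate.
        [string]$LeakedSample = $null
    )

    $rules = @()

    # FilePublisher rule: signer + OriginalFileName + minimum file version.
    # -Fallback Hash covers the rare case where the file has no usable version info.
    $rules += New-CIPolicyRule -DriverFilePath $KnownGoodDriver -Level FilePublisher -Fallback Hash

    if ($LeakedSample -and (Test-Path -LiteralPath $LeakedSample)) {
        # LeafCertificate rule: keyed on the signing certificate itself. A deny
        # rule at this level blocks the leaked certificate and nothing else.
        $rules += New-CIPolicyRule -DriverFilePath $LeakedSample -Level LeafCertificate -Deny
    }

    # Merge into the Windows default policy so Windows/Microsoft code stays allowed.
    Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $BaseXml -Rules $rules | Out-Null

    # Option 3 = Enabled:Audit Mode. Violations are logged, nothing is blocked yet.
    # Deny rules take precedence over allow rules when both match a binary.
    Set-RuleOption -FilePath $PolicyXml -Option 3
    return $PolicyXml
}

function Publish-WdacPolicy {
    # Convert the XML to its binary form and stage it where Code Integrity reads it.
    param([Parameter(Mandatory)][string]$Xml)

    $policyId = ([xml](Get-Content -LiteralPath $Xml)).SiPolicy.PolicyID
    $ciDir    = "$env:SystemRoot\System32\CodeIntegrity"

    if ($policyId) {
        # Multiple-policy format: one .cip per policy, named after its PolicyID.
        $bin  = "$Work\$policyId.cip"
        $dest = "$ciDir\CiPolicies\Active\$policyId.cip"
    } else {
        # Legacy single-policy format.
        $bin  = "$Work\SiPolicy.p7b"
        $dest = "$ciDir\SiPolicy.p7b"
    }

    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $bin | Out-Null
    Copy-Item -LiteralPath $bin -Destination $dest -Force
    return $dest
}

# Usage:
$xml = New-NvidiaWdacPolicy   # add -LeakedSample 'C:\quarantine\sample.sys' if you have one
Publish-WdacPolicy -Xml $xml  # then reboot
```

Leave the policy in audit mode for a while and watch the Microsoft-Windows-CodeIntegrity/Operational log: event 3076 records what would have been blocked. Only when the audit events show nothing you rely on should you remove option 3 with `Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete`, rebuild and redeploy; a too-tight enforced policy will refuse to load the very GPU driver you were trying to protect.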
Microsoft is expected to block the stolen certificates soon. Revoking them outright, however, would also invalidate the signatures on Nvidia drivers and software that are already installed on users' systems, since those were made with the same certificates. Nvidia therefore needs to publish drivers and software re-signed with new certificates first, users need to install them, and only once adoption is high enough can Microsoft revoke the stolen certificates without breaking large numbers of machines.