Cybercriminals were found using stolen NVIDIA code signing certificates to sign malicious programs. They do so to appear legitimate to security systems, which eventually allows the loading of malicious drivers in Windows.
How did it start?
Recently, NVIDIA confirmed suffering a cyberattack wherein attackers stole the company’s credentials and proprietary data. The extortion group Lapsus$ claims to have stolen 1TB of data during the attack.
After a failed attempt to negotiate with NVIDIA, the gang leaked the data online.
The leak included two stolen code-signing certificates used to sign drivers and executables by NVIDIA developers.
Exploitation of signing malware
After the extortion group leaked NVIDIA's code-signing certificates, they were used by various threat actors to sign malware and other tools.
In some cases, the stolen certificates were used to sign Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans.
In one specific case, the attacker used the certificate to sign Quasar RAT.
Others were found using the stolen certificate to sign a Windows driver.
What are the consequences?
Both stolen NVIDIA certificates stand expired. However, Windows still allows a driver signed with the certificates to be loaded. This makes the malicious programs look like legitimate NVIDIA programs.
The recent use of a stolen NVIDIA certificate is a perfect example of how eager cybercriminals are in abusing any loose ends in security infrastructure. To avoid this threat, admins are suggested to configure Windows Defender Application Control policies to control NVIDIA drivers loaded into Windows OS.