NVIDIA's Stolen Code-Signing Certs Used to Sign Malware:
NVIDIA certificates are being used to sign malware, enabling malicious programs to pose as legitimate and slide past security safeguards on Windows machines.
Two of NVIDIA's code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered – certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.
The Feb. 23 attack saw 1TB of data leak from the graphics processing unit (GPU) maker: a haul that included hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.
Security researchers noted last week that malicious binaries were being signed with the stolen certificates to come off like legitimate NVIDIA programs, and that they had appeared in the malware sample database VirusTotal.
[...] Both of the stolen NVIDIA code-signing certificates are expired, but they're still recognized by Windows, which allows a driver signed with the certificates to be loaded in the operating system, according to reports.
According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates use these serial numbers:
- 43BB437D609866286DD839E1D00309F5
- 14781bc862e8dc503a559346f5dcc518
[...] David Weston, director of enterprise and OS security at Microsoft, tweeted on Thursday that admins can keep Windows from loading known, vulnerable drivers by configuring Windows Defender Application Control policies to control which of NVIDIA's drivers can be loaded.
That should, in fact, be admins' first choice, he wrote.
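As an added example (not from the article, NVIDIA or Microsoft), a PowerShell hunt for files on a Windows host whose Authenticode signer certificate carries one of the two leaked serial numbers listed above; the default scan paths are an assumption, and the script only reports matches, while blocking the driver from loading remains the job of the WDAC policy Weston describes.

```powershell
# Serial numbers of the two leaked NVIDIA code-signing certificates, as reported
# by Kevin Beaumont and Will Dormann (copied from the article above, upper-cased
# because .SerialNumber on X509Certificate2 is an upper-case hex string).
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781BC862E8DC503A559346F5DCC518'
)

function Find-LeakedCertSignatures {
    <#
    .SYNOPSIS
    Reports PE files whose signer certificate serial matches a leaked NVIDIA serial.
    .PARAMETER Path
    Directories to scan recursively. The defaults are an assumption about where
    drivers and NVIDIA software normally live on a host.
    #>
    param(
        [string[]]$Path = @("$env:SystemRoot\System32\drivers",
                            "$env:ProgramFiles\NVIDIA Corporation")
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: nothing to compare

        # Normalise case so the comparison does not depend on how the serial was printed.
        $serial = $cert.SerialNumber.ToUpperInvariant()
        if ($LeakedSerials -contains $serial) {
            [pscustomobject]@{
                File     = $_.FullName
                Serial   = $serial
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter   # both leaked certs are already past this date
                Status   = $sig.Status      # shown for context; the serial match is the indicator
            }
        }
    }
}

# Run from an elevated prompt so protected driver directories are readable.
Find-LeakedCertSignatures | Format-Table -AutoSize
```

A match is worth investigating even when Status is not Valid, since a timestamped (countersigned) signature stays acceptable after the certificate's expiry and that is exactly what lets the expired certificates still sign loadable drivers.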
(Score: 0) by Anonymous Coward on Thursday March 10 2022, @12:40PM (1 child)
The attack strategy of compromising the update system and pushing bad stuff works.
In these times one wonders how many other places are in the same boat and don't yet know it?
Interesting that my iPhone wants to update, hmmm.
(Score: 4, Informative) by Anonymous Coward on Thursday March 10 2022, @01:17PM
More like don't download your drivers from warez sites. If you think the packaging and distribution infrastructure has been infiltrated, you have WAY bigger problems than not updating, you need to drop that incompetent OS...
(Score: 2) by driverless on Thursday March 10 2022, @11:18PM
What's the difference between trojan_dropper.exe downloaded from virusbucket.ru and trojan_dropper.exe downloaded from virusbucket.ru with a certificate attached? One is obvious malware, the other is completely legit safe software that Windows will run without any further checks.