Leaked Nvidia certificates used to sign malware bypassing Windows detection

Security researchers have discovered malware being signed with Nvidia code signing certificates days after the LAPSUS$ group leaked a trove of the company’s stolen files.

Part of the stolen files included two code signing certificates and although they’re now expired, signing malware with them will still influence Windows into loading the malware onto systems.

Windows typically rejects drivers or executables signed using expired certificates. If the certificate was issued after 29 July 2015 then it would require a timestamp - a method of using trusted certificates after expiration - but certificates issued before that date, as in the case of these two Nvidia certificates, Windows will accept them without timestamps, expired or not, said Bill Demirkapi, offensive security at Zoom.

Such certificates are used so Windows users can verify the authenticity of any given driver or application. Signing malware with a legitimate, although expired certificate means Windows will be convinced the application is genuine and has not been modified by a third party.

Among the types of malware already discovered to be signed with Nvidia’s code signing certificates are Mimikatz, Cobalt Strike beacons, and remote access trojans, according to VirusTotal searches.

"The recent Nvidia security breach involving certificate abuse is eerily like the one Opera suffered in 2013 and one that Adobe reported in 2012," said Pratik Selva, senior security engineer at Venafi. "If organisations do not properly secure the process and the infrastructure for managing code signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high.

"Although the certificates have expired, Windows will still allow a driver signed by a company to be installed so that it still constitutes a risk," said Alexis Vanden Eijnde, senior security consultant at Prism Infosec. "Microsoft should soon add the certificates to their revocation list and this will prevent the malicious drivers signed by stolen certificates from being loaded into Windows."

Windows admins are advised to create custom policies in Windows Defender Application Control to filter out the approvals for specific signed certificates.

The Lapsus hacking group said last week Nvidia had until Friday 4 March 2022 to completely open source its GPU drivers across all operating systems or the complete collection of stolen files would be leaked online.

The group has provided few updates since the deadline has passed apart from announcing its second major leak in as many weeks. LAPSUS$ said on Friday that it obtained an array of source code belonging to Samsung which could lead to access to the “lowest level” of devices such as its Galaxy series of smartphones.