• Stolen Nvidia code signing certificates used to sign off malware

    From TechnologyDaily@1337:1/100 to All on Mon Mar 7 23:15:04 2022
    Stolen Nvidia code signing certificates used to sign off malware

    Date:
    Mon, 07 Mar 2022 22:53:58 +0000

    Description:
    The certificates have expired, but Windows will still load the corrupted drivers.

    FULL STORY ======================================================================

    A number of potentially dangerous malware strains have successfully snuck
    past antivirus software, thanks to hijacked signing certificates stolen from Nvidia.

    The Lapsus$ cybercrime gang recently announced it had stolen a terabyte of data from the chip giant, and after failing to come to an agreement with the company on a ransom payment, decided to push the stolen intel live.

    As researchers started to scour through the treasure trove of sensitive information, they discovered two code-signing certificates that Nvidia developers use to sign their drivers and executables. These security measures help Windows endpoints verify who built any specific app or program, as well as verifying nothing has been tampered with.

    Malware passing off as legit software

    Cross-referencing the stolen certificates with their database, the
    researchers were quick to find them being used to sign malware and other malicious tools.

    As reported on the VirusTotal malware scanning service, the certificates were used to sign Cobalt Strike beacons, Mimikatz, as well as various backdoors, remote access trojans, and other malware.

    According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates can be found under these serial numbers:

    43BB437D609866286DD839E1D00309F5

    14781bc862e8dc503a559346f5dcc518

    Both certificates have reportedly already expired, but that won't stop Windows from allowing a driver signed with them to be loaded in the OS.

    There are ways to configure Windows Defender Application Control policies to eliminate compromised Nvidia drivers, but as BleepingComputer says, it's not
    an easy task, especially for non-IT Windows users, who need to wait for the certificates to be added to Microsoft's certificate revocation list.
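
    A defender's check for the two serial numbers listed above, as an added example that is not part of the original article: it walks a directory tree and reports every file whose Authenticode signer certificate carries one of those serials, whether or not the certificate has expired. The function name and the default scan path are assumptions.

```powershell
# Added example (not from the article): report files signed with either of the
# two certificate serial numbers the article lists.
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781bc862e8dc503a559346f5dcc518'
)

function Find-LeakedCertSignedFile {
    [CmdletBinding()]
    param(
        # Default scan root is an assumption; pass other directories as needed.
        [string[]]$Path = @("$env:SystemRoot\System32\drivers"),
        [string[]]$Include = @('*.sys', '*.dll', '*.exe')
    )

    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned or unreadable: skip

            # SerialNumber is a hex string; -contains compares case-insensitively.
            if ($LeakedSerials -contains $cert.SerialNumber) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Serial   = $cert.SerialNumber
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter      # expiry date of the signer certificate
                    Status   = $sig.Status         # signature status as Windows reports it
                    SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Scan the default driver directory and list any matches.
Find-LeakedCertSignedFile | Format-List
```

    A match is a lead for triage rather than a verdict, because genuine Nvidia drivers and executables were signed with the same certificates.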

    Lapsus$ is making a name for itself, rather quickly. Having targeted Impresa, Portugal's biggest media conglomerate, late last year, taking down multiple websites, TV channels, AWS infrastructure, and Twitter accounts, it also struck the websites of Brazil's Ministry of Health (MoH), suspending Covid-19 vaccination efforts across the country. It claimed to have stolen 50TB worth of data, before deleting them from the MoH's servers.

    In the Nvidia attack, the group claims to have taken login information, and other sensitive data on tens of thousands of Nvidia employees. It also says the data helped it build a tool to eliminate the hash rate limiter for the
    RTX 3000 GPU, which can be used to mine Ether with just 50% of capacity.

    It also released 190GB of sensitive data stolen from Samsung which, if proven authentic, could be one of the more damaging data leaks to occur this year.

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/stolen-nvidia-code-signing-certificates-used-to-sign-off-malware/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)