An Nvidia code-signing certificate was among the mountain of files stolen and leaked online by criminals who ransacked the GPU giant’s internal systems.
At least two binaries not developed by Nvidia, but signed this week with its stolen certificate, making them appear as Nvidia programs, have appeared in the VirusTotal malware sample database.
This leak means that system administrators should take steps, or review their security policies and defenses, to ensure that code recently signed by the unauthorized certificate is detected and blocked because it will most likely be malicious. This can be done through Windows configuration, network filtering rules, or whatever you use to control your organization.
Zoom security officer Bill Demirkapi tweeted a warning about the certificate that could potentially be used to sign Windows kernel-level driver files:
As a member of #NvidiaLeaks, two code-signing certificates were compromised. Although they have expired, Windows still allows their use for driver signing purposes. See the talk I gave at BH/DC for more background on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
In later tweets, he added that Windows would accept drivers signed with certificates issued before July 29, 2015 without a timestamp. Microsoft Windows driver signing policy corroborates this, stating that the OS will run drivers “signed with an end-entity certificate issued prior to July 29, 2015 that connects to a supported cross-signed CA”.
The leaked Nvidia certificate is such a creature, having expired in 2014. The code signed with this certificate will be, in the right conditions, be accepted by Windows even if the certificate has expired. Another Nvidia certificate was leaked although it expired after the deadline.
We asked Microsoft what steps Microsoft would be willing to take to ensure that Windows blocks all code signed by the 2014 certificate since it was leaked. A spokesperson told us, “We are reviewing these new complaints and will do what is necessary to protect our customers.”
Infosec Director Kevin Beaumont has noticed that some people are signing their own driver code with Nvidia’s 2014 private certificate and uploading it to VirusTotal to check if virus scanners accept it. He posted on Twitter:
Search VirusTotal if you want them
ls:”2022-03-01T00:00:00+” signature:43BB437D609866286DD839E1D00309F5 p:1+ tag:signed
.sys (drivers) still loads correctly in Windows 10/11, even when signed with an expired certificate.
The threat actors started on March 1, a day after the torrent was released. pic.twitter.com/S6pCfgV8hb
— Kevin Beaumont (@GossiTheDog) March 4, 2022
The decision to allow these drivers was a backwards compatibility effort (according to an MSDN 2015 postintroducing Windows 10 build 1607) to prevent a new Windows 10 feature from causing problems with previously unsigned drivers.
We note that a good number of antivirus scanners, tested by VirusTotal on downloaded samples, now apparently capture code signed by the rogue Nvidia certificate, so your antivirus engine may automatically block it.
The crooks who compromised Nvidia’s internal systems to steal and leak the certificate — among many other files, including credentials, secret source code, and documentation — are called Lapsus$ and are apparently trying to blackmail Nvidia to remove the cryptomining limit from its GPU firmware. Last year, for its RTX 30-series graphics cards, Nvidia introduced a technology in its drivers called Lite Hash Rate, or LHR for short.
LHR cripples cryptocurrency mining. By nerfing the cards’ cryptomining performance, Nvidia hoped to make its GPUs less appealing to miners, leaving more hardware available to gamers, in theory, and those who actually want graphics performance over pure hash rates. .
Delay$, according to on the group’s Telegram page, threaten Nvidia to release more internal documents and chip design details unless the company promises to scrap LHR. It seems totally unlikely that Nvidia would give in to such blackmail. The gang also wants Nvidia to open up its drivers for Mac, Linux, and Windows PCs.
According to Have I been pwnedin the leaked data are “over 70,000 employee email addresses and NTLM password hashes, many of which were later hacked and circulated among the hacker community”.
In a statement, Nvidia previously said, “We are aware that the threat actor has taken employee passwords and certain proprietary Nvidia information from our systems and has begun leaking them online. Our team is working to analysis of this information. It maintains an incident response page here. ®