What you need to know
- A ransomware group known as Lapsus$ has leaked stolen data from NVIDIA as part of a hack.
- The leaked data includes code signing certificates, which are now being used by threat actors.
- By using the signing certificates, threat actors can make malicious files appear genuine, allowing them to bypass some security measures in Windows.
The ongoing drama surrounding the NVIDIA hack by Lapsus$ has another chapter, and it's putting computers at risk. The ransomware group known as Lapsus$ hacked NVIDIA in February 2022. The group threatened to leak the stolen information if NVIDIA did not meet demands to remove mining limitations from its RTX 30 series graphics cards. The group has since leaked information, which is being used by threat actors.
The leak by the Lapsus$ group includes two code-signing certificates that NVIDIA uses to sign drivers and executables. They're both expired but can still be used to make malicious software appear genuine. Windows looks at code-signing certificates to make sure a driver or executable is safe. If a malicious file was signed by an approved certificate, it could bypass security measures within Windows.
BleepingComputer reports that the certificates stolen through the leak have been used to sign malware and hacking tools, including backdoors, Cobalt Strike beacons, Mimikatz, and remote access trojans.
Countering this attack by Lapsus is complex. It's possible to configure Windows Defender Application Control policies to stop certain NVIDIA drivers from being loaded, but that requires sophisticated technical knowledge. Microsoft could also add the drivers in question to its certificate revocation list, but that would cause issues for some legitimate NVIDIA drivers (and their associated best graphics cards). Bleeping Computer notes that it's unlikely that Microsoft will take that step in the near future.
