Two of NVIDIA’s code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered – certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.
The Feb. 23 attack saw 1TB of data bleed from the graphics processing units (GPUs) maker: a haul that included data on hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.
Security researchers noted last week that malicious binaries were being signed with the stolen certificates so that they would pass as legitimate NVIDIA programs, and that such samples had appeared in the malware sample database VirusTotal.
The signed binaries were detected as Mimikatz – a credential-dumping tool, widely used for lateral movement, that lets attackers enumerate and view the credentials stored on a system – and as other malware and hacking tools, including Cobalt Strike beacons, backdoors and remote access trojans (RATs), among them a Quasar RAT and a Windows driver, both uploaded to VirusTotal.
Gist that contains @virustotal Enterprise search queries to find samples signed with the leaked NVIDIA certificates #NvidiaLeaks #LAPSUS
Expired But Still Recognized Certs
Both of the stolen NVIDIA code-signing certificates have expired, but Windows still recognizes them, which allows a driver signed with either certificate to be loaded by the operating system, according to reports.
According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates use these serial numbers:
How to Block the Signed Malware
David Weston, director of enterprise and OS security at Microsoft, tweeted on Thursday that admins can keep Windows from loading known, vulnerable drivers by configuring Windows Defender Application Control policies to control which of NVIDIA’s drivers can be loaded.
That should, in fact, be admins’ first choice, he wrote.
WDAC policies work on both 10-11 with no hardware requirements, down to the home SKU, despite some FUD misinformation I have seen, so it should be your first choice. Create a policy with the Wizard and then add a deny rule, or allow specific versions of Nvidia if you need.
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022
David Weston, Microsoft vice president for OS Security and Enterprise, went on to tweet the attributes to be blocked or allowed.
These are all the attributes you can block or allow on: pic.twitter.com/3BV3QoMuMX
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022
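The two practical tasks in this story are finding binaries signed with the leaked certificates (the VirusTotal hunting mentioned above) and then blocking them with a WDAC deny rule (Weston's advice). The PowerShell below is an added example written for this article; it is not code from NVIDIA, Microsoft or the researchers quoted, and it only uses cmdlets that ship with Windows (`Get-AuthenticodeSignature`, `New-CIPolicyRule`, `Merge-CIPolicy`, `Set-RuleOption`, `ConvertFrom-CIPolicy`). The article does not reproduce the certificates' serial numbers, so `$LeakedCertSerials` holds obviously labelled placeholders that must be replaced with the identifiers published by the researchers; the function names and the `$ScanRoots` paths are assumptions for the example.

```powershell
# Added example, not part of the original article.
# PLACEHOLDERS: replace with the serial numbers of the leaked NVIDIA certificates
# as published by the researchers cited in the text (not reproduced here).
$LeakedCertSerials = @(
    'PLACEHOLDER_LEAKED_CERT_SERIAL_1',
    'PLACEHOLDER_LEAKED_CERT_SERIAL_2'
)

# Assumed locations to sweep; adjust for the environment.
$ScanRoots = @("$env:SystemRoot\System32\drivers", "$env:ProgramFiles")

function Find-LeakedCertSignedFiles {
    # Walks the given roots and reports PE files whose Authenticode leaf certificate
    # carries one of the leaked serial numbers. Drivers (.sys) matter most, because
    # Windows still loads them even though the certificates have expired.
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Serials = $LeakedCertSerials
    )
    $targets = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue
    foreach ($file in $targets) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { continue }   # unsigned file, nothing to compare
        # -contains is case-insensitive, so hex case in the placeholder list does not matter.
        if ($Serials -contains $cert.SerialNumber) {
            [pscustomobject]@{
                Path     = $file.FullName
                Status   = $sig.Status      # often 'Valid': a timestamped signature survives cert expiry
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer     # serial numbers are only unique per issuer; keep it for triage
                Serial   = $cert.SerialNumber
                NotAfter = $cert.NotAfter
                SHA256   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function New-LeakedCertDenyPolicy {
    # Builds a WDAC policy that denies everything signed with the certificate of
    # $SampleFile (a hit from the hunt above). -Level Publisher keys the rule on the
    # signing certificate chain, so every binary signed with that certificate is
    # denied regardless of file name or hash. Deny rules win over allow rules, so the
    # AllowAll example policy that ships with Windows is a usable base.
    param(
        [Parameter(Mandatory)] [string] $SampleFile,
        [Parameter(Mandatory)] [string] $OutXml,
        [string] $BasePolicy = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml",
        [switch] $Enforce      # default is audit mode; pass -Enforce only after reviewing audit events
    )
    $denyRules = New-CIPolicyRule -DriverFilePath $SampleFile -Level Publisher -Deny
    Merge-CIPolicy -OutputFilePath $OutXml -PolicyPaths $BasePolicy -Rules $denyRules | Out-Null
    if ($Enforce) {
        Set-RuleOption -FilePath $OutXml -Option 3 -Delete   # remove Enabled:Audit Mode
    } else {
        Set-RuleOption -FilePath $OutXml -Option 3           # Enabled:Audit Mode: log, don't block
    }
    # Compile to the binary form WDAC consumes; deploy the .cip according to the
    # policy format in use (see Microsoft's WDAC deployment documentation).
    $bin = [System.IO.Path]::ChangeExtension($OutXml, '.cip')
    ConvertFrom-CIPolicy -XmlFilePath $OutXml -BinaryFilePath $bin | Out-Null
    return $bin
}

# Usage (assumed paths):
$hits = Find-LeakedCertSignedFiles -Path $ScanRoots
$hits | Format-Table Path, Status, Serial, NotAfter
if ($hits) {
    New-LeakedCertDenyPolicy -SampleFile $hits[0].Path -OutXml "$env:TEMP\DenyLeakedNvidiaCert.xml"
}
```

Two cautions follow from how the rule is keyed. A Publisher-level deny also blocks legitimate NVIDIA binaries that were signed with the same (now expired) certificates, which is why the policy is generated in audit mode first: review the Code Integrity audit events for NVIDIA components still in use before removing option 3, and, as Weston notes, add narrower allow rules for the specific versions you need. Matching on the leaf serial alone is a hunting heuristic, not proof; a sample that fails the `Status` check or has an unexpected `Issuer` still deserves a manual look before it is used as the seed for a deny rule.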
Doxxed Emails, Password Hashes & More
On Feb. 27, Lapsus$ claimed that it had been in NVIDIA’s systems for a week, that the gang isn’t state-sponsored and that it’s “not into politics AT ALL” – a clarification that’s apparently important for cybercrooks now that the Russia/Ukraine cyber war zone is burning at fever pitch.
Last Wednesday, March 2, the compromised-email notice site Have I Been Pwned put up an alert regarding 71,335 NVIDIA employees’ emails and NTLM password hashes having been leaked on Feb. 23, “many of which were subsequently cracked and circulated within the hacking community.”
As has been noted, on the face of it the figure of 71,000 compromised employee accounts – a number that the graphics processing units maker has neither confirmed nor denied – doesn't add up: in its most recent quarterly report (PDF), NVIDIA listed a workforce of only 18,975.
But, given that the Telegraph’s initial report cited an insider who said that the intrusion “completely compromised” the company’s internal systems, it could be that the stolen data included former employees.
Lapsus$ released a portion of the highly confidential stolen data, including source code, GPU drivers and documentation on NVIDIA's fast logic controller product, also known as Falcon and Lite Hash Rate, or LHR GPU.
Lapsus$ demanded $1 million and a percentage of an unspecified fee from NVIDIA for the Lite Hash Rate bypass.
Lapsus$ also demanded that NVIDIA open-source its drivers, lest Lapsus$ do it itself.
Who Is Lapsus$ Group?
Lapsus$ Group emerged last year. It's probably best known for its December attack on the Brazil Ministry of Health, which took down several online services, wiped out citizens' COVID-19 vaccination data and disrupted the system that issues digital vaccination certificates.
In January, Lapsus$ also crippled the Portuguese media giant Impresa.
Lapsus$ also recently released what is purportedly a massive dump of proprietary source code stolen from Samsung, vx-underground reported.