NVIDIA signing certificates that expired in 2014/2018 are now used to sign malware
The first batch of files published by the extortion group included NVIDIA code-signing certificates that are now being used to sign malware, security researchers discover.
The hacking group LAPSUS$ gained access to internal NVIDIA systems two weeks ago. The group demanded a ransom in exchange for not publishing the stolen data. It was reported that as much as 200 GB of files related to hardware and 1 TB of data overall were stolen. This includes files referring to unreleased architectures such as RTX 40 “Ada” or future data-center products like Blackwell. To make matters worse, the hackers also published source code for one of NVIDIA’s biggest secrets, the DLSS AI upscaling technology.
Security researchers have discovered that the signing certificates that were also included in this first batch of files are now being used to sign malware.
— Florian Roth ⚡️ (@cyb3rops) March 3, 2022
What is important to note here is that both leaked signing certificates are expired. However, the Windows operating system still allows drivers signed with those certificates to be loaded, which poses a great security risk.
At this point, there is no easy way to prevent software signed with those certificates from being loaded by the operating system, other than creating Windows Defender policies manually. Microsoft should revoke those certificates in the future, but this might take time, and for some users it might be too late.
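Until a revocation or a block policy is in place, a defender's first question is whether any signed binaries on a machine carry one of the leaked signers. The PowerShell below is an added example written for this article, not code from NVIDIA, Microsoft or the researchers quoted; it walks the driver directory (and any other paths you pass) and reports files whose Authenticode signer certificate is already expired and matches a subject pattern, or whose thumbprint is on a block list. The thumbprint values are placeholders, since the article does not reproduce the leaked certificates' identifiers; the subject pattern, function name and parameter names are assumptions of this example.

```powershell
# Added example (not from the article): report signed files whose signer certificate
# is expired, or whose thumbprint is on a block list of known-leaked certificates.
# The thumbprints below are PLACEHOLDERS: substitute the values published for the
# leaked NVIDIA certificates, which this article does not reproduce.
$BlockedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-LEAKED-NVIDIA-CERT-EXPIRED-2014',
    'PLACEHOLDER-THUMBPRINT-LEAKED-NVIDIA-CERT-EXPIRED-2018'
)

function Find-SuspiciousSignedFiles {
    param(
        # Directories to scan; kernel drivers live here by default (assumed scope)
        [string[]]$Paths = @("$env:SystemRoot\System32\drivers"),
        # Subject substring that, combined with an expired signer, triggers a report
        [string]$SubjectPattern = 'NVIDIA'
    )
    $now = Get-Date
    Get-ChildItem -Path $Paths -Recurse -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: nothing to evaluate here

            $expired        = $cert.NotAfter -lt $now
            $blocked        = $BlockedThumbprints -contains $cert.Thumbprint
            $matchesSubject = $cert.Subject -match $SubjectPattern

            if ($blocked -or ($expired -and $matchesSubject)) {
                $reason = if ($blocked) { 'thumbprint on block list' } else { 'expired signer certificate' }
                [pscustomobject]@{
                    File       = $_.FullName
                    Status     = $sig.Status        # as reported by Get-AuthenticodeSignature
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reason     = $reason
                }
            }
        }
}

# Usage: scan the default driver directory and print a table of hits (empty when clean)
Find-SuspiciousSignedFiles | Format-Table -AutoSize
```

Run it in an elevated session so every driver file is readable. A hit is a lead, not a verdict: a legitimately signed, long-installed NVIDIA driver whose certificate has since expired will also appear under the "expired signer certificate" reason, so compare the thumbprint against the published leaked values before blocking anything.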
Over the weekend, the same hacking group announced that they had successfully infiltrated Samsung servers and immediately began sharing the files. Users should remember to download files only from known sources.