Two of NVIDIA’s code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered – certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.
The Feb. 23 attack saw 1TB of data bleed from the graphics processing units (GPUs) maker: a haul that included data on hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.
Security researchers noted last week that malicious binaries were being signed with the stolen certificates to come off like legitimate NVIDIA programs, and that they had appeared in the malware sample database VirusTotal.
The signed binaries were detected as Mimikatz – a tool for lateral movement that allows attackers to enumerate and view the credentials stored on the system – and for other malware and hacking tools, including Cobalt Strike beacons, backdoors and remote access trojans (RATs) (including a Quasar RAT [VirusTotal] and a Windows driver [VirusTotal]).
Gist that contains @virustotal Enterprise search queries to find samples signed with the leaked NVIDIA certificates#NvidiaLeaks #LAPSUS
based on my and @GossiTheDog's work
https://t.co/JxnbrLSjVz pic.twitter.com/KYRKdYcF8R— Florian Roth (@cyb3rops) March 5, 2022
Expired But Still Recognized Certs: A ‘Significant Threat’
Both of the stolen NVIDIA code-signing certificates are expired, but they’re still recognized by Windows, which allow a driver signed with the certificates to be loaded in the operating system, according to reports.
According to security researchers Kevin Beaumont and Will Dormann, the stolen certificates use these serial numbers:
- 43BB437D609866286DD839E1D00309F5
- 14781bc862e8dc503a559346f5dcc518
Casey Bisson, head of product and developer relations at code-security product provider BluBracket, called the certificate theft a “significant threat.”
“Signing certificates are the keys computers use to verify trust in software,” he told Threatpost via email on Monday. “Validating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).”
Mike Parkin, senior technical engineer at enterprise cyber risk remediation provider Vulcan Cyber, agreed that malware authors being able to use legitimate certificates to sign their code “can have far -reaching consequences.
The dire situation is somewhat mitigated due to the stolen certificates having expired, he said in an email on Monday, but that’s not a perfect solution. “This will make it easier for anti-malware applications to identify malicious code signed with these certs, but there is still the challenge of Microsoft’s operating systems accepting them as valid even past their expiration,” he said.
Supply Chain
Bisson noted that given NVIDIA’s massive install base – its technology shows up everywhere from gaming to crypto miners to industrial and scientific super-computing – a supply chain attack targeting users could have “enormous implications.”
He pointed to global power consumption as one yardstick of how NVIDIA’s hardware is slathered across the world: “Some estimates peg crypto as consuming over half a percent of the world’s annual electric generation on its own,” he said, “most of that related to power-hungry Nvidia processors dependent on Nvidia’s software signed by these keys.”
NVIDIA’s hardware is critical for gaming and media production, as well as cloud-based artificial intelligence (AI) and machine-learning (ML) that powers everything from voice assistants, image and video processing (including automated moderation), and manufacturing quality control systems, Bisson pointed out.
He suggested that the fix for supply-chain threats is to establish a new chain of trust in NVIDIA’s software development workflow with new certificates. “Upstream certificate authorities can revoke Nvidia’s old certificates to block installation of any potentially compromised software with those certificates,” he explained. “As always, intrusion detection and access control audits are critical to preventing new intrusion attacks, while enforcing signed commits and continuous automated code scanning for secrets, dependency vulnerabilities, along with manual testing are solid steps to ensuring the security of their software.”
How to Block the Signed Malware
David Weston, director of enterprise and OS security at Microsoft, tweeted on Thursday that admins can keep Windows from loading known, vulnerable drivers by configuring Windows Defender Application Control policies to control which of NVIDIA’s drivers can be loaded.
That should, in fact, be admins’ first choice, he wrote.
WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation i have seen so it should be your first choice. Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022
David Weston, Microsoft vice president for OS Security and Enterprise, went on to tweet the attributes to be blocked or allowed.
These are all the attributes you can block or allow on: pic.twitter.com/3BV3QoMuMX
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022
Unfortunately, Microsoft’s WDAC fix isn’t a practical solution for the majority of Windows users, who aren’t technically literate, Vulcan Cyber’s Parkin pointed out.
A better approach would be for Microsoft to recognize the certificates as expired and no longer accept them as legitimate, he told Threatpost.
Doxxed Emails, Password Hashes & More
On Feb. 27, Lapsus$ claimed that it had been in NVIDIA’s systems for a week, that the gang isn’t state-sponsored and that it’s “not into politics AT ALL” – a clarification that’s apparently important for cybercrooks now that the Russia/Ukraine cyber war zone is burning at fever pitch.
Last Wednesday, March 2, the compromised-email notice site Have I Been Pwned put up an alert regarding 71,335 NVIDIA employees’ emails and NTLM password hashes having been leaked on Feb. 23, “many of which were subsequently cracked and circulated within the hacking community.”
As has been noted, at least on the face of it, that number of 71,000 compromised employee accounts – a number that the graphics processing units maker hasn’t confirmed or denied – doesn’t make sense. In its most recent quarterly report (PDF), NVIDIA only listed a workforce of 18,975.
But, given that the Telegraph’s initial report cited an insider who said that the intrusion “completely compromised” the company’s internal systems, it could be that the stolen data included former employees.
Lapsus$ released a portion of the highly confidential stolen data, including source codes, GPU drivers and documentation on NVIDIA’s fast logic controller product, also known as Falcon and Lite Hash Rate, or LHR GPU.
Lapsus$ demanded $1 million and a percentage of an unspecified fee from NVIDIA for the Lite Hash Rate bypass.
Lapsus$ also demanded that NVIDIA open-source its drivers, lest Lapsus$ do it itself.
Who Is Lapsus$ Group?
Lapsus$ Group emerged last year. It’s probably best known for its December attack on the Brazil Ministry of Health that took down several online entities, successfully wiping out information on citizens’ COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.
In January, Lapsus$ also crippled the Portuguese media giant Impresa.
Lapsus$ also recently released what is purportedly a massive dump of proprietary source code stolen from Samsung, vx-underground reported.
030722 16:06 UPDATE: Added commentary from Casey Bisson and Mike Parkin.
Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.