A couple of weeks ago, the hacker collective known as LAPSUS$ broke into NVIDIA’s servers and made off with nearly 1TB of sensitive data. The group then proceeded to hold said data ransom, demanding that the GPU brand pay them so as not to release information pertaining to its chipset files, graphics, and silicon used. Recently, it appears that the group is now using its ill-gotten gains for something else: signing malware off with expired NVIDIA certificates.
Security researcher Florian Roth (@cyb3rops) was one of the first to discover the certificates, expired in 2014 and 2018, were being used to sign off certificates for malware such “mimikatz”, that the Windows OS still allowed through its firewall. Other malware tools that are being signed off with NVIDIA certificates include Cobalt Strike beacons and KDU. Some security researchers also discovered that the stolen certificates seem to utilise the serial numbers “43BB437D609866286DD839E1D00309F5” and “14781bc862e8dc503a559346f5dcc518”.
— Florian Roth ⚡️ (@cyb3rops) March 3, 2022
The good news is that, there is a way to mitigate the issue and it requires users to configure their Windows Defender Application Control (WDAC) policies, to manage what NVIDIA drivers can and cannot be downloaded. The bad news is, modifying the WDAC isn’t a task for the non-IT Windows users and doing so will most definitely be tedious.
To date, NVIDIA has been keeping mum about its decisions over the issue. From that stolen 1TB of data, approximately 200GB of it relates to hardware, information about NVIDIA’s unreleased Ada Lovelace GPU and its DLSS AI upscaling technology.