December 6, 2022
Malware uses stolen code signing certificates from Nvidia

Following the hacking of its information systems, stolen certificates from Nvidia have been discovered by researchers in malware. An attack that continues to make waves.

The group of cybercriminals, who recently broke into Nvidia’s systems delivered two old code signing certificates from the company. Researchers warn that the drivers could be used to sign kernel-level malware and load it onto systems with a driver signature verification feature. These certificates were recovered from an archive of nearly 1 TB in which the source code and documentation of the GPU driver API was also located. Nvidia confirmed that it was the target of an intrusion, saying that the hackers stole “employee passwords and some proprietary Nvidia information,” without confirming the extent of the data theft.

Looking back at the data breach

On Feb. 24, a ransomware group calling itself LAPSUS$ said publicly that it had gained admin access to several Nvidia systems over the course of about a week and managed to exfiltrate 1TB of data, including hardware schematics, source code for drivers, firmware, documentation, tools and private development kits. And “everything related to Falcon”, a hardware security technology built into Nvidia GPUs and intended to prevent malprogramming of these GPUs. While Nvidia has confirmed the cyberattack and data breach, the company has not provided any details about the stolen data. But as evidence, LAPSUS$ has published 20GB of information from the alleged cache.

The group also claims to have information about Nvidia’s Lite Hash Rate (LHR) technology. Introduced in the RTX 30 series GPUs, the LHR detects if the GPUs are used for Ethereum crypto-currency mining and reduce their performance, in order to make the graphics cards less attractive to crypto-currency miners. Indeed, the latter are capturing the entire GPU market, drying up the market, to the point of making it nearly impossible for gamers to buy GPUs due to a constant stock shortage and overpricing.

To prove that they have this information, the LAPSUS$ group even released a tool that the hackers claim gives users the means to bypass the LHR limitation without resetting the GPU firmware. After this publication, the group changed its demands, asking Nvidia to deliver its GPU drivers in open source for all systems, including Linux. Indeed, for many years, the Linux community has been complaining about the lack of an open source Nvidia driver for this environment.

Importance of code signing certificates

Code signing certificates refer to Microsoft certificates, especially in Windows. It is still possible to run applications that are not signed in Windows, but these trigger more visible security alerts than applications signed by a trusted developer. More importantly, by default, Windows does not allow the installation of a driver that is not digitally signed with a trusted certificate. Applying the digital signature to drivers is an important security feature because, unlike normal user mode applications, drivers run with kernel-level privileges. They therefore have access to the most privileged areas of the operating system and can disable security products.

Before the introduction of this security feature, rootkits (root-level malware) were commonplace in Windows. Digital file signatures are also used by application whitelisting systems to restrict which applications can be run on systems and, to some extent, by antivirus programs, although the existence of a digital signature alone is not sufficient to determine whether a file is legitimate or malicious. Code signing certificates have already been stolen from developers and hackers can even buy them through different channels.

Samples discovered

The problem is that certificate revocations or expirations are not checked or enforced by all Windows security mechanisms, including the one that checks whether loaded drivers are signed, as Zoom security researcher Bill Demirkapi explained at a DEF CON conference on Windows rootkits. Since the introduction of the Secure Boot restriction in Windows 10 build 1607 and later, drivers must be signed with EV (extended validation) certificates. EV certificates require extensive verification of the identity of the person or entity requesting the certificate and are therefore more difficult to obtain and more expensive. The Nvidia code signing certificates published by LAPSUS$ have expired since 2014 and 2018, respectively, and are not EV. But they can still be used to sign malicious code that will be loaded into the kernel of older Windows systems. They can also be used to try to evade detection by some security products.

Researcher Florian Roth has already found two samples of hacking tools signed with one of the certificates on VirusTotal: a copy of the Mimikatz password dumping tool and a copy of the Kernel Driver Utility (KDU) which can be used for process hijacking. Researcher Mehmet Ergene found even more malicious files signed with the certificate, including a Remote Access Trojan (RAT) for Discord. And more malware abusing the legitimacy of Nvidia certificates is expected to appear. Florian Roth and Mehmet Ergene have published a YARA rule and a query for Microsoft Defender for Endpoint (MDE) that security teams can use to scan their environments for files signed with these certificates. Microsoft also offers a Windows Defender Application Control policy to block malicious drivers, which can be customized by adding new controls, and an Attack Surface Reduction (ASR) rule for Microsoft Defender for Endpoint.