The fallout from the NVIDIA cyber attack continues. Beyond the email addresses, password hashes and DLSS source code, the stolen data included NVIDIA code-signing certificates, and bad actors are now using them to sign malware, which has already been released online. Windows trusts code signed with a legitimate NVIDIA certificate, so signed malware can be installed, and even loaded as a kernel driver, without the warnings or blocks that unsigned code would trigger. Researchers have spotted multiple trojans in the wild signed with the stolen certificates.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022
Code signing is meant to assure Windows that a driver or application comes from a trusted publisher, which is exactly why malware signed with a genuine NVIDIA certificate is tricky to block: it passes the same checks that legitimate NVIDIA software does. Malware can be masked as updates or drivers, making it difficult to spot. All hope is not lost, though, as David Weston (Director of Enterprise and OS Security at Microsoft) has posted a means for administrators to tighten up their defences. With Windows Defender Application Control (WDAC) policies, an administrator can control which drivers and applications are allowed to load, including by denying code signed with a specific certificate.
These are all the attributes you can block or allow on: pic.twitter.com/3BV3QoMuMX
— David Weston (DWIZZZLE) (@dwizzzleMSFT) March 3, 2022
Configuring custom policies and rule sets is not easy for the average user, and a mistake can make things worse: WDAC is default-deny, so a policy that is too narrow, or enforced before it has been tested, can block legitimate drivers and applications. It is hoped that NVIDIA and Microsoft will collaborate on an easier solution.
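As an added example of the kind of rule WDAC makes possible (this is not code from the article, from NVIDIA or from Microsoft): a deny rule keyed to one of the leaked certificates, merged into an organisation's existing base policy and deployed in audit mode first so that it only logs what it would have blocked. The file paths are placeholders; $SignedSample must point at a file actually signed with the leaked certificate, and $BasePolicy at the policy XML already deployed in your environment.

```powershell
# Added example (not from the article, NVIDIA or Microsoft). Requires the built-in
# ConfigCI module (Windows 10/11, Windows Server 2016+), run from an elevated session.
Import-Module ConfigCI

# Assumptions: a file signed with the leaked certificate (a genuine NVIDIA driver signed
# with it will do) and the XML of the base policy you already deploy.
$SignedSample = 'C:\triage\nv_sample_signed_with_leaked_cert.sys'
$BasePolicy   = 'C:\policies\BasePolicy.xml'
$MergedXml    = 'C:\policies\BasePolicy_DenyLeakedNvidiaCert.xml'
$MergedBin    = 'C:\policies\BasePolicy_DenyLeakedNvidiaCert.bin'

# -Level LeafCertificate keys the rule on the signing certificate itself (its TBS hash),
# so only code signed with that exact certificate is denied. -Level Publisher would be
# broader and would also deny NVIDIA's non-leaked certificates from the same issuing CA.
$denyRules = New-CIPolicyRule -Level LeafCertificate -DriverFilePath $SignedSample -Deny

# Merge the deny rule into the existing base policy rather than shipping it alone:
# WDAC is default-deny, so a policy containing nothing but this rule would block
# every other driver and application on the machine.
Merge-CIPolicy -PolicyPaths $BasePolicy -Rules $denyRules -OutputFilePath $MergedXml

# Option 3 = Enabled:Audit Mode. Files the policy would block are only logged to
# Microsoft-Windows-CodeIntegrity/Operational (event 3076) until the option is removed.
Set-RuleOption -FilePath $MergedXml -Option 3

# Compile to the binary form the kernel consumes; deploy it with your usual WDAC
# mechanism (CiTool, Intune, Group Policy) and leave it in audit mode for a while.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $MergedBin

# Review what audit mode would have blocked before switching to enforcement
# (Set-RuleOption -FilePath $MergedXml -Option 3 -Delete, then recompile and redeploy).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Expect legitimate NVIDIA drivers signed with the same certificate to show up in the audit log as well; the rule denies the certificate, not the malware, so those drivers need to be replaced with builds signed under a different certificate before the policy is enforced.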
Those more adept at software can identify suspect files by inspecting a file's Authenticode signature and comparing the signer certificate's serial number. Security researchers Kevin Beaumont and Will Dormann found that the stolen certificates have the following serial numbers. Note that a match identifies the certificate, not the intent: genuine NVIDIA drivers signed with the same certificates will match too, so each hit still needs to be checked against what NVIDIA actually shipped.
43BB437D609866286DD839E1D00309F5
14781BC862E8DC503A559346F5DCC518
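As an added example, not code from the article or from the researchers, here is how that check can be scripted: walk a directory tree, read each file's embedded Authenticode signer certificate and report files whose serial number is one of the two above. The scan paths and file extensions are assumptions; the serial numbers are the ones quoted in the article.

```powershell
# Added example (not from the article). Scans PE files for an embedded Authenticode
# signature whose signer certificate has one of the leaked NVIDIA serial numbers.

$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781BC862E8DC503A559346F5DCC518'
)

function Find-LeakedNvidiaSignatures {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Include = @('*.sys', '*.dll', '*.exe')   # assumed set of extensions
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            # Unsigned and catalog-signed files carry no embedded signer certificate.
            if ($null -eq $sig.SignerCertificate) { return }

            # .NET reports the serial as uppercase hex; normalise so the lowercase form
            # the second serial was originally published in matches as well.
            $serial = $sig.SignerCertificate.SerialNumber.ToUpperInvariant()
            if ($LeakedSerials -notcontains $serial) { return }

            [pscustomobject]@{
                Path       = $_.FullName
                Serial     = $serial
                Subject    = $sig.SignerCertificate.Subject
                CertExpiry = $sig.SignerCertificate.NotAfter
                Status     = $sig.Status   # the certificate is genuine, so 'Valid' is possible
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Assumed starting points: the live driver directory and the driver store.
Find-LeakedNvidiaSignatures -Path 'C:\Windows\System32\drivers', 'C:\Windows\System32\DriverStore' |
    Format-Table -AutoSize
```

Two caveats. Get-AuthenticodeSignature reports only a file's primary signature, and drivers are often dual-signed, so a file carrying the leaked certificate in a secondary signature would be missed; `signtool verify /pa /all /v <file>` lists every signature when a hit needs confirming. And, as above, a match tells you which certificate signed the file, not whether the file is malicious: compare the SHA256 of each hit against the drivers NVIDIA actually distributed before treating it as an infection.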
Source: Bleeping Computer