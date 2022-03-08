




No company is safe from being targeted by cybercriminals. Nvidia was recently compromised, and the attackers leaked a large amount of corporate information, including the credentials of more than 70,000 employees and two code signing certificates.

Ransom demand and leak

On Friday, February 28, the cybercrime group “Lapsus$” announced on a Telegram channel that it had compromised Nvidia and stolen about 1 TB of data. Its ransom demand was an unprecedented one: that Nvidia remove the LHR limitation from all its firmware (Figure A).

Figure A

Ransom demand from cyber criminals. Source: Telegram

LHR, short for Lite Hash Rate, is a feature Nvidia recently introduced on its graphics cards that makes them less effective for cryptocurrency mining. Its purpose is to stop people from buying those cards for mining, so that inventory stays available to gamers.

Lapsus$ released a first archive of Nvidia data containing a file with 71,335 email addresses and the associated NTLM password hashes. Nvidia confirmed the leak and stated that all employees would need to change their passwords.

However, the leak contained not only credentials but also source code and other data, including two code signing certificates.

What is a code signing certificate? Why is it so important?

Code signing certificates allow software developers and companies to digitally sign executables, which guarantees that the code has not been modified or corrupted since it was signed. This type of digital signature is computed over a cryptographic hash of the file and is used to verify the authenticity and integrity of the data; it cannot be forged without the signer's private key.

But what if someone gets hold of a software company's code signing certificate and its private key? In short, the answer is frightening: any executable can be signed with that certificate, making it appear completely legitimate to the operating system and its users. In this way, malware can hide on a system far more effectively without triggering alerts at run time.
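To make the two points above concrete (a signature detects any change to the signed bytes, yet whoever holds the private key can produce a valid signature for anything), here is a short PowerShell walk-through. It is an added example, not code from the article or from Nvidia; it uses the RSA implementation that ships with .NET, and the "driver" and "malware" byte strings are constructed placeholders rather than real files.

```powershell
# Added example (not from the article): how a code signature behaves with
# untouched, tampered and attacker-supplied files, and why a stolen private
# key defeats the whole scheme. All input bytes below are constructed.
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# The vendor's key pair. The private half is what a code signing certificate's
# key store is supposed to protect; the public half ships inside the certificate.
$vendorKey = [System.Security.Cryptography.RSA]::Create()
$vendorPublic = [System.Security.Cryptography.RSA]::Create()
$vendorPublic.ImportParameters($vendorKey.ExportParameters($false))   # public parameters only

# Constructed stand-ins for executables (real ones would be PE files).
$genuine  = [System.Text.Encoding]::ASCII.GetBytes('MZ constructed genuine driver bytes')
$tampered = [byte[]]($genuine + 0x90)                                  # one appended byte
$malware  = [System.Text.Encoding]::ASCII.GetBytes('MZ constructed malicious payload')

# The vendor signs the genuine driver: the signature covers SHA-256 of the bytes.
$vendorSig = $vendorKey.SignData($genuine, $hashAlg, $padding)

# What a verifier (e.g. the OS loader) sees, using only the public key.
[PSCustomObject]@{
    # Untouched file with the vendor's signature: valid.
    GenuineVerifies      = $vendorPublic.VerifyData($genuine,  $vendorSig, $hashAlg, $padding)
    # A single changed byte changes the hash, so the same signature fails.
    TamperedVerifies     = $vendorPublic.VerifyData($tampered, $vendorSig, $hashAlg, $padding)
    # Copying the vendor's signature onto a different file fails too.
    MalwareWithReusedSig = $vendorPublic.VerifyData($malware,  $vendorSig, $hashAlg, $padding)
    # With the stolen private key, any file can be given a signature that verifies.
    MalwareWithStolenKey = $vendorPublic.VerifyData($malware, $vendorKey.SignData($malware, $hashAlg, $padding), $hashAlg, $padding)
}
```

Run as-is in Windows PowerShell 5.1 or PowerShell 7; the expected result is that only the last two properties differ (`TamperedVerifies` and `MalwareWithReusedSig` are `False`, `MalwareWithStolenKey` is `True`). The last line is the whole problem with a leaked certificate: the verifier has no way to tell the vendor's signing operation from the attacker's.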

Code signing certificate theft is more common than you might think

Code signing certificates are an important asset that needs to be carefully protected. Signing malware with stolen certificates is nothing new, however, and multiple cybercriminals have used the technique in the past. A good example is Stuxnet, different versions of which were signed with two different stolen certificates.

On the cyber espionage side, the theft of digital certificates to sign malware is also relatively common. Several threat actors have used this method in the past and still use it today; the signed Plead malware used in cyber espionage campaigns is one example, but there are others.

Stealing code signing certificates from software companies is evidently attractive enough for some threat actors, who have demonstrated the ability to quickly deploy malware signed with certificates from various legitimate companies.

Nvidia's stolen signing certificates

In the case of Nvidia, it has been publicly revealed that at least two different certificates were leaked. Although these certificates have expired (digital certificates have a limited validity period), they can still be used to sign driver files. The reason lies in Microsoft's driver signing policy, which stipulates that the operating system will run a driver that is “signed with an end entity certificate issued before July 29, 2015, chained to a supported cross-signed CA.”

Immediately after the leak was published, executables signed with these two certificates began appearing on VirusTotal. The first files submitted were probably tests by researchers and enthusiasts, but real malware was also found, such as a Quasar RAT variant and a Ryuk ransomware variant.

Administrators can block these two certificates on their company's systems, but whether that is practical depends on the software they run.

The two leaked certificates are:

Name: NVIDIA Corporation
Status: This certificate or one of the certificates in the certificate chain has expired.
Issuer: VeriSign Class 3 Code Signing 2010 CA
Valid from: September 2, 2011 12:00 am
Valid to: September 1, 2014 11:59 pm
Valid usage: Code signing
Algorithm: sha1RSA
Fingerprint: 579AEC4489A2CA8A2A09DF5DC0323634BD8B16B7
Serial number: 43 BB 43 7D 60 98 66 28 6D D8 39 E1 D0 03 09 F5

Name: NVIDIA Corporation
Status: This certificate or one of the certificates in the certificate chain has expired.
Issuer: VeriSign Class 3 Code Signing 2010 CA
Valid from: July 28, 2015 12:00 am
Valid to: July 26, 2018 11:59 pm
Valid usage: Code signing
Algorithm: sha1RSA
Fingerprint: 30632EA310114105969D0BDA28FDCE267104754F
Serial number: 14 78 1B C8 62 E8 DC 50 3A 55 93 46 F5 DC C5 18

What can you do about those certificates?

Administrators can use Windows Defender Application Control (WDAC) policies to control which Nvidia drivers may be loaded, but the configuration process is tricky. Microsoft will probably ship an update that revokes the stolen certificates; the problem is that some older, legitimate Nvidia drivers are also signed with them, so such an update may cause errors.
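Before writing a WDAC rule, an administrator usually wants to know which files on a host are actually signed with the leaked certificates. The following PowerShell script is an added example, not part of the article: it compares the signer thumbprint of each file against the two fingerprints listed above using the built-in Get-AuthenticodeSignature cmdlet. The directories scanned and the file extensions are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): inventory files signed with the two
# leaked NVIDIA certificates. A match is an indicator to review, not proof of
# malice, because older legitimate NVIDIA drivers carry the same certificates.
param(
    # Assumed starting points; extend to wherever drivers and tools are deployed.
    [string[]]$Paths = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore")
)

# Thumbprints (SHA-1 fingerprints) of the two leaked certificates, as published.
$leakedThumbprints = @(
    '579AEC4489A2CA8A2A09DF5DC0323634BD8B16B7',
    '30632EA310114105969D0BDA28FDCE267104754F'
)

Get-ChildItem -Path $Paths -Recurse -File -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -ne $cert -and $leakedThumbprints -contains $cert.Thumbprint) {
            [PSCustomObject]@{
                Path            = $_.FullName
                Thumbprint      = $cert.Thumbprint
                Subject         = $cert.Subject
                # The OS verdict (Valid, NotSigned, UnknownError, ...). An expired
                # chain without a timestamp often shows as non-Valid here even for
                # legitimate old drivers; the thumbprint match is the useful signal.
                SignatureStatus = $sig.Status
                # A file written recently but signed with a certificate that expired
                # years ago deserves a closer look than a 2014-era driver.
                LastWriteUtc    = $_.LastWriteTimeUtc
            }
        }
    } | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

Run from an elevated prompt so that all driver directories are readable. The same two thumbprint values can be fed to whatever EDR or Sysmon rules you already use for signer-based alerting, which covers files that land outside the scanned paths.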

What to do if data is leaked from the company

Nvidia's leak contains different types of data. The first step, of course, is for all users to change their passwords immediately and to add two-factor authentication (2FA) as an additional security measure if it has not been deployed yet.

If source code is leaked, all access to the development platforms and servers should be blocked urgently and the integrity of those servers checked, to prevent the attackers from exploiting them further.

If your code is leaked on GitHub or a similar third-party site, contact the third party to have it removed as soon as possible.

Also, check and change all passwords, API keys, and tokens of any kind that may be used in your code. If your company's digital certificate is leaked, revoke it as soon as possible.
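The last step, finding every password, API key and token embedded in the leaked code so it can be rotated, is easier with a scan than by reading. The script below is an added example, not from the article; it runs a handful of illustrative regular expressions over a source tree with Select-String and reports file, line and secret type while showing only a prefix of each match. The root directory, file extensions and patterns are assumptions; a real rotation effort should use a dedicated secret scanner with a far larger rule set.

```powershell
# Added example (not from the article): list strings that look like credentials
# in a source tree so each one can be rotated. Patterns are illustrative only.
param(
    [string]$Root = '.',                                            # assumed: the leaked repo checkout
    [string[]]$Include = @('*.py', '*.js', '*.ts', '*.cs', '*.ps1',  # assumed file types
                           '*.json', '*.yml', '*.yaml', '*.env', '*.config')
)

# Secret type => .NET regular expression. Order matters: the first match on a line wins.
$patterns = [ordered]@{
    AwsAccessKeyId    = 'AKIA[0-9A-Z]{16}'
    GitHubToken       = 'ghp_[A-Za-z0-9]{36}'
    PrivateKeyBlock   = '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'
    HardcodedPassword = '(?i)(password|passwd|pwd)\s*[:=]\s*["''][^"'']{4,}["'']'
    GenericApiKey     = '(?i)(api[_-]?key|secret|token)\s*[:=]\s*["''][A-Za-z0-9_\-]{16,}["'']'
}

function Hide-Secret([string]$Match) {
    # Show only a prefix so the report does not become a second leak.
    if ($Match.Length -le 8) { return '***' }
    return $Match.Substring(0, 6) + '...'
}

$files = Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue

$findings = foreach ($file in $files) {
    $reported = @{}                      # line numbers already reported for this file
    foreach ($kind in $patterns.Keys) {
        $file | Select-String -Pattern $patterns[$kind] | ForEach-Object {
            if (-not $reported.ContainsKey($_.LineNumber)) {
                $reported[$_.LineNumber] = $true
                [PSCustomObject]@{
                    File    = $_.Path
                    Line    = $_.LineNumber
                    Kind    = $kind
                    Preview = Hide-Secret $_.Matches[0].Value
                }
            }
        }
    }
}

$findings | Sort-Object File, Line | Format-Table -AutoSize
```

Every line reported is a candidate for rotation, not just deletion from the repository: once the code is public, the value must be treated as known to the attacker regardless of whether a later commit removes it.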

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

