What you need to know
- A ransomware group known as Lapsus$ has leaked stolen data from NVIDIA as part of a hack.
- The leaked data includes code signing certificates, which are now being used by threat actors.
- By using the signing certificates, threat actors can make malicious files appear genuine, allowing them to bypass some security measures in Windows.
The ongoing drama surrounding the NVIDIA hack by Lapsus$ has another chapter, and it's putting computers at risk. The ransomware group known as Lapsus$ hacked NVIDIA in February 2022. The group threatened to leak the stolen information if NVIDIA did not meet demands to remove mining limitations from its RTX 30 series graphics cards. The group has since leaked information, which is being used by threat actors.
The leak by the Lapsus$ group includes two code-signing certificates, together with the private keys needed to sign with them, that NVIDIA used to sign drivers and executables. Both have expired, but that does not stop abuse: Authenticode does not reject a signature merely because the signing certificate has since passed its expiry date, and Windows' kernel-mode driver-signing policy still loads drivers signed with older cross-signed certificates. A signature tells Windows who published a driver or executable and that it has not been modified since, not that it is safe. Because signed kernel-mode drivers are allowed to load, and some security and allow-listing tooling treats a signature from a known vendor as a mark of trust, a malicious driver or executable carrying a valid NVIDIA signature can be loaded or run where an unsigned one would be blocked or flagged.
BleepingComputer reports that the certificates stolen through the leak have been used to sign malware and hacking tools, including backdoors, Cobalt Strike beacons, Mimikatz, and remote access trojans.
Countering the abuse is not simple. Windows Defender Application Control (WDAC) policies can be configured to block anything signed with the leaked certificates, but writing and deploying such a policy takes real technical know-how, and a blanket deny also blocks the legitimate NVIDIA drivers signed with the same certificates. Microsoft could also add the certificates to its revocation list, but that would break some legitimate NVIDIA drivers (and the graphics cards that depend on them). BleepingComputer notes that it's unlikely Microsoft will take that step in the near future.
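The two practical responses above (hunt for binaries carrying an expired NVIDIA signature, then deny that certificate with WDAC) can be scripted. The following PowerShell is an added example, not code from the article, from NVIDIA or from Microsoft; the scan roots, the subject pattern and the sample path are assumptions chosen for illustration. It uses only stock cmdlets: Get-AuthenticodeSignature for the hunt and the ConfigCI module (New-CIPolicyRule, New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy) for the policy.

```powershell
# Added example (not from the article): find binaries signed with an expired NVIDIA leaf
# certificate, then turn one confirmed sample into a WDAC deny rule.
# Run in an elevated Windows PowerShell 5.1 session. Paths and the subject pattern are
# assumptions; adjust them for the host you are inspecting.

$ScanRoots      = @("$env:SystemRoot\System32\drivers",
                    "$env:SystemRoot\System32",
                    "$env:ProgramFiles\NVIDIA Corporation")
$SubjectPattern = 'NVIDIA Corporation'   # assumed: regex matched against the leaf cert subject
$Now            = Get-Date

function Find-ExpiredSignerBinaries {
    param([string[]]$Roots, [string]$Pattern)
    # -Include only filters when combined with -Recurse; inaccessible directories are skipped.
    Get-ChildItem -Path $Roots -Recurse -Force -Include *.sys, *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert)                 { return }   # unsigned file
            if ($cert.Subject -notmatch $Pattern) { return }   # signed by someone else
            if ($cert.NotAfter -ge $Now)          { return }   # certificate has not expired
            [pscustomobject]@{
                Path         = $_.FullName
                # Authenticode ignores certificate expiry unless the lifetime-signing EKU is
                # present, so Status is frequently 'Valid' even though NotAfter is in the past.
                Status       = $sig.Status
                Subject      = $cert.Subject
                SerialNumber = $cert.SerialNumber
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                Timestamped  = ($null -ne $sig.TimeStamperCertificate)
            }
        }
}

# Every hit deserves a look: a legitimate NVIDIA driver and a malicious file signed with
# the leaked key produce the same Status, Subject and SerialNumber. Compare the file's hash,
# path and timestamp against a known-good driver package before deciding.
$hits = Find-ExpiredSignerBinaries -Roots $ScanRoots -Pattern $SubjectPattern
$hits | Format-Table Path, Status, SerialNumber, NotAfter, Timestamped -AutoSize

function New-LeafCertDenyPolicy {
    # $Sample: assumed path to a file you have confirmed is signed with the leaked certificate.
    # LeafCertificate level pins the rule to that exact certificate rather than to every
    # NVIDIA publisher certificate.
    param([string]$Sample, [string]$XmlOut, [string]$BinOut)
    $rules = New-CIPolicyRule -DriverFilePath $Sample -Level LeafCertificate -Deny
    New-CIPolicy -FilePath $XmlOut -Rules $rules -UserPEs
    # Rule option 3 = Enabled:Audit Mode. Blocked loads are only logged (Microsoft-Windows-
    # CodeIntegrity/Operational) until you remove the option and redeploy.
    Set-RuleOption -FilePath $XmlOut -Option 3
    ConvertFrom-CIPolicy -XmlFilePath $XmlOut -BinaryFilePath $BinOut
}

# Assumed sample path; the resulting .bin is what gets deployed as the code integrity policy.
New-LeafCertDenyPolicy -Sample 'C:\samples\nvidia-signed.sys' `
                       -XmlOut  "$PWD\DenyLeakedCert.xml" `
                       -BinOut  "$PWD\DenyLeakedCert.bin"
```

A policy that contains nothing but a deny rule is not deployable on its own: WDAC is default-deny, so the generated XML has to be merged (Merge-CIPolicy) into a policy that already allows the Windows and vendor binaries the machine needs. Keep it in audit mode until the CodeIntegrity log shows that only unexpected files would be blocked; as the article says, the leaked certificates also sit on legitimate NVIDIA drivers, and a leaf-certificate deny blocks those too unless newer drivers signed with a different certificate are installed first.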
Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.
I see a forced update of Nvidia drivers via Windows Update before a certificate revocation. I’m sure Microsoft and Nvidia are working hard to come up with the best way to mitigate this.
These certs are already expired. Once they are revoked (by either Nvidia or Microsoft) users would have to install new drivers with new certs.
This will be an issue for Nvidia with lots of older product and drivers that are no longer under active development/support across many product lines (and not just Windows drivers).