The fallout continues from the ransomware attack that targeted Nvidia, as it has been discovered that some of the company’s older GPU drivers can now conceal malware. According to TechPowerUp, stolen code-signing certificates are being used to place malware on unsuspecting PCs. This was also confirmed by @BillDemirkapi on Twitter. The code-signing certificates expired in 2014 and 2018, but that doesn’t stop Windows from recognizing these as legitimate. And this could be a massive issue for those who aren’t sure what to look out for.
BleepingComputer pointed out the kinds of malware making the rounds. These include Cobalt Strike Beacons, Mimikatz, backdoors, and Remote Access Trojans. This is clearly a problematic situation for Nvidia, and it’s unknown how much worse the situation could become in the next few weeks. But for now, it’s important that users remain vigilant for anything that seems out of the ordinary, particularly when downloading drivers for their graphics cards.
Keep an eye out for malicious software
Code-signing certificates are used by developers to put a digital signature on drivers and executables, so that Windows can verify a file really comes from the publisher it claims to. If the certificate isn’t valid, Windows will warn you. That is what makes malware signed with these certificates so dangerous: Windows has no reason to flag the file, and before you know it, your PC is compromised. And if users can’t tell a real driver from a fake one, the malware could end up infecting a lot of unsuspecting PCs. There are, however, precautions users can take.
Thanks to security researchers Kevin Beaumont and Will Dormann, the serial numbers for the stolen certificates have been shared. Be sure to look out for “43BB437D609866286DD839E1D00309F5” and “14781bc862e8dc503a559346f5dcc518.” While these certificates have expired, Windows will still recognize them as legitimate. Obviously, this is a big security flaw that Windows should iron out in the future. In fact, it’s bizarre that expired certificates are recognized in the first place.
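To turn those two serial numbers into something you can actually run, here is an added PowerShell example (not from the article or from any of the researchers cited) that walks a folder and reports every file whose Authenticode signer certificate carries either serial, ignoring the expiry date because Windows ignores it too. It assumes a Windows host where Get-AuthenticodeSignature is available; the set of file extensions scanned and the folder in the example run are assumptions.

```powershell
# Added example, not from the article. The serial numbers come from the article
# (shared by Kevin Beaumont and Will Dormann); they are compared case-insensitively.
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781BC862E8DC503A559346F5DCC518'
)

function Find-LeakedNvidiaSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed set of file types worth checking; adjust to taste.
        [string[]] $Include = @('*.sys', '*.dll', '*.exe', '*.cat')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: nothing to compare
            # SerialNumber is returned as a hex string; normalise case before matching.
            $serial = $cert.SerialNumber.ToUpperInvariant()
            if ($LeakedSerials -contains $serial) {
                [pscustomobject]@{
                    File     = $_.FullName
                    Status   = $sig.Status            # Windows' own verdict, which may still be Valid
                    Subject  = $cert.Subject
                    Serial   = $serial
                    NotAfter = $cert.NotAfter
                    Expired  = ($cert.NotAfter -lt (Get-Date))
                }
            }
        }
}

# Example run over the driver directory (assumed path); an empty result means no matches.
Find-LeakedNvidiaSignature -Path "$env:SystemRoot\System32\drivers" | Format-Table -AutoSize
```

A hit in the output is a file signed with a leaked certificate, whatever Windows' Status column says, so treat it as something to quarantine and investigate rather than trust.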
It’s a dire situation for Nvidia and its users, especially for those who aren’t aware of the current situation. The best defense at the moment is to spread this information around as much as possible. There’s no word on what Nvidia plans to do with the malware disguised as GPU drivers, or whether Microsoft intends to step in at some point. Either way, the best thing for users to do now is remain cautious. Keep an eye out for anything that looks suspicious and, as always, be careful with what you download.
As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66 pic.twitter.com/gCrol0BxHd
— Bill Demirkapi (@BillDemirkapi) March 3, 2022