Update March 16, 2022: It’s been twelve days since we posted this Cyber Heads-up and this seems to have dropped out of the news and out of discussion. NVIDIA has been deafeningly silent about this. Our guidance remains the same. Make sure that your environment is set up to monitor for code signed by these certificates and to alert on suspicious behavior of that code. Our Security Operations Center has identified code signed with these certificates running on relatively new systems, which means that some code hasn’t had a new version published since at least July of 2018.
Originally Published March 4, 2022
Overview
Earlier this week, NVIDIA, one of the world’s largest makers of video card hardware confirmed that a group calling itself Lapsus$ compromised its systems. Lapsus$ claims to have stolen around 1 TB of NVIDIA’s proprietary data. It appears that NVIDIA attempted to play a game of tit-for-tat with Lapsus$ and in return, Lapus$ released the code signing certificates including private keys used by NVIDIA, amongst other valuable information.
Although the certificates expired in 2014 and 2018 respectively, for backward compatibility purposes, Microsoft Windows does not enforce certificate validity in some circumstances. The result is that there are reports of threat actors using these certificates to sign tools such as Mimikatz, a tool used by both legitimate penetration testers and malicious threat actors to scrape NTLM hashes to then be used in a pass-the-hash attack.
Security researcher Florian Roth has posted a YARA rule to catch code signed by those certificates after March 1, 2022.
Assura’s Take
We’re recommending that, at least for now, organizations halt updating NVIDIA drivers and software until NVIDIA can confirm whether or not current code signing certificates have been compromised.
However to be clear, pausing updates or installations of NVIDIA drivers and other software will not prevent Windows from installing malicious drivers due to the backward compatibility described above. Only Microsoft can fix that with an operating system update.
Given that, if you’re an Assura Managed SIEM or MDR client, our Security Operations Center is actively monitoring for malicious software signed by the compromised certificates. We will treat all software signed by these certificates as suspicious and report and/or quarantine that software, as applicable your service plan.
We’ll communicate further about when it may be safe to resume updating or new installation of NVIDIA drivers and software.
Assura’s clients can contact their Virtual ISO or Defensive Security Operations team Concierge with questions about this. Others are welcome to contact us through the contact form on our website.