The group of cybercriminals who recently broke into Nvidia’s systems has leaked two of the company’s old code-signing certificates. Researchers warn that the certificates could be used to sign kernel-level malware and load it onto systems that enforce driver signature verification. The certificates were retrieved from an archive of almost 1 TB that also contained the source code and documentation for the GPU driver API. Nvidia confirmed it was the target of a breach, saying the hackers stole “employee passwords and certain Nvidia proprietary information,” without confirming the extent of the data theft.

Looking back at the data breach

On February 24, a ransomware group calling itself LAPSUS$ publicly stated that it had held admin access to multiple Nvidia systems for about a week and had exfiltrated 1TB of data, including hardware schematics, driver source code, firmware, documentation, tools and proprietary development kits, as well as “all things Falcon,” a hardware security technology built into Nvidia GPUs and intended to prevent misprogramming of those GPUs. While Nvidia confirmed the cyberattack and data breach, the company did not provide any details about the stolen data. As proof, LAPSUS$ released 20 GB of information from this alleged cache.

The group also claims to have information on Nvidia’s LHR (Lite Hash Rate) technology. Introduced in RTX 30-series GPUs, LHR detects when a GPU is being used for Ethereum cryptocurrency mining and reduces its performance, in order to make graphics cards less attractive to miners. Miners have been absorbing the entire GPU supply, drying up the market to the point where it is almost impossible for gamers to buy a GPU, with constant stock shortages and inflated prices.

To prove that it holds this information, the LAPSUS$ group even released a tool that, it claims, lets users bypass the LHR throttling without resetting the GPU firmware. After this publication, the group changed its demands, asking Nvidia to release its GPU drivers as open source for all systems, including Linux. The Linux community has been complaining for many years about the lack of an open source Nvidia driver for that environment.

Importance of Code Signing Certificates

Code signing certificates here refer to the certificates trusted by Microsoft, especially on Windows. It is still possible to run unsigned applications on Windows, but they trigger more visible security alerts than applications signed by a trusted developer. More importantly, by default Windows does not allow the installation of any driver that is not digitally signed with a trusted certificate. Driver signing is an important security feature because, unlike normal user-mode applications, drivers run with kernel-level privileges: they have access to the most privileged parts of the operating system and can disable security products.

Before the introduction of this security feature, rootkits (root-level malware) were commonplace on Windows. Digital signatures on files are also used by application whitelisting systems to restrict which applications may run on a system and, to some extent, by anti-virus programs, although the presence of a digital signature alone is not enough to determine whether a file is legitimate or malicious. Code signing certificates have been stolen from developers before, and hackers can even buy them through various channels.

Samples discovered

The problem is that certificate revocations or expirations are not checked or enforced by all Windows security mechanisms, including the one that checks whether loaded drivers are signed, as Zoom security researcher Bill Demirkapi explained in a DEF CON talk on Windows rootkits. Since the introduction of the Secure Boot restriction in Windows 10 build 1607 and later, drivers must be signed with EV (extended validation) certificates. EV certificates require extensive verification of the identity of the person or entity requesting the certificate and are therefore harder to obtain and more expensive. The Nvidia code signing certificates leaked by LAPSUS$ expired in 2014 and 2018, respectively, and are not EV. But they can still be used to sign malicious code that will be loaded into the kernel of older Windows systems, and to attempt to evade detection by certain security products.

Researcher Florian Roth has already found on VirusTotal two samples of cracking tools signed with one of the certificates: a copy of the Mimikatz password-dumping tool and a copy of the Kernel Driver Utility (KDU), which can be used for process hijacking. Researcher Mehmet Ergene found even more malicious files signed with the certificate, including a RAT (Remote Access Trojan) for Discord, and other malware abusing the legitimacy of the Nvidia certificates is likely to appear. Florian Roth and Mehmet Ergene published a YARA rule and a query for Microsoft Defender for Endpoint (MDE) that security teams can use to find files signed with these certificates in their environments. Microsoft also offers a Windows Defender Application Control policy to block malicious drivers, which can be customized by adding new rules, and an Attack Surface Reduction (ASR) rule in Microsoft Defender for Endpoint.
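As an added example (not the article’s own and not the rule or query published by Roth and Ergene), the PowerShell hunt below applies the same idea on a single Windows host: it lists signed PE files whose signer certificate serial is on a deny-list or whose Nvidia-issued signer certificate has already expired. The serial numbers are placeholders to be filled from the published advisories; the scan paths and the “NVIDIA” subject match are assumptions.

```powershell
# Hunt for PE files signed with the leaked (expired) Nvidia certificates.
# Added example; serials are PLACEHOLDERS, take them from the published advisories.
$LeakedSerials = @('<SERIAL-OF-LEAKED-CERT-1>', '<SERIAL-OF-LEAKED-CERT-2>')

# Assumed locations where drivers and dropped tools usually land; extend for your estate.
$ScanRoots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", "$env:TEMP")

$hits = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Include *.sys, *.dll, *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: not what this hunt is for

        # Two independent indicators: a known leaked serial, or an Nvidia signer whose
        # certificate validity period is already over (the article's 2014/2018 case).
        $serialMatch   = $LeakedSerials -contains $cert.SerialNumber
        $nvidiaExpired = ($cert.Subject -match 'NVIDIA') -and ($cert.NotAfter -lt (Get-Date))

        if ($serialMatch -or $nvidiaExpired) {
            [PSCustomObject]@{
                Path         = $_.FullName
                # Status alone is not a verdict: a timestamp countersignature keeps a
                # signature 'Valid' even after the signing certificate has expired.
                Status       = $sig.Status
                Subject      = $cert.Subject
                Serial       = $cert.SerialNumber
                NotAfter     = $cert.NotAfter
                Thumbprint   = $cert.Thumbprint
                LeakedSerial = $serialMatch
            }
        }
    }
}

$hits | Sort-Object NotAfter | Format-Table -AutoSize
```

A hit is a lead, not a conviction: a legitimately shipped old Nvidia driver will match the expired-signer test, so compare the file hash and path against vendor inventory before acting.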