Leaked stolen Nvidia key can sign Windows malware

70k staff email addresses and NTLM password hashes also dumped online


The private key of an Nvidia code-signing certificate was among the mountain of files stolen and leaked online by criminals who ransacked the GPU giant's internal systems.

At least two binaries not developed by Nvidia, but signed this week with its stolen key, making them appear to be Nvidia programs, have appeared in malware sample database VirusTotal.

This leak means sysadmins should take steps, or review their security policies and defenses, to ensure code recently signed by the rogue cert is detected and blocked as it is most likely going to be malicious. This can be done through Windows configuration, network filtering rules, or whatever you use to police your organization.

Computer security bod Bill Demirkapi – who we've featured before on these pages – tweeted a warning about the certificate key potentially being used to sign Windows kernel-level driver files:

In later tweets he added that Windows will accept drivers signed with certificates issued prior to July 29, 2015 without a timestamp. Microsoft's Windows driver signing policy corroborates this, stating the operating system will run drivers "signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA".

The leaked Nvidia certificate key is just such a creature, having expired in 2014. Code signed with this key will, in the right conditions, be accepted by Windows even though the key has expired. Another Nvidia cert was leaked though expired after the cut-off date.

We asked Microsoft what steps would it be willing to take to ensure Windows blocks all code signed by the 2014 cert since its leak. A spokesperson told us: "We are looking into these new claims and we will do what is necessary to keep our customers protected."

Infosec bod Kevin Beaumont spotted some folks have been signing their own driver code with Nvidia's private 2014 key and uploading it to VirusTotal to check if antivirus scanners accepted it. He posted on Twitter:

The move to allow such drivers was a backwards compatibility effort (per an MSDN post from 2015, introducing Windows 10 build 1607) to prevent a then-new Windows 10 feature from causing problems with previously unsigned drivers.

We note that a good number of antivirus scanners, tested by VirusTotal on uploaded samples, are now seemingly catching code signed by the rogue Nvidia certificate, so it may be that your AV engine will automatically block it.

The crooks who compromised Nvidia's internal systems to steal and leak the certificate key – among many other files, including credentials, secret source code, and documentation – call themselves Lapsus$, and are seemingly trying to blackmail Nvidia into removing cryptomining limit from its GPU firmware. Last year, for its RTX 30-series graphics cards, Nvidia introduced a technology into their drivers called Lite Hash Rate, or LHR for short.

LHR cripples cryptocurrency mining. By nerfing the cards' cryptomining performance, Nvidia hoped to make its graphical processing units less attractive to miners, leaving more hardware available to gamers, in theory, and others who actually want graphics performance rather than pure hash rates.

Lapsus$, according to the group's Telegram page, are threatening Nvidia with the public release of more internal materials and details of chip blueprints unless the company promises to remove LHR. It seems wholly implausible that Nvidia would give in to such blackmail. The gang also wants Nvidia to open-source its drivers for Macs, Linux, and Windows PCs.

According to Have I Been Pwned, within the leaked data are "over 70,000 employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community."

In a statement Nvidia previously said: "We are aware that the threat actor took employee passwords and some Nvidia proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information." It is maintaining an incident response page here. ®


Other stories you might like

  • Monero-mining botnet targets Windows, Linux web servers
    Sysrv-K malware infects unpatched tin, Microsoft warns

    The latest variant of the Sysrv botnet malware is menacing Windows and Linux systems with an expanded list of vulnerabilities to exploit, according to Microsoft.

    The strain, which Microsoft's Security Intelligence team calls Sysrv-K, scans the internet for web servers that have security holes, such as path traversal, remote file disclosure, and arbitrary file download bugs, that can be exploited to infect the machines.

    The vulnerabilities, all of which have patches available, include flaws in WordPress plugins such as the recently uncovered remote code execution hole in the Spring Cloud Gateway software tracked as CVE-2022-22947 that Uncle Sam's CISA warned of this week.

    Continue reading
  • Red Hat Kubernetes security report finds people are the problem
    Puny human brains baffled by K8s complexity, leading to blunder fears

    Kubernetes, despite being widely regarded as an important technology by IT leaders, continues to pose problems for those deploying it. And the problem, apparently, is us.

    The open source container orchestration software, being used or evaluated by 96 per cent of organizations surveyed [PDF] last year by the Cloud Native Computing Foundation, has a reputation for complexity.

    Witness the sarcasm: "Kubernetes is so easy to use that a company devoted solely to troubleshooting issues with it has raised $67 million," quipped Corey Quinn, chief cloud economist at IT consultancy The Duckbill Group, in a Twitter post on Monday referencing investment in a startup called Komodor. And the consequences of the software's complication can be seen in the difficulties reported by those using it.

    Continue reading
  • Infosys skips government meeting – and collecting government taxes
    Tax portal wobbles, again

    Services giant Infosys has had a difficult week, with one of its flagship projects wobbling and India's government continuing to pressure it over labor practices.

    The wobbly projext is India's portal for filing Goods and Services Tax returns. According to India's Central Board of Indirect Taxes and Customs (CBIC), the IT services giant reported a "technical glitch" that meant auto-populated forms weren't ready for taxpayers. The company was directed to fix it and CBIC was faced with extending due dates for tax payments.

    Continue reading
  • Google keeps legacy G Suite alive and free for personal use
    Phew!

    Google has quietly dropped its demand that users of its free G Suite legacy edition cough up to continue enjoying custom email domains and cloudy productivity tools.

    This story starts in 2006 with the launch of “Google Apps for Your Domain”, a bundle of services that included email, a calendar, Google Talk, and a website building tool. Beta users were offered the service at no cost, complete with the ability to use a custom domain if users let Google handle their MX record.

    The service evolved over the years and added more services, and in 2020 Google rebranded its online productivity offering as “Workspace”. Beta users got most of the updated offerings at no cost.

    Continue reading
  • GNU Compiler Collection adds support for China's LoongArch CPU family
    MIPS...ish is on the march in the Middle Kingdom

    Version 12.1 of the GNU Compiler Collection (GCC) was released this month, and among its many changes is support for China's LoongArch processor architecture.

    The announcement of the release is here; the LoongArch port was accepted as recently as March.

    China's Academy of Sciences developed a family of MIPS-compatible microprocessors in the early 2000s. In 2010 the tech was spun out into a company callled Loongson Technology which today markets silicon under the brand "Godson". The company bills itself as working to develop technology that secures China and underpins its ability to innovate, a reflection of Beijing's believe that home-grown CPU architectures are critical to the nation's future.

    Continue reading

Biting the hand that feeds IT © 1998–2022