Image: Getty Images/iStockphoto

No company is safe from being targeted by cybercriminals. Recently, it was Nvidia’s turn to be compromised, and the attackers leaked a lot of corporate information, including more than 70,000 employees’ credentials and two digital-signing certificates.

The ransom demand and the leak

On Friday, Feb, 28, the cybercriminal group “Lapsus$” announced via its Telegram channel that it had compromised Nvidia and stolen about 1TB of data — and it asked for a ransom you don’t see every day: It asked Nvidia to allow LHR again in all its firmware (Figure A).

Figure A

nvidia ransom
The ransom demand from the cybercriminals. Source: Telegram

LHR, which stands for Lite Hash Rate, is a new feature Nvidia introduced in its graphic cards to reduce the possibilities for those cards to do cryptocurrency mining. The goal of this feature is to stop people from buying those cards for cryptocurrency mining and have all the stock for gamers instead.

Lapsus$ released a first archive containing files, including 71,335 email addresses and associated NTLM hash passwords from Nvidia, which confirmed the leak and said that all its employees have been required to change their passwords.

Yet the leak did not contain just credentials, but also source code and more data, including two code-signing digital certificates.

SEE: AI-enabled future crimes ranked: Deepfakes, spearphishing, and more (TechRepublic)

What is a code-signing certificate and why is it so important?

A code-signing certificate allows a software developer or company to digitally sign executable files. Therefore, it guarantees that the code has not been altered or corrupted. This kind of digital signature is based on cryptographic hash to validate the authenticity and integrity of the data. It cannot be counterfeited.

But what happens if someone gets their hands on the code-signing certificate of a software company? The answer, in short, is frightening: Any executable file can be signed with that certificate, making it look fully legitimate to the operating system and its users. This way, a malware can hide in the system more efficiently, not triggering any alert when run.

Code-signing certificate theft — more common than you might think

Code-signing certificates are important assets that must be carefully protected. Yet the compromise of signing certificates is an old technique that’s been used in the past by several cybercriminals to sign their malware. A good example is the Stuxnet malware, which used two different stolen certificates for its different versions.

On the cyber espionage side of things, digital certificate theft for signing malware is also relatively common. Several threat actors have used this method in the past and still do. Signing of the Plead malware used in cyber espionage is one example, but there are more around.

Stealing digital signing certificates from software companies seems to be juicy enough for some threat actors who have shown the ability to quickly deploy malware signed with certificates from different legitimate companies.

SEE: Destructive “HermeticWiper” malware strikes Ukraine (TechRepublic)

Nvidia’s stolen signing certificates

In the case of Nvidia, it has been revealed publicly that at least two different certificates had leaked. Those certificates have expired (digital certificates are not forever; they have an expiration date), but they are still usable to sign files. The reason for this lies in Microsoft’s driver-signing policy, which states that the operating system will run drivers “signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.”

Shortly after the leak publication, executable files signed with those two digital certificates appeared on VirusTotal. While the first files submitted were probably just tests from researchers and geeks, some real malware was also found, like a Quasar RAT variant and a Ryuk ransomware variant.

It is possible for administrators to block those two certificates on their company’s systems, but it all depends on what software they are running.

The two leaked certificates are the following:

Name:  NVIDIA Corporation

Status:  This certificate or one of the certificates in the certificate chain is not time valid.

Issuer:  VeriSign Class 3 Code Signing 2010 CA

Valid From: 12:00 AM 09/02/2011

Valid To: 11:59 PM 09/01/2014

Valid Usage: Code Signing

Algorithm: sha1RSA

Thumbprint: 579AEC4489A2CA8A2A09DF5DC0323634BD8B16B7

Serial Number: 43 BB 43 7D 60 98 66 28 6D D8 39 E1 D0 03 09 F5

Name: NVIDIA Corporation

Status: This certificate or one of the certificates in the certificate chain is not time valid.

Issuer: VeriSign Class 3 Code Signing 2010 CA

Valid From: 12:00 AM 07/28/2015

Valid To: 11:59 PM 07/26/2018

Valid Usage: Code Signing

Algorithm: sha1RSA

Thumbprint: 30632EA310114105969D0BDA28FDCE267104754F

Serial Number: 14 78 1B C8 62 E8 DC 50 3A 55 93 46 F5 DC C5 18

What can be done against those certificates?

Users might use Windows Defender Application Control (WDAC) policies to control what Nvidia drivers can be loaded, but it is quite a tricky configuration process. Microsoft will probably provide user updates to revoke the stolen certificates, but it might be problematic, since some older legitimate Nvidia drivers are also signed with these certificates and might trigger errors.

What to do if data leaks from your company

Nvidia’s leak contains a lot of different types of data. The first step is of course to have all the users immediately change their password and add two-factor authentication (2FA), if not already deployed, as an additional security measure.

In the case of source code leak, one needs to urgently cut all access to the development platforms/servers so that a fraudster cannot abuse it, and check for the integrity of the servers.

If the code is leaked on GitHub or such a third-party entity, contact them to take it down as soon as possible.

Also, check and change all passwords, API keys and any kind of token that might be in use in the code. If a digital certificate leaks from your company, disable it as soon as possible.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.