NVIDIA breached, code signing certificates stolen

Home / Threat Intelligence bulletins / NVIDIA breached, code signing certificates stolen

Overview

GPU producer NVIDIA has been breached, with approximately 1TB of data stolen.
Breach advisory service, HaveIBeenPwned, says more than 70,000 employee records – including email addresses and password hashes – have been leaked.

The extortion group, Lapsus$, claim to have had access to NVIDIA’s servers for a week, gaining access to “schematics, drivers, firmware etc…” and “documentation, private tools and SDKs” with plans to leak or sell the data if demands are not met. Rather than asking for cash, the demand is that NVIDIA open source their drivers and remove a feature that limits the use of GPUs in crypto mining.

Unusually, the group also claim that they are victims and claim that NVIDIA connected to their file server and attempted to destroy the stolen data.

Impact

Malicious actors can sign malware with NVIDIA code signing certificates.

Vulnerability Detection

Researchers have published a yara rule on GitHub that can detect newly-created files signed with the old certificate.

Containment, Mitigations & Remediations

Advice from David Weston, director of enterprise and OS security at Microsoft, is to configure Windows Defender Application Control to limit what NVIDIA drivers can be loaded.

Indicators of Compromise

Stolen certificates use these serial numbers

43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518

Threat Landscape

This leak will be of particular interest to cheat developers, as signed NVIDIA drivers will usually be allow-listed by game security systems.

Mitre Methodologies

T1588.003 – Code Signing Certificates

Further Information

Malware now using NVIDIA’s stolen code signing certificates

Understand Windows Defender Application Control (WDAC) policy rules and file rules