GPU producer NVIDIA has been breached, with approximately 1TB of data stolen.
The breach notification service HaveIBeenPwned says more than 70,000 employee records, including email addresses and password hashes, have been leaked.
The extortion group Lapsus$ claims to have had access to NVIDIA’s servers for a week, gaining access to “schematics, drivers, firmware etc…” and “documentation, private tools and SDKs”, and threatens to leak or sell the data if its demands are not met. Rather than asking for cash, the group demands that NVIDIA open source its drivers and remove the feature that limits the use of its GPUs for crypto mining.
Unusually, the group also claims to be a victim itself, alleging that NVIDIA connected to its file server and attempted to destroy the stolen data.
Malicious actors can sign malware with the leaked NVIDIA code signing certificates, and Windows will treat such binaries as NVIDIA-signed.
Researchers have published a YARA rule on GitHub that can detect newly-created files signed with the old certificate.
Containment, Mitigations & Remediations
Advice from David Weston, director of enterprise and OS security at Microsoft, is to configure Windows Defender Application Control (WDAC) to restrict which NVIDIA drivers can be loaded.
Indicators of Compromise
Stolen certificates use these serial numbers
This leak will be of particular interest to cheat developers, as signed NVIDIA drivers will usually be allow-listed by game security systems.
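As an added example (not part of the original advisory or any NVIDIA or Microsoft tooling), the PowerShell hunt below lists files whose Authenticode signer certificate matches a deny-list of leaked serial numbers and flags those created after the certificate expired or after the leak, which is the same signal the YARA rule targets. The serial numbers and the leak date in the script are placeholders and assumptions; replace them with the serials from the Indicators of Compromise section.

```powershell
# Added example, not from the advisory. PLACEHOLDER serials: substitute the serials
# listed under Indicators of Compromise. Serials are normalised to bare upper-case hex
# so that "AB:CD", "ab cd" and "ABCD" all compare equal.
$LeakedSerials = @(
    'PLACEHOLDER_SERIAL_1',
    'PLACEHOLDER_SERIAL_2'
) | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

function Find-LeakedCertSignedFiles {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: reference date for "newly created"; adjust to the advisory's timeline.
        [datetime] $LeakDate = (Get-Date '2022-02-23')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }   # unsigned file: nothing to compare against
        $serial = ($cert.SerialNumber -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($LeakedSerials -notcontains $serial) { return }

        # Signed with a leaked certificate. Genuine pre-leak NVIDIA binaries will also
        # match, so separate them from files that appeared after the certificate expired
        # or after the leak. Creation time is attacker-controllable, so this is a triage
        # heuristic, not proof.
        $createdAfterExpiry = $file.CreationTimeUtc -gt $cert.NotAfter.ToUniversalTime()
        $createdAfterLeak   = $file.CreationTimeUtc -gt $LeakDate.ToUniversalTime()
        [pscustomobject]@{
            File                 = $file.FullName
            Serial               = $serial
            Subject              = $cert.Subject
            SignatureStatus      = $sig.Status      # Valid, HashMismatch, UnknownError, ...
            CertExpired          = $cert.NotAfter -lt (Get-Date)
            CreatedAfterLeak     = $createdAfterLeak
            CreatedAfterExpiry   = $createdAfterExpiry
            Suspicious           = $createdAfterLeak -or $createdAfterExpiry
        }
    }
}

# Usage: review anything flagged Suspicious, then deny the certificate in WDAC policy.
Find-LeakedCertSignedFiles -Path 'C:\Windows\System32\drivers' |
    Where-Object Suspicious | Format-Table -AutoSize
```

Run it against driver and program directories on a sample of hosts first; a hit on a legitimately old NVIDIA driver is expected and only the Suspicious rows need follow-up.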
MITRE ATT&CK: T1588.003 – Obtain Capabilities: Code Signing Certificates