Hackers using stolen Nvidia certificates to sign malware

The recent breach of Nvidia's corporate network has resulted in the posting of valid software certificates that are now being used to spread malware in the wild.

Hackers who breached the network of graphics card giant Nvidia leaked a cache of pilfered data that includes valid code-signing certificates, which are currently being abused in the wild.

Multiple security researchers reported that they have collected samples of suspicious software payloads that use at least two of Nvidia's digital certificates. In a tweet Friday, threat analyst Mehmet Ergene observed several malicious files being signed with one of the Nvidia certificates.

The certificates were apparently part of a recent data payload that was released by criminal hackers associated with the Lapsus$ ransomware crew. The group said it had broken into Nvidia's corporate network and obtained a massive cache of internal data.

While one of the security certificates is not recent, reportedly dating back to 2014, it remains valid for Windows systems. This means attackers can use the certificate to make their malware payloads appear to be valid software updates from the GPU giant.

Nvidia did not respond to a request for comment on the release of the certificates.

Researchers have posted Yara rules that administrators can use to detect and block the malicious downloads, but many end users could still be vulnerable to being served malware payloads they believe to be Nvidia graphics card firmware and software updates.

Nvidia has maintained that the network breach did not result in any disruption to its day-to-day business and does not anticipate that to change.

"On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources," Nvidia said in a statement earlier this week. "Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement."

Meanwhile, the Lapsus$ hackers threatened to release more of the data they stole from Nvidia, including technical details about planned GPU designs and upcoming graphics card platforms. Central to the group's demands is that Nvidia make its graphics card drivers available as open source projects -- something that would better allow developers to optimize the hardware and add new capabilities.

In particular, the hacking crew wants Nvidia to remove its Lite Hash Rate (LHR) restrictions that throttle the ability of GPUs to perform the equations needed to mine cryptocurrencies. Nvidia instituted LHR as a way to lower mining purchases of graphics cards intended for the gaming market, which created a massive product shortage.

Dig Deeper on Threats and vulnerabilities