At least two of Nvidia’s Windows code signing certificates have been compromised. As a result, bad actors could sign malicious code and infect Windows machines.
The attack is reportedly part of a larger effort by hackers to force Nvidia to remove cryptomining limits from its GPUs (Graphics Processing Units).
The attackers—who call themselves Lapsus$—stole 1TB of data including firmware, drivers, hardware schematics, email accounts and cryptographic hashes for more than 71,000 employees.
"We decided to help mining and gaming community," Lapsus$ said in choppy English (via ArsTechnica), harping on the removal of so-called LHR cryptomining limitations, which Nvidia announced last February.
"We want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder. If they remove the lhr we will forget about hw folder (it's a big folder). We both know lhr impact mining and gaming," demanded Lapsus$.
Bad guys already taking advantage of breach
A post on Twitter indicated that malicious binaries had already been signed with the stolen certificates and uploaded to VirusTotal to check whether antivirus scanners accepted them.
“Malicious actors can create, acquire, or steal code signing materials to sign their malware or tools,” said Pratik Savla, Senior Security Engineer at Venafi.
“Stolen code signing certificates can be used to bypass security policies that require signed code to execute on a system. They can also be used by malicious actors to mimic a legitimate company,” Savla added.
The Nvidia security breach isn’t unlike the one Opera suffered in 2013 and one that Adobe reported in 2012, Savla said, adding that it also indicates lateral movement, which is typical behavior once an attacker gains access to a network.
And Lapsus$, a new extortion group on the scene, may be just getting started. The group also leaked 190GB of confidential data they claim to be from Samsung Electronics. This comes about a week after the 1TB of data was stolen from Nvidia.
Expired certificates are ripe for abuse
Incidents like this shed light on the lack of security controls in the code signing process and problems that are unique to Windows.
Despite the fact that the certificates have expired and should no longer be recognized, “Windows still allows them to be used for driver signing purposes,” according to a March 3 tweet from Zoom engineer Bill Demirkapi.
“One of the main issues is that revocations or expirations of certificates are not checked or enforced by all security mechanisms present in Windows, including the one that checks if loaded drivers are signed,” Savla said.
“Unfortunately, Windows users cannot fully rely on inbuilt protections and to make matters worse, many even still use EOL (End-of-Life) Windows versions in their environment,” Savla added.
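Because the driver loader does not enforce certificate expiry, defenders have to check for it themselves. The following PowerShell script is an added example (not code from the article or from Venafi) that inventories the Authenticode signatures on installed driver files and flags those signed by an already-expired certificate without a timestamp countersignature. The driver directory, the function name and the empty thumbprint list are assumptions; the article names no certificate thumbprints, so that list is a placeholder to fill from your own intelligence source.

```powershell
# Added example, not from the article: report driver signatures whose
# signing certificate has expired or is on a locally maintained block list.

function Get-DriverSignatureReport {
    param(
        # Assumed default location of third-party kernel drivers.
        [string[]]$Path = @("$env:SystemRoot\System32\drivers"),
        # Placeholder: thumbprints you treat as compromised. The article
        # publishes none, so this list starts empty.
        [string[]]$BlockedThumbprint = @()
    )

    $now = Get-Date
    Get-ChildItem -Path $Path -Include *.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer      = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
                # Expired at the time of the check, whatever the loader accepted.
                Expired     = ($null -ne $cert -and $cert.NotAfter -lt $now)
                # A timestamp countersignature is the only legitimate reason a
                # signature from a now-expired certificate should still be trusted.
                TimeStamped = ($null -ne $sig.TimeStamperCertificate)
                Blocked     = ($null -ne $cert -and $BlockedThumbprint -contains $cert.Thumbprint)
            }
        }
}

# Usage: drivers signed with an expired certificate and no timestamp, which
# deserve a closer look, plus anything signed by a block-listed certificate.
Get-DriverSignatureReport |
    Where-Object { ($_.Expired -and -not $_.TimeStamped) -or $_.Blocked } |
    Format-Table File, Signer, NotAfter, Status, Blocked -AutoSize
```

The `Status` column comes from Windows' own chain validation, so it may still read `Valid` for an expired, timestamped certificate; the `Expired` and `TimeStamped` columns are what let you separate that normal case from a signature that only the lenient driver loader would accept.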
Venafi experts know how important it is to treat code signing as one of the most critical business assets.
"For years, we’ve been preaching to our customers that code signing keys are like master keys to a kingdom that has locks that can never be changed,” said Eddie Glenn, Sr Product Marketing Manager at Venafi.
Glenn offers these guidelines:
- Private code signing keys should never leave an encrypted secure location, even when they are being accessed for a code signing operation. If they are in an encrypted, secure location they cannot be stolen.
- Access to private keys should be not only controlled, but also monitored every time they are used. That is, an irrefutable log should be maintained for every code signing operation that occurs, logging who used it, what code signing tool was used, what software was signed, and which machine was used.
- Access for the most critical code signing keys should require at least one additional approver, if not multiple, before the key can even be accessed.
- Access to code signing keys should also be controlled by whitelisted parameters, such as computers, people, code signing tools or time of day, to help limit misuse.
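As an added illustration of the last three guidelines (not code from the article and not Venafi CodeSign Protect), the following PowerShell function gates a signing request on an allowlist of users, machines, tools and a time-of-day window, requires a minimum number of distinct approvers who are not the requester, and emits an audit record for every request whether or not it is allowed. The policy values, the request fields, the function name and the sample request are all constructed for the example.

```powershell
# Added example, not from the article: a policy gate in front of a code
# signing key. Every field and value below is constructed for illustration.

$SigningPolicy = @{
    # Whitelisted parameters (guideline 4).
    AllowedUsers      = @('build-svc', 'release-eng')
    AllowedMachines   = @('BUILD-01', 'BUILD-02')
    AllowedTools      = @('signtool.exe')
    # Local-time window, start inclusive, end exclusive (24h clock).
    WindowStartHour   = 8
    WindowEndHour     = 18
    # Distinct approvers required before the key may be used (guideline 3).
    RequiredApprovers = 2
}

function Test-CodeSignRequest {
    param(
        [Parameter(Mandatory)] [hashtable] $Request,
        [hashtable] $Policy = $SigningPolicy,
        [datetime]  $Now = (Get-Date)
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Policy.AllowedUsers    -notcontains $Request.User)    { $reasons.Add("user '$($Request.User)' not allowed") }
    if ($Policy.AllowedMachines -notcontains $Request.Machine) { $reasons.Add("machine '$($Request.Machine)' not allowed") }
    if ($Policy.AllowedTools    -notcontains $Request.Tool)    { $reasons.Add("tool '$($Request.Tool)' not allowed") }
    if ($Now.Hour -lt $Policy.WindowStartHour -or $Now.Hour -ge $Policy.WindowEndHour) {
        $reasons.Add("request at $($Now.ToString('HH:mm')) is outside the signing window")
    }

    # Approvers must be distinct and must not include the requester.
    $requester = $Request.User
    $approvers = @($Request.Approvers | Where-Object { $_ -and $_ -ne $requester } | Sort-Object -Unique)
    if ($approvers.Count -lt $Policy.RequiredApprovers) {
        $reasons.Add("$($approvers.Count) of $($Policy.RequiredApprovers) required approvals present")
    }

    # One audit record per request, allowed or denied, so the log of who
    # tried to use the key is complete (guideline 2).
    [pscustomobject]@{
        Timestamp = $Now.ToString('o')
        User      = $Request.User
        Machine   = $Request.Machine
        Tool      = $Request.Tool
        Artifact  = $Request.ArtifactHash
        Approvers = ($approvers -join ',')
        Allowed   = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample request: permitted user and machine, but an unexpected
# signing tool and only one approver besides the requester, so it is denied.
$sample = @{
    User         = 'build-svc'
    Machine      = 'BUILD-01'
    Tool         = 'osslsigncode'
    ArtifactHash = 'sha256:PLACEHOLDER'
    Approvers    = @('release-eng', 'build-svc')
}
$record = Test-CodeSignRequest -Request $sample -Now ([datetime]'2022-03-03T10:00:00')
$record | Format-List

# In practice the record goes to an append-only sink; here it is one JSON line.
$record | ConvertTo-Json -Compress | Add-Content -Path "$env:TEMP\codesign-audit.jsonl"
```

The gate only decides; the key itself should stay in the HSM or signing service that calls this check, which is what keeps guideline 1 intact even when a build host is compromised.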
Venafi CodeSign Protect provides the capabilities that help customers do the above without impacting their software developers (developer friction is usually the reason code signing keys are not secured to begin with).