Stolen NVIDIA certificates are used to sign malware; don't let that happen to you

21 Mar 2022 | Jindřich Zechmeister

You may have recently heard of the NVIDIA hack and the theft of a terabyte of data that was posted on the Internet. During the hack, a code signing certificate with the private key was also stolen, which fraudsters now use to sign malicious code and spread malware. In this article, you will learn how to prevent such a theft effectively and easily.

A stolen certificate is used to spread malware

A well-known hardware manufacturer, NVIDIA, was hacked by a group called Lapsus$, which released 1 TB of stolen data after its ransom demand failed. The leaked data itself does not directly harm other users, but unfortunately the haul also included the Code Signing certificate that NVIDIA used to sign its drivers and programs.

Whoever holds the certificate and its private key can sign any malicious code on behalf of NVIDIA, and the result looks as if it came from that manufacturer. This can cause considerable damage and widespread infection among victims. Even though the certificates had already expired, Windows trusted them: if the signature carries a timestamp from when the certificate was still valid, the certificate's expiry does not affect the signed application.

The digital signature on this malware increases the credibility of the code on the user's system and creates the impression that the application really comes from NVIDIA, because the signature authenticates exactly that. In this case, however, running the signed application infects your computer. Such abuse can be prevented effectively, as the next section explains. Signing code is useful not only as proof of origin, but also because no one can alter a signed application unnoticed: if someone tried to modify the application and insert malicious code, the digital signature would no longer validate. This is another way of protecting your customers.
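To make the two mechanics described above concrete (a signature that stops validating when the file changes, and a timestamped signature that outlives its certificate), here is an added Python model. It is constructed for this article and is not NVIDIA's, Microsoft's or SSLmarket's code; a toy RSA key built from two Mersenne primes stands in for the real signing key, a plain datetime stands in for the timestamp authority's countersignature, and the verifier applies the rule exactly as the article states it: a timestamped signature is judged against the certificate's validity at signing time, an untimestamped one against its validity now.

```python
"""Constructed model of Authenticode-style trust decisions.

Not NVIDIA's, Microsoft's or SSLmarket's code: a toy RSA key signs a file
hash, a simulated timestamp records the signing time, and a verifier decides
whether to trust the signature once the certificate has expired or the file
has been tampered with.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib

# Toy RSA key from two Mersenne primes (2^521-1 and 2^607-1) so the block runs
# offline with the standard library only.  Constructed for illustration; the
# modulus is large enough to hold a SHA-256 digest but is NOT a real key.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def sign(data: bytes) -> int:
    """Signer side: hash the file and sign the digest with the private key."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, D, N)


def signature_matches(data: bytes, signature: int) -> bool:
    """Verifier side: recover the digest with the public key and compare it
    with a fresh hash of the file.  Any change to the file breaks this."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, E, N) == digest


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SignedFile:
    data: bytes
    signature: int
    cert: Certificate
    timestamp: Optional[datetime]  # timestamp-authority countersignature, if any


def verify(signed: SignedFile, now: datetime) -> str:
    """Return a verdict string explaining whether the signature is trusted at `now`."""
    if not signature_matches(signed.data, signed.signature):
        return "untrusted: file contents do not match the signature"
    # Timestamped: the certificate must have been valid when the signature
    # was made.  Untimestamped: it must be valid right now.
    reference = signed.timestamp if signed.timestamp is not None else now
    if signed.cert.not_before <= reference <= signed.cert.not_after:
        return "trusted: signed by " + signed.cert.subject
    if signed.timestamp is None:
        return "untrusted: certificate expired and the signature has no timestamp"
    return "untrusted: certificate was not valid at the timestamped signing time"


def demo() -> dict:
    """Run the four cases the article's rule implies and return the verdicts."""
    utc = timezone.utc
    # Constructed certificate that expired years before the check is made.
    cert = Certificate("CN=Example Hardware Vendor (constructed)",
                       datetime(2011, 1, 1, tzinfo=utc),
                       datetime(2014, 1, 1, tzinfo=utc))
    driver = b"constructed driver image bytes"  # stands in for a real binary
    sig = sign(driver)
    now = datetime(2022, 3, 21, tzinfo=utc)
    in_validity = datetime(2013, 6, 1, tzinfo=utc)
    after_expiry = datetime(2022, 3, 1, tzinfo=utc)
    tampered = driver[:-1] + bytes([driver[-1] ^ 0x01])  # one bit flipped
    return {
        "timestamped_in_validity": verify(SignedFile(driver, sig, cert, in_validity), now),
        "no_timestamp": verify(SignedFile(driver, sig, cert, None), now),
        "tampered": verify(SignedFile(tampered, sig, cert, in_validity), now),
        "timestamped_after_expiry": verify(SignedFile(driver, sig, cert, after_expiry), now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} -> {verdict}")
```

The first case is the one the article describes: the certificate is long expired, yet the signature is trusted because its timestamp falls inside the validity window. The same rule makes the other three untrusted, and the tampered case shows why a signature also protects integrity, not just origin.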

The secure signing solution is a Code Signing EV certificate and the cloud

Code signing certificates must be properly secured; otherwise you gamble with your company's good name. A stolen certificate will almost certainly end up in the wrong hands and be misused to spread malware.

However, such an incident can be prevented: NVIDIA should have chosen the type of Code Signing certificate appropriate to its size and importance. We offer two secure signing solutions: the Code Signing EV certificate and the DigiCert ONE platform.

The Code Signing EV certificate is stored on a hardware token, which must be plugged into the PC before signing, and the token password (which unlocks the private key) must be entered at signing time. If the password is entered incorrectly repeatedly, the token locks and its contents are erased. An attacker cannot guess a sufficiently complex password in 5 attempts; unless you hand them the password on a silver platter (stuck to the monitor), there is no way to misuse the certificate on the token, and they would also need physical access to it.

DigiCert ONE is a modern platform that lets you sign in the cloud. You do not need to keep the certificate (and the private key) locally on your computer, which is more secure. We will cover this topic on the blog in the near future; if you want to learn more now, please feel free to contact our support.

Used to signing applications the traditional way? Don't be afraid to change that now!

For many years, attackers have been proving that signing applications with a locally stored certificate is not a secure process. If your Code Signing certificate sits in the certificate store, or even in a PFX file, change these habits immediately. With SSLmarket, you can easily achieve better security for signing applications. Just consult with us and we will help you with everything.

By protecting applications and code more securely, you not only protect your name, but especially your users! Once lost, trust is very difficult to regain. Consult with us and secure your applications today!

Source

  1. Bleepingcomputer: Malware now using NVIDIA's stolen code signing certificates

Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com