Skip to main content
banner image
venafi logo

Ransomware Group Steals Nvidia Code Signing Certificates: How to Protect Yourself

Ransomware Group Steals Nvidia Code Signing Certificates: How to Protect Yourself

March 9, 2022 | Brooke Crothers

At least two of Nvidia’s Windows code signing certificates have been compromised. As a result, bad actors could sign malicious code and infect Windows machines.

Fast, easy, secure code signing for enterprises.

The attack is reportedly part of a larger effort by hackers to force Nvidia to remove cryptomining limits from its GPUs (Graphics Processing Units).

The attackers—who call themselves Lapsus$stole 1TB of data including firmware, drivers, hardware schematics, email accounts and cryptographic hashes for more than 71,000 employees.

"We decided to help mining and gaming community," Lapsus$ said in choppy English (via ArsTechnica), harping on the removal of so-called LHR cryptomining limitations, which Nvidia announced last February.

"We want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder. If they remove the lhr we will forget about hw folder (it's a big folder). We both know lhr impact mining and gaming," demanded Lapsus$.

Bad guys already taking advantage of breach

A post on Twitter indicated that malicious binaries had been signed with the stolen certificates and uploaded to VirusTotal to check if the antivirus scanners accepted it.

“Malicious actors can create, acquire, or steal code signing materials to sign their malware or tools,” said Pratik Savla, Senior Security Engineer at Venafi.

“Stolen code signing certificates can be used to bypass security policies that require signed code to execute on a system. They can also be used by malicious actors to mimic a legitimate company,” Savla added.

The Nvidia security breach isn’t unlike the one Opera suffered in 2013 and one that Adobe reported in 2012, Savla says, adding that it also indicates lateral movement, which is typical behavior once an attacker gains access to a network.

And Lapsus$, a new extortion group on the scene, may be just getting started. The group also leaked 190GB of confidential data they claim to be from Samsung Electronics. This comes about a week after the 1TB of data was stolen from Nvidia.

Expired certificates are ripe for abuse

Incidents like this shed light on the lack of security controls in the code signing process and problems that are unique to Windows.

Despite the fact that certificates have expired and should no longer be recognized, “Windows still allows them to be used for driver signing purposes,” according to this March 3 tweet from Zoom engineer Bill Demirkapi.

“One of the main issues is that revocations or expirations of certificates are not checked or enforced by all security mechanisms present in Windows, including the one that checks if loaded drivers are signed,” Savla said.

“Unfortunately, Windows users cannot fully rely on inbuilt protections and to make matters worse, many even still use EOL (End-of-Life) Windows versions in their environment,” Savla added.

Venafi experts know how important it is to treat code signing as one of the most critical business assets.

"For years, we’ve been preaching to our customers that code signing keys are like master keys to a kingdom that has locks that can never be changed,” said Eddie Glenn, Sr Product Marketing Manager at Venafi.

Glenn offers these guidelines:  

  • Private code signing keys should never leave an encrypted secure location, even when they are being accessed for a code signing operation. If they are in an encrypted, secure location they cannot be stolen
  • Access to private keys should be not only controlled, but also monitored every time they are used. That is, an irrefutable log should be maintained for every code signing operation that occurs, logging who used it, what code signing tool was used, what software was signed, computer machine used.
  • Access for the most critical code signing keys should require at least one additional approver, if not multiple, before it can even be accessed
  • Access to code signing keys should also be controlled by whitelisted parameters, such as computers/people/code signing tools/time of day/etc. to help limit misuse

Venafi CodeSign Protect provides the capabilities that helps customers do the above but without impacting their software developers (which is usually the reason why code signing keys are not secure to begin with).

Related Posts

Like this blog? We think you will love this.
Featured Blog

What Is the Difference Between a Public Key and a Private Key?

Symmetric and asymmetric encryption

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Brooke Crothers
Brooke Crothers
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more