A group of hackers who recently broke into systems belonging to Nvidia, the graphics chip manufacturer, has published two of the company's code-signing certificates. Researchers warn that the certificates can be used to sign kernel-level malware and load it on systems that enforce driver signature verification.
Nvidia confirmed last week that it had been the victim of an intrusion and said that customer information had not been compromised. Although the hackers made very unusual demands, threatening to disclose confidential corporate data if Nvidia does not unlock some of its most powerful video cards for cryptocurrency mining, ordinary users had nothing to worry about. Now we are witnessing one of the first consequences of the hack for end users: Nvidia GPU driver packages with malware hidden inside them.
Previously, attackers could post links disguised as drivers in the hope of installing viruses, Trojans and other unpleasant things on a user's PC, but now the situation is more worrying. The hackers stole official Nvidia code-signing certificates, the means by which users (and Microsoft) verify the authenticity of a downloaded driver or program before it is installed on a computer.
The certificates were part of a large pool of stolen files, 1 TB in size, that includes source code and API documentation for GPU drivers. Nvidia confirmed the theft and warned that the hackers had taken "employee passwords and some confidential Nvidia information," but did not confirm the size of the data leak.
The compromised certificates have expired but are still usable. Hackers are already using them to deliver remote access Trojans. Another case, in which a fake Windows driver was signed with the stolen certificates, has also been observed.
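Because the article's point is that a signature made with an expired, stolen certificate can still be accepted by driver signature verification, the practical question for a defender is which drivers on a machine carry such signatures. The script below is an added example, not code from the article or from Nvidia: it walks the drivers directory, reads each file's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and reports drivers whose signer certificate has already passed its NotAfter date, together with whether the signature carries a countersignature timestamp (a legitimately signed driver is normally timestamped before the certificate expires). The publisher filter, the drivers path and the output columns are assumptions for illustration; the certificate thumbprints themselves are not in the article, so none are hard-coded here.

```powershell
# Added example (not from the article): inventory kernel drivers whose
# Authenticode signer certificate has already expired, so an analyst can
# compare them against a list of known-good signed drivers.
# $PublisherPattern is an assumed filter; use '.*' to list every publisher.
param(
    [string]$DriverPath       = "$env:SystemRoot\System32\drivers",  # assumed location
    [string]$PublisherPattern = 'NVIDIA'                              # assumed filter
)

$now = Get-Date

$report = Get-ChildItem -Path $DriverPath -Filter '*.sys' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        # Unsigned or unparsable files have no signer certificate; they are
        # a separate finding and are skipped here.
        if ($null -eq $cert) { return }
        if ($cert.Subject -notmatch $PublisherPattern) { return }

        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status                    # Valid, NotTrusted, HashMismatch, ...
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint               # compare with your own allow/deny list
            NotAfter    = $cert.NotAfter
            Expired     = ($cert.NotAfter -lt $now)
            Timestamped = ($null -ne $sig.TimeStamperCertificate)
        }
    }

# Drivers signed with an already-expired certificate are the ones worth a
# second look; an expired signer with no timestamp is the most suspicious case.
$report |
    Where-Object { $_.Expired } |
    Sort-Object Timestamped, NotAfter |
    Format-Table File, Status, Subject, NotAfter, Timestamped, Thumbprint -AutoSize
```

Run it from an elevated PowerShell prompt so every driver file is readable. The output is an inventory, not a verdict: a driver signed with an expired certificate and a valid timestamp is the normal case for older hardware, so the rows to investigate are those whose thumbprint is unknown to you or whose signature has no timestamp at all. Once the thumbprints of the leaked certificates are known from a trusted source, the Thumbprint column is the field to match them against, and the same thumbprints can be used as deny rules in an application control policy.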