Nintendo-Power

Hacker group LAPSUS$ steals Nvidia code signing credentials to distribute malware.

Marrakesh, March 8 (Morocco-News) –

A group of hackers calling themselves LAPSUS$ has stolen the code signing certificates of Nvidia developers in order to gain access to computers and get malware downloaded onto them.

A code signing certificate is a digital certificate that identifies a company's developer, who uses it to sign executable files and drivers before distributing them to the public.

With this certificate, users can verify the origin, ownership and authenticity of a file. Knowing that it has not been tampered with by a third party, they can safely download it to their operating system.

Drivers that run in the Windows kernel, the core of the operating system, must be code signed; otherwise the operating system does not allow the file to be loaded.

This group of hackers therefore stole the code signing certificates so that malware could pass as safe files, allowing malicious drivers to be loaded on Windows, PC Gamer explained.

The certificate theft stems from a ransomware attack that Nvidia suffered a few days ago, as the company itself confirmed. The group had access to its servers for a week, obtained administrative permissions, and extracted at least 1 TB of data.

Following the theft, LAPSUS$ threatened to publish Nvidia's software and firmware data unless the company removed the mining performance limit on its RTX 30-Series GPUs.

Since Nvidia did not give in to these threats, the attackers leaked the code signing certificates, 71,000 employee IDs, the company's DLSS source code and the names of some next-generation GeForce GPUs.

According to TechPowerUp, these certificates are now being used to create new malware that appears safe to Windows computers.

In fact, some of the leaked code signing certificates expired in 2014 and 2018. However, Windows still accepts them as valid for signing drivers and downloadable files.

Among the malicious files detected by antivirus vendors is a variant of Quasar, a remote access Trojan (RAT), that appears to be signed with Nvidia certificates.

This Trojan runs in the background and gives attackers remote access to a computer, letting them manipulate it and steal encrypted data.

Other stolen certificates have been used to sign malware such as Cobalt Strike, a penetration testing tool, and the open source utility Mimikatz, according to Bleeping Computer.

Meanwhile, security researchers Kevin Beaumont and Will Dormann have recovered the serial numbers of two certificates stolen by the cybercriminals, namely 43BB437D609866286DDD839E1D00309F5 and 14781bc862e8dc543a55593546f.

Both codes belong to expired Nvidia signing certificates. Because Windows still recognizes them as valid, attackers can use them to bypass system security.

To prevent this malware from getting onto Windows, David Weston, Microsoft’s Vice President and Director of Enterprise Security and Operating Systems, advised administrators to configure Windows Defender Application Control policies.

“You must create a policy with the guide and include a deny rule [for these codes], or approve specific versions of Nvidia if needed,” he said via Twitter.
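Before writing a deny rule, an administrator needs to know which files on a host are signed by the affected certificates. The following PowerShell inventory is an added example, not code from the article or from Microsoft; the default path and the helper name `ConvertTo-NormalizedSerial` are assumptions, and the serial numbers must be supplied by the reader from a trusted advisory.

```powershell
# Added example (not from the article): list signed binaries whose leaf
# certificate serial is on a deny list, or whose signer certificate has
# expired and carries no timestamp countersignature.
param(
    # Assumption: the driver store is the directory of interest.
    [string] $Path = "$env:SystemRoot\System32\drivers",
    # Serial numbers of the leaked certificates, taken from a trusted advisory.
    [Parameter(Mandatory)] [string[]] $DenySerial
)

function ConvertTo-NormalizedSerial([string] $Serial) {
    # Compare serials case-insensitively, ignoring spaces, colons and leading zeros.
    ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant().TrimStart('0')
}

$deny = $DenySerial | ForEach-Object { ConvertTo-NormalizedSerial $_ } | Where-Object { $_ }

Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }   # no signer certificate found: skip this file
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status
            Subject     = $cert.Subject
            Serial      = $cert.SerialNumber
            NotAfter    = $cert.NotAfter
            CertExpired = $cert.NotAfter -lt (Get-Date)
            Timestamped = [bool] $sig.TimeStamperCertificate
            OnDenyList  = $deny -contains (ConvertTo-NormalizedSerial $cert.SerialNumber)
        }
    } |
    # Keep deny-list hits, plus expired signers that lack a timestamp.
    Where-Object { $_.OnDenyList -or ($_.CertExpired -and -not $_.Timestamped) } |
    Sort-Object OnDenyList -Descending |
    Format-Table -AutoSize -Wrap
```

Files reported with `OnDenyList` set are the ones a deny rule would block, so legitimate Nvidia drivers in that list are the candidates for a version-specific approval.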

Recall that this weekend the same group of cybercriminals claimed to have stolen Samsung’s internal information: more precisely, 190 GB of data, which it shared through a Telegram channel.

According to these cybercriminals, the leak includes information about biometric authentication systems and about the ability to bypass security settings on the Korean company's phones.

For its part, Samsung has confirmed the unauthorized access to its systems, which exposed the company’s internal information, including the source code for Galaxy phones. It also promised to strengthen the security measures already in place to prevent this from happening again.