Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Stolen Nvidia Certificates Used To Hide Malware in Driver Downloads (pcworld.com) 32

Last week Nvidia confirmed that it had been the victim of an internal hack, though it claimed no customer information was compromised. Now we're seeing one of the first effects of the hack on end-users: Nvidia GPU driver packages with malware hidden inside. PCWorld: While it was always possible for malefactors to host links pretending to be drivers in the hopes of installing viruses, trojans, and other nasty stuff on a user's PC, this situation is more concerning. The hackers appear to have leaked Nvidia's official code signing certificates, a means by which users (and Microsoft) can verify that a downloaded program comes from the publisher it says it's from. That's allowing files containing a host of popular malware suites to be posted and downloaded, bypassing Windows Defender's built-in executable verification and slipping past anti-virus software. BleepingComputer reports that two now-expired (but still usable) verification codes have been compromised and used to deliver remote access trojans. Another example, using the Nvidia verification to sign a fake Windows driver, was also spotted.
This discussion has been archived. No new comments can be posted.

Stolen Nvidia Certificates Used To Hide Malware in Driver Downloads

Comments Filter:
  • If you download your drivers from some random email, you get what you deserve. Only install drivers from your OS' repository or direct download from the maker of your device.
    • by La Gris ( 531858 )

      If you download your drivers from some random email, you get what you deserve. Only install drivers from your OS' repository or direct download from the maker of your device.

      I'd caution direct download from the maker of your device when said maker has been compromised. How long has Nvidia been compromised before they noticed? Did code silent slept-in with backdoors? Were the silicion chips compromised at fab level?

    • Comment removed based on user account deletion
      • ssl will complain loudly in any modern browser if you try to use expired certs though. The browser ssl mechanism is very familiar to users and exceptionally well-supported and maintained (since it's the keystone of everything), both of which matter a lot.
      • by bws111 ( 1216812 )

        Certificates are public, they can't be 'leaked'. What could be leaked, if you have poor security processes, are the private keys. And if you manage to leak not only the private key for your signing server, but also the private key to your web server, you have some really poor security.

      • While it might be technically possible to take over the manufacturer's website and embed your malware in their downloads, or compromise Microsoft to put them in Windows online driver repo, or compromise Google to make your malware site a top result instead of an ad, that's not a scenario likely to play out in the real world and 99.9999% of infections from this will be from poor security practices. Probably more 9s but Slashdot's lame lameness filter only allowed 4.
  • by Ol Olsoc ( 1175323 ) on Wednesday March 09, 2022 @05:34PM (#62341947)
    Drivers are one of the biggest malware delivery systems out there. And have been for years.
  • These should never have been on a network connected computer in the clear. You always air gap or use a dedicated hardware signing device to store your signing keys. That's why most of the time you have to schedule signing of your driver/cert/code so that the people who have access to your keys can get together and authorize the signing. How bad was Nvidia's security?
    • Let me correct your post, it was out of order...:

      How bad was Nvidia's security?

      These should never have been on a network connected computer in the clear. You always air gap or use a dedicated hardware signing device to store your signing keys. That's why most of the time you have to schedule signing of your driver/cert/code so that the people who have access to your keys can get together and authorize the signing.

    • "Air gap" machines cannot serve web traffic, nor can they sign and publish software. Storing the private keys only on an airgapped repository makes the keys of no practical use to the owner.

      • You don't sign every copy as it's downloaded. You sign the single copy of the executable you're distributing. Yes that means transferring a file back and forth between an air gap, but it's much, much harder to compromise it by getting the offline system infected. Dev group puts it on a USB drive, plugs it into the computer with the signing key, signs it, copies the file from the USB drive to the web server.
        • In decades of work, I've never seen a commercial or open source company require that kind of air gap for build services. Dev groups aren't generally willing to put up with that, and try to fire the person who insists they go through that kind of extra work.

          • by bws111 ( 1216812 )

            Here is what our process is:

            1) Dev does a build, and generates hashes of all things to be signed
            2) QC does testing, verifying that the hashes of what they are testing match the build
            3) After sign-off, two security officers take the files to be signed to the air-gapped signing server
            4) Both security officers verify the hashes
            5) Both security officers insert their smart cards into the signing server (log on to HSM)
            6) HSM generates signatures
            7) Signatures are applied to files

            I guess in your 'decades of work' y

  • These hackers are boring and lame. They never got control of NVidia's servers that send out updates via GeForce Experience, so most of their efforts are absolutely moot. They're just a bunch of amateur losers.

  • by bustinbrains ( 6800166 ) on Wednesday March 09, 2022 @06:40PM (#62342179)

    All of the EV code signing certificate providers out there *require* the use of a cryptographic USB key/dongle or a HSM whereby accessing the private key for a certificate is impossible. Looks like Nvidia violated the terms of use of their EV code signing certs and thus breached their contract. Whoever manages their certificate issuance program (DigiCert?) should immediately revoke every one of Nvidia's code signing certs and then double down on not reissuing them until they pass an expensive and strict audit annually from here on out and also all certificate providers should blacklist Nvidia globally.

    • Mod up. The circle of trust was broken, and the guilty/responsible party is not saying how. Never mind the fact that graphics chips have DMA access to the crown jewels, and the quality of drivers remains shithouse. AV software, for now must pander to MS's wishes.
  • If a certificate is known to be comprised, isn't that why they are added to a revocation list, so they can no longer be used?

There is very little future in being right when your boss is wrong.

Working...