Nvidia Source Code and Certificates Leaked Online - ThreatWire
Added 2022-03-09 14:47:41 +0000 UTC. By Shannon Morse, ThreatWire
To follow up on last week’s story regarding Nvidia: the company has officially confirmed that data was stolen in the cyberattack it experienced back in February. On the 23rd, Nvidia stated publicly that it had detected a cybersecurity incident, but would not confirm whether data was stolen. While Nvidia was silent on the matter, a hacker group called Lapsus claimed to be the attackers and started leaking data publicly while presenting Nvidia with demands, including a request that Nvidia remove the LHR (Lite Hash Rate) limitations from its 30 series GPUs. The group threatened to leak proprietary information about Nvidia’s tools and products, along with employee credentials.
Lapsus did leak about 20 GB of data, claiming to hold 1 TB in total. So now we have confirmation, but more has happened since then.
Nvidia has confirmed that about 71,000 employees’ credentials were stolen. That includes email addresses and NTLM password hashes, many of which have already been cracked and are being spread. This database has been added to Have I Been Pwned as well.
As of March 3rd, Nvidia’s source code for its DLSS technology has also been leaked online. DLSS is Deep Learning Super Sampling, the rendering tech that increases graphics performance. Lapsus didn’t end there: the group has upgraded its demands and now wants Nvidia to also make its GPU drivers open source. If Nvidia doesn’t do so, Lapsus has threatened to leak all files for Nvidia’s silicon chipset - aka trade secrets. Nvidia has declined to comment on whether or not it will respond to these demands.
Lapsus also leaked two code signing certificates. These are used to produce the digital signatures on executables and drivers that tell the operating system and the user that a file comes from a legitimate, verified owner; the signature also reveals whether a file has been tampered with before you install it. The certificates Lapsus leaked are expired, but Windows still accepts them for simple signing of drivers, which means files signed with them will still load in the OS and appear to come from Nvidia. As a result, security researchers have started finding those stolen certificates being used to sign malware, RATs, backdoors, and tools such as Cobalt Strike beacons and Mimikatz.
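For defenders who want to check their own Windows hosts for binaries signed with the stolen certificates, the following PowerShell triage script is an added example and is not part of the ThreatWire story or any published researcher tooling. It assumes you fill in the leaked certificates’ serial numbers from a trusted source (the values below are placeholders) and flags any file whose signer matches that list, or whose signer is an expired Nvidia certificate that Windows nonetheless still reports as a valid signature.

```powershell
# Added example (not from the ThreatWire story). PLACEHOLDER serials below must be
# replaced with the serial numbers of the leaked Nvidia certificates as published by
# researchers; they are not real values.
$LeakedSerials = @(
    'PLACEHOLDER_SERIAL_1',
    'PLACEHOLDER_SERIAL_2'
)

function Get-SuspiciousSignatures {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $WatchSerials = $LeakedSerials
    )
    $now = Get-Date
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }            # unsigned file: nothing to compare against

            $reasons = @()
            if ($WatchSerials -contains $cert.SerialNumber) {
                $reasons += 'leaked-serial'        # exact match on a known stolen certificate
            }
            # The story's failure mode: an expired signer whose signature Windows still treats
            # as valid. Expired signers are common on legitimately timestamped drivers, so this
            # is a triage hint scoped to Nvidia subjects, not a verdict on its own.
            if ($cert.NotAfter -lt $now -and $cert.Subject -match 'NVIDIA' -and $sig.Status -eq 'Valid') {
                $reasons += 'expired-nvidia-signer-still-valid'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    File      = $_.FullName
                    Subject   = $cert.Subject
                    Serial    = $cert.SerialNumber
                    NotAfter  = $cert.NotAfter
                    Status    = $sig.Status
                    Timestamp = if ($sig.TimeStamperCertificate) { 'yes' } else { 'no' }
                    Reasons   = ($reasons -join ',')
                }
            }
        }
}

# Review the results by hand; a hit means "investigate", not "malicious".
Get-SuspiciousSignatures -Path 'C:\Windows\System32\drivers' | Format-Table -AutoSize
```

Run it against any directory where drivers or tools land (download folders, temp directories, third-party software paths) and correlate hits with the file’s hash and origin before acting.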
Microsoft will likely need to revoke those stolen certificates in Windows, but revocation may also block legitimate Nvidia drivers from being installed, so this is still an open problem. As of the time of recording, we haven’t seen additional leaks, but I highly doubt Lapsus is done. I’ll keep y’all updated whenever we see news surface on this story.
Nvidia Leaks:
https://thehackernews.com/2022/03/hackers-who-broke-into-nvidias-network.html
https://twitter.com/cyb3rops/status/1499514240008437762