Venafi warns of malware in Nvidia drivers


Misuse of code signing certificates

By Pratik Selva, Sr. Security Engineer at Venafi

The recent security breach at Nvidia, which involved certificate abuse, is eerily similar to those at Opera in 2013 and Adobe in 2012. If companies do not properly secure the process and infrastructure for managing code signing certificates, both the likelihood of abuse and the impact of a compromise are very high. The Nvidia incident also shows signs of lateral movement, which is to be expected as soon as an attacker gains a foothold in a network.

No rootkits were made public in this case, but such compromises can be carried out with rootkits such as DirtyMoe, which is used by several different APT groups. DirtyMoe uses a driver signed with a revoked certificate, and that driver can still be loaded into the Windows kernel without any problem.

This incident highlights the lack of security controls and enforcement around the code signing process, as well as around the infrastructure that supports it. One of the main problems is that revoked or expired certificates are not checked or enforced by all of the security mechanisms present in Windows, including the mechanism that checks whether loaded drivers are signed. As a result, Windows users cannot fully rely on the built-in protection mechanisms, and to make matters worse, many still run even more vulnerable EOL (end-of-life) versions of Windows.

Every company should consider these preventive measures:

  • The infrastructure that implements code signing should only perform code signing.
  • No additional, non-essential software should be installed on such an infrastructure. Any additional software should be considered as a potential attack vector that can be abused.
  • In the internal system classification of an organization, the code signing infrastructure should be classified with the status “critical”.
  • The code signing infrastructure should always be kept up to date and patched.
  • Any internal risk assessment should include the company’s code signing infrastructure.

When it comes to certificate verification, manual verification of the signing certificate is a recommended addition to the process, especially for executables that require elevated privileges.
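The driver-signing gap described above (expired or revoked signing certificates are not enforced when a driver is loaded) and the manual verification recommended here can be combined into a host-side audit. The following PowerShell script is an added example, not code from the article or from Venafi; it assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for the PKI module's Test-Certificate cmdlet), and it only reports, it does not unload anything.

```powershell
# Added example (not from the article): re-check the signing certificates of the
# drivers currently loaded on this host. Windows loads a driver even if its signing
# certificate has since expired or been revoked, so this runs each certificate
# through the standard chain engine (Test-Certificate checks revocation by default)
# and lists the drivers a human should look at.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths; turn them into Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    return $p
}

function Get-DriverSigningReport {
    $now = Get-Date
    Get-CimInstance -ClassName Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        $path    = Resolve-DriverPath $_.PathName
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $cert    = $sig.SignerCertificate
        $stamped = [bool]$sig.TimeStamperCertificate
        $expired = ($cert -ne $null) -and ($cert.NotAfter -lt $now)
        # Chain + revocation check. Only meaningful while the certificate is still
        # within its validity period; an expired certificate always fails it.
        $chainOk = $false
        if ($cert -and -not $expired) {
            $chainOk = Test-Certificate -Cert $cert -EKU $CodeSigningEku -WarningAction SilentlyContinue
        }
        [pscustomobject]@{
            Driver      = $_.Name
            Path        = $path
            SigStatus   = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
            Subject     = if ($cert) { $cert.Subject } else { '' }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            Timestamped = $stamped
            ChainValid  = $chainOk
            # Review when: signature itself is not valid; certificate is current but
            # fails chain/revocation; or certificate expired with no timestamp
            # countersignature (expired + timestamped is normal for older drivers).
            Review      = ($sig.Status -ne 'Valid') -or
                          (-not $expired -and -not $chainOk) -or
                          ($expired -and -not $stamped)
        }
      }
}

Get-DriverSigningReport | Where-Object Review |
    Format-Table Driver, SigStatus, Subject, NotAfter, Timestamped, ChainValid -AutoSize
```

On older PowerShell versions, inbox drivers that are signed only through a catalog file may show up as NotSigned; those rows are a false positive of this script rather than a finding, so confirm them with signtool or Get-AuthenticodeSignature on a current host before escalating.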
