When the LAPSUS$ ransomware group broke into the network of Nvidia, the data they stole included two code signing certificates which are now being used to sign malware to help it bypass security defences.

In order to prove that an application or driver is genuine and really does come from the named developer, a digital certificate is used to sign the code.  This digital signature is validated by the operating system before allowing the app to run or the driver to be loaded.  On Microsoft Windows systems, the Secure Boot technology is designed to protect the system from loading drivers that do not have a valid digital signature.

Unlike the TLS certificates that protect HTTPS traffic on web servers, the certificates used to validate signed applications cannot necessarily be checked in real time as the computer may not be online when the application or driver is first run.  As a result, code-signing is considered valid as long as the digital certificate was valid and not expired on the date the digital certificate was used to sign the code – even if that was many years ago and the certificate has since expired.  A timestamp is included to record when the digital signature was created. As a result, the certificates stolen from Nvidia should not be useful to cyber criminals because both of them are expired and should not be valid for creating new signatures.  However, there is an exception in the Secure Boot system which allows for certificates created before 29 July 2015 to be used to sign code without including a timestamp – and this includes both of the expired Nvidia certificates.

This means the digital signatures are considered valid by Windows today.  As a result, currently the only defences against malware signed with the stolen Nvidia certs is to use anti-malware software that can recognise the specific malware strains as they are discovered or Windows Defender Application Control can also be used to block and allow specific drivers.