Nvidia recently lost control of a number of certificates that are used by their developers to sign code. A disturbing aspect of this is the potential for threat actors to sign malicious code within seemingly valid driver packages.
In February, Video GPU manufacturing giant, Nvidia experienced an attack early February, where 1TB of data was exfiltrated. The content included IP, Schematics, Firmware, and perhaps most concerning, Digital Certificates. Even though these certificates expired in 2014 and 2018, Windows still allows authorised installation of driver packages signed with these certificates. Threat actors can therefore utilise the stolen certificates to make malicious programs appear to be official Nvidia downloads.
This means that Windows Defender’s executable verification routine will be bypassed, and malicious software may slip through anti-virus software. Examples of Remote Access Trojans, Cobalt Strike Beacon, and Mimikatz, have been identified in the last seven days. Once downloaded, and accepted as valid, these applications can be opened, and malicious software inadvertently installed.
What can we do?
The digitally signed applications with malicious content are generally spread through Google via fake driver download sites. Therefore, the easiest form of protection is to download the official driver directly from the Nvidia driver download page. Avoid downloading drivers (well, any software actually,) from suspicious websites. Expect a security patch from Microsoft in the very near future that will revoke these certificates.
Windows software protocols allow developers and distributors to use X.509 code-signing certificates to digitally sign software they produce. The digital signature uses the certificate to verify the origin of the signature in the following process.
- The certificate is obtained from a Certificate Authority (CA) which verifies the validity of the certificate.
- The CA obtains unique identifying information form the software publisher.
- The information is verified by the CA and then the certificate is issued.
- The certificate includes a public key and a private key, known as a key pair.
- To embed a signature in a file, or to sign the catalogue file of a driver package, first a cryptographic hash is generated. Cryptographic hashes are unique thumbprints of the file which verify the integrity of the file contents. If the file contents change at all, then the hash will change as well.
- The signing process encrypts this unique hash value with the certificate’s private key.
- The process adds information regarding the CA and the software publisher.
- Windows then extract the CA and publisher information and decrypts the hash with the public key.
- The download is the re-hashed, and the values are compared.
In an ideal world, the hashes will match, validating the files, and the CA / publisher information will be validated, authenticating the download.
However, if the file has been signed with stolen credentials, then the malicious data will seem to be valid and trustworthy.
Hashes and hashing
We will briefly look at MD5 hashing techniques. If we have a quick look at the legacy Linux driver downloads available on the Nvidia website, we can see a set of MD5 Sum values. MD5 hash values are always the same number of HEX characters, regardless of the size of the content. Each MD5 sum hash value is unique for each file, with a few exceptions known as ‘collisions’.
Instead of downloading a large driver file, use notepad to create a file with three characters ‘abc’ and save. (In this example I saved the file as abc.txt.)
Use the command (in the Windows command utility): “certutil -hashfile abc.txt MD5” and the output will be 900150983cd24fb0d6963f7d28e17f72. You will need to navigate to the directory where you saved your ‘abc.txt’.
MD5sum has been deprecated, SHA-1 and SHA-256 are the cryptographic standards at the moment.
The command line call to check SHA-1 is “certutil -hashfile abc.txt SHA1” and to check SHA-256: “certutil -hashfile abc.txt SHA256” The output will be a9993e36 4706816a ba3e2571 7850c26c 9cd0d89d (SHA1) and BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD (SHA256)
Generating hash values and comparing the results to the expected output is good practice, before installing any downloaded software.
Too much information?
Forming a partnership with a Managed Security Provider (MSP)is the best way to effectively mitigate threats such as this. Thanks to security research, information such as the stolen certificate serial numbers have been added to Operational Threat Intelligence reports. This information will now disseminate to Anti-Virus and other download filters. This information transfer is transparent, happening in the background, at all times.
FYI the serial numbers are:
- Perform a risk assessment
- Implement and test your backup recovery plan
- Enable MFA whenever possible
Take care, stay safe.
PhD, MISDF (1st Class), MBA
Senior Cyber Security Engineer