A threat group called LAPSUS$ claims to have stolen 1 TB of data from Nvidia, including the private key of a code-signing certificate. The threat actors released a torrent containing some of the data on February 28th. On March 1st, malware signed with the stolen certificate started showing up in the wild.
With the private key, an attacker can sign malware so that it carries a valid Nvidia signature and looks like a legitimate driver update. The certificate has already expired, but Windows, for backward compatibility reasons, still loads drivers signed with an expired certificate, so expiry alone does not stop the abuse. Samples signed with the stolen certificate have already been uploaded to public malware analysis sites, and Microsoft Defender and some other antivirus (AV) engines detect the shared samples.
Coretek is informing customers of the issue and recommending that they confirm antivirus is up to date and that a Windows Defender Application Control policy is in place to block drivers signed with the specific leaked Nvidia certificate. Coretek customers should reach out to their CSM if they have questions about their antivirus and security tools.
You should confirm that your antivirus is updated.
With Windows Defender Application Control (WDAC) on Windows 10 and 11, IT admins can use the WDAC Policy Wizard to create a policy that denies software signed with the leaked Nvidia certificate while still allowing the Nvidia-signed drivers the organization needs.
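The same deny rule can be built from PowerShell with the built-in ConfigCI cmdlets instead of the Policy Wizard. The script below is an added example, not Coretek's or Microsoft's code; it assumes you have a file you have confirmed is signed with the leaked certificate (a driver or a sample from your sandbox), an existing WDAC base policy XML that already contains your allow rules, and an elevated session on Windows 10/11. The `-SignedSample`, `-BasePolicyXml` and `-OutDir` parameters and the output file names are this example's own choices.

```powershell
# Added example, not Coretek's or Microsoft's code: build a WDAC policy that denies
# drivers signed with a leaked certificate, starting in audit mode.
# Assumptions (adjust for your environment):
#   -SignedSample   a file whose Authenticode signature was made with the leaked
#                   certificate (a confirmed driver or a sample from your sandbox)
#   -BasePolicyXml  your existing WDAC base policy XML, which already holds allow rules
# Run in an elevated PowerShell session on Windows 10/11 (ConfigCI module is built in).

param(
    [Parameter(Mandatory)][string]$SignedSample,
    [Parameter(Mandatory)][string]$BasePolicyXml,
    [string]$OutDir = "$env:TEMP\wdac-leaked-cert-deny"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Inspect the signer before blocking it. An expired NotAfter is expected here:
#    Windows keeps loading drivers signed with certificates that have since expired,
#    which is why checking the expiry date is not a defence and a deny rule is needed.
$sig = Get-AuthenticodeSignature -FilePath $SignedSample
if (-not $sig.SignerCertificate) {
    throw "$SignedSample has no Authenticode signature; nothing to key a rule on."
}
$leaf = $sig.SignerCertificate
Write-Host "Signer : $($leaf.Subject)"
Write-Host "Thumb  : $($leaf.Thumbprint)"
Write-Host "Expires: $($leaf.NotAfter)"
Write-Host "Status : $($sig.Status)"

# 2. Impact check: any installed driver signed with the same leaf certificate will
#    stop loading once the rule is enforced. List them so the owners can be warned.
#    (Catalog-signed drivers show as NotSigned here and are not affected by this rule.)
$collateral = Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" |
    Get-AuthenticodeSignature |
    Where-Object { $_.SignerCertificate -and
                   $_.SignerCertificate.Thumbprint -eq $leaf.Thumbprint }
if ($collateral) {
    Write-Warning "Installed drivers carrying the same certificate:"
    $collateral | ForEach-Object { Write-Warning "  $($_.Path)" }
}

# 3. Deny rule keyed on the leaf certificate, so only this certificate is blocked and
#    other Nvidia-signed drivers keep working. Use -Level Publisher instead if you
#    want to deny everything signed under the same issuer/publisher pair.
$denyRules = New-CIPolicyRule -Level LeafCertificate -DriverFilePath $SignedSample -Deny

# 4. Merge the deny rules into the base policy. WDAC applies deny rules before allow
#    rules, so the existing allow list stays intact and the block is added on top.
$mergedXml = Join-Path $OutDir 'BasePlusLeakedCertDeny.xml'
Merge-CIPolicy -OutputFilePath $mergedXml -PolicyPaths $BasePolicyXml -Rules $denyRules | Out-Null

# 5. Audit mode first (rule option 3): violations are logged under
#    Microsoft-Windows-CodeIntegrity/Operational rather than blocked. Remove the option
#    (Set-RuleOption -FilePath $mergedXml -Option 3 -Delete) once the log is clean.
Set-RuleOption -FilePath $mergedXml -Option 3

# 6. Compile to the binary form the kernel consumes. Deployment (citool, Intune,
#    Group Policy) depends on your environment and is not covered here.
$binary = Join-Path $OutDir 'BasePlusLeakedCertDeny.bin'
ConvertFrom-CIPolicy -XmlFilePath $mergedXml -BinaryFilePath $binary | Out-Null
Write-Host "Audit-mode policy written to $binary"
```

Run it as `.\New-LeakedCertDenyPolicy.ps1 -SignedSample C:\samples\signed.sys -BasePolicyXml C:\wdac\Base.xml` (script and paths are assumed names). The leaf-certificate rule is deliberate: a Publisher-level rule would also block legitimate Nvidia drivers signed under the same CA, while the leaf rule only blocks what was signed with the leaked certificate itself, including any older, legitimate Nvidia drivers that happened to use it, which is what step 2 surfaces before you enforce.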
If you are a Coretek customer, have any questions about Coretek remediation actions or your support agreements with Coretek, or are a visitor who would like more information, please get in touch here.