How to Mitigate Risk from the Abused Stolen Nvidia Code-Signing Certificate

Mar 11, 2022

A threat group called LAPSUS$ claims to have stolen 1 TB of data from Nvidia, including the private key for a code-signing certificate Nvidia used to sign its software. The threat actors released a torrent containing some of the data on February 28th. On March 1st, malware signed with the stolen key started showing up in the wild.

Threat Summary 

With the stolen private key, an attacker can sign arbitrary code, including kernel drivers, so that it carries Nvidia's legitimate code-signing certificate and appears to be an official Nvidia driver or update. The leaked certificate had already expired, but Windows, for backward-compatibility reasons, still accepts driver signatures made with expired certificates, so the expiry alone provides no protection. Signed malware has already been seen in the wild and uploaded to public malware analysis services. Microsoft Defender and some other antivirus (AV) engines detect the shared samples, but AV detection covers only the samples already seen; new files signed with the same key are not automatically caught, which is why blocking the certificate itself matters.

What Coretek is Doing for Customers

Coretek is informing customers of the issue and providing recommendations to confirm that antivirus definitions are up to date and that a Windows Defender Application Control (WDAC) policy is in place to block drivers signed with the leaked Nvidia certificate. Coretek customers should reach out to their CSM if they have questions about their antivirus and security tools.

Coretek Recommendations

Confirm that Antivirus has the latest malware definitions

Confirm that your antivirus engine and definitions are current on every endpoint, since the known malicious samples are detected by definition updates, not by the signing certificate itself.
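One way to check definition currency on a Microsoft Defender host, as an added example that is not part of the original post or Coretek's tooling. It uses the built-in Defender PowerShell module; the 24-hour staleness threshold is an assumed value, not one the post specifies.

```powershell
# Added example (not from the original post): report Microsoft Defender definition
# currency on the local host and force an update when definitions are stale.
# MaxAgeHours is an assumed threshold; adjust it to your own baseline.

function Test-DefenderDefinitionFreshness {
    [CmdletBinding()]
    param(
        [int]$MaxAgeHours = 24    # assumed threshold, not from the original post
    )

    # Get-MpComputerStatus ships with Defender on Windows 10/11 and Windows Server.
    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        EngineVersion      = $status.AMEngineVersion
        SignatureAgeHours  = [math]::Round($sigAge.TotalHours, 1)
        IsCurrent          = ($sigAge.TotalHours -le $MaxAgeHours)
    }
}

$result = Test-DefenderDefinitionFreshness
$result | Format-List

if (-not $result.IsCurrent) {
    Write-Warning "Definitions are $($result.SignatureAgeHours) hours old; forcing an update."
    # Update-MpSignature pulls the latest definitions from the configured update source.
    Update-MpSignature
    Test-DefenderDefinitionFreshness | Format-List
}
```

Run it from an elevated session; for a fleet, wrap the function in `Invoke-Command` against your endpoint list and collect the objects, flagging any host where `AntivirusEnabled` or `RealTimeProtection` is false as well as any with stale definitions.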

Create a deny policy in Windows Defender Application Control (WDAC)

On Windows 10 and 11, IT admins can use the WDAC Policy Wizard (or the built-in ConfigCI PowerShell cmdlets) to create a policy that denies software signed with the leaked Nvidia certificate while still allowing legitimately signed Nvidia drivers. The deny rule should target the specific leaked certificate rather than the "NVIDIA Corporation" publisher name; a publisher-level deny would block every Nvidia driver and break GPU-equipped hosts. Deploy the policy in audit mode first and review the Code Integrity event log before switching to enforcement.
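The same deny policy built with the ConfigCI cmdlets instead of the Policy Wizard GUI, as an added example that is not part of the original post or Coretek's tooling. It assumes you have a file signed with the leaked certificate to derive the rule from (an Nvidia driver signed with it, or a quarantined malware sample); the sample and working-directory paths are assumptions, and the certificate details are read from the file rather than typed in.

```powershell
# Added example (not from the original post): build and deploy a WDAC policy that denies
# anything signed with one specific leaked certificate. Run from an elevated session.
#
# Assumptions (none of these paths come from the original post):
#   $SignedSample - a file carrying a signature made with the leaked certificate
#   C:\WDAC       - working directory for the policy files

$SignedSample = 'C:\Quarantine\sample-signed-with-leaked-cert.sys'   # assumed path
$WorkDir      = 'C:\WDAC'                                             # assumed path
$PolicyXml    = Join-Path $WorkDir 'DenyLeakedNvidiaCert.xml'
$PolicyBin    = Join-Path $WorkDir 'DenyLeakedNvidiaCert.bin'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Confirm which certificate the sample is actually signed with before building a rule on it.
$sig  = Get-AuthenticodeSignature -FilePath $SignedSample
$cert = $sig.SignerCertificate
if (-not $cert) { throw "$SignedSample carries no Authenticode signature" }
"Signer : $($cert.Subject)"
"Serial : $($cert.SerialNumber)"
"Expires: $($cert.NotAfter)"
"Thumb  : $($cert.Thumbprint)"

# 2. Deny at the LeafCertificate level. This matches the one signing certificate (by its
#    TBS hash), not the "NVIDIA Corporation" publisher name, so drivers signed with Nvidia's
#    current, non-leaked certificates keep loading. A Publisher-level deny would block them all.
$denyRules = New-CIPolicyRule -DriverFilePath $SignedSample -Level LeafCertificate -Deny

# 3. Start from Microsoft's AllowAll template so the policy adds only the deny rule.
#    WDAC is an allow-list by default; a bare deny rule on its own would block everything else.
$template = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $template -Rules $denyRules | Out-Null

# 4. Rule options: 0 = user-mode code integrity (deny user-mode binaries signed with the
#    cert too), 3 = audit mode, 6 = unsigned policy allowed, 16 = update policy without reboot.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3    # audit first; remove once the log looks clean
Set-RuleOption -FilePath $PolicyXml -Option 6
Set-RuleOption -FilePath $PolicyXml -Option 16

# 5. Compile and deploy locally (single-policy format). The same .bin can be pushed via Intune or GPO.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
$dest = "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
Copy-Item $PolicyBin $dest -Force
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy `
    -MethodName Update -Arguments @{ FilePath = $dest }

# 6. Review audit events, then enforce. Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational
#    is an audit-mode block; 3077 is an enforced block.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
# To enforce: Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete, then repeat step 5.
```

Keep the signed sample in an isolated lab share; the rule derivation only reads its signature, but the file itself may be malware. Test the enforced policy on a GPU host first to confirm that currently shipped Nvidia drivers, signed with a different certificate, still load.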

References and Additional Resources

If you are a Coretek customer, have any questions about Coretek remediation actions or your support agreements with Coretek, or are a visitor who would like more information, please get in touch here.
