Nvidia's hacked data is being actively used to disguise malware as legit files

In late February, the cyber gang calling itself Lapsus$ broke into Nvidia's internal network and managed to steal a lot of sensitive data, from hashed login credentials to critical trade secrets behind the company's chips. The hackers demanded Nvidia remove the lock on its newer GPUs that automatically slowed them down when mining cryptocurrency and was given until March 4 to comply — or Lapsus$ would release those trade secrets. The cybercriminals have started making good on their threats, and now the fallout from their data dump threatens to help malware avoid detection.

The stolen info included some of the cryptographic certificates Nvidia uses so users can verify that drivers and executable files for their GPUs are authentic. As Bleeping Computer points out, hackers are now using those pilfered certificates to mask a variety of malware. This means cyberattackers can make malicious programs appear like legit Nvidia software — and even though these are older, expired certificates, Windows will still load drivers signed with them.

Multiple types of malware have already been spotted masking themselves with these seemingly valid certificates, including a remote access trojan (RAT) called Quasar. Stratosphere Labs analyzed Quasar in 2019 and found — without naming a culprit — that it had been used in past cyberattacks against Ukraine. While Microsoft VP for OS Security and Enterprise David Weston tweeted that IT admins can configure defenses against the disguised malware, average users may need to be on their guard.