Stolen Nvidia certificates used to hide malware in driver downloads

Last week Nvidia confirmed that it had been the victim of an internal hack, though it claimed no customer information was compromised. While the hackers have made some very strange demands, threatening to release sensitive corporate data if Nvidia doesn’t unlock some of its most powerful graphics cards for cryptocurrency mining, regular users didn’t need to worry much. Today we’re seeing one of the first effects of the hack on end-users: Nvidia GPU driver packages with malware hidden inside.

While it was always possible for malefactors to host links pretending to be drivers in the hopes of installing viruses, trojans, and other nasty stuff on a user’s PC, this situation is more concerning. The hackers appear to have leaked Nvidia’s official code signing certificates, a means by which users (and Microsoft) can verify that a downloaded program comes from the publisher it says it’s from.

That’s allowing files containing a host of popular malware suites to be posted and downloaded, bypassing Windows Defender’s built-in executable verification and slipping past anti-virus software. BleepingComputer reports that two now-expired (but still usable) verification codes have been compromised and used to deliver remote access trojans. Another example, using the Nvidia verification to sign a fake Windows driver, was also spotted.

While it’s possible to block the installation of packages with the expired codes using Windows Defender, it’s an advanced technique that’s probably only of interest to your company’s sysadmin. For regular users looking for the latest graphics card drivers (or any driver, for that matter), the advice is the same as always: be careful to only download it from the official source—the Nvidia website or your installation of GeForce Experience, in this case. https://www.pcworld.com/article/620181/hackers-use-stolen-nvidia-certificates-to-hide-malware-in-driver-downloads.html