At the start of March 2022, Nvidia revealed that its ‘proprietary information’ is being leaked by hackers. The company says it became aware of the breach on February 23rd, and that it does “not anticipate any disruption to [its] business or our ability to serve our customers as a result of the incident” (as quoted by Bloomberg).
Yet the hackers – Lapsus$ – are threatening to dump hundreds of gigabytes of proprietary Nvidia data on the web, including details about future graphics chips, according to The Verge.
The Nvidia hack keeps getting more complicated. More recently, researchers found examples of malicious files signed with the stolen certificates, meaning the certificates could be used to sign kernel-level malware and load it on systems that enforce driver signature verification.
Looking into the incident for Digital Journal is cybersecurity evangelist and digital certificate expert Alon Nachmany, Field CISO of AppViewX.
Nachmany begins by explaining the technical background to the attack and the inherent system weakness: “Code signing certificates are used for securing software similar to how a TLS certificate is used for securing internet communication, and the issuing authority of certificates can be the same for both codesigning and TLS certificates. A pair of public and private keys are used to encrypt or hash the software or the communication path.”
He adds, pointing to a key issue: “The root Certificate Authority (CA) assigns a public key to a digital certificate after validating the authenticity of the requesting party which is a developer in code signing.”
This allows for so-termed ‘man-in-the-middle attacks’, which Nachmany finds are “quite common in unsecured website traffic but a similar concept does exist in the distribution of the software as well.”
In terms of how the cyberattack happens, Nachmany explains: “A malicious distributor can tamper the software and insert malware into it which users can download and install on their computers. Code signing is especially used to prevent such scenarios in case of software distribution.”
Returning to the matter at hand, Nachmany outlines the key events: “In order to mitigate the current threat to Nvidia, their users and as a result, Nvidia’s reputation, Nvidia must reissue code signing certificates for any code, drivers and software that has been signed using the compromised keys. From there, Nvidia must revoke the stolen keys, so they cannot be used. Nvidia will also have to replace all of the software that was signed with the old keys that had been revoked with the new signed ones in the public domain (their website) to ensure that their users can access the updated versions.”
Such attacks are consequential, says Nachmany: “This could cause a major disruption to enterprise users as some of the drivers and software may reside in internally managed repositories to those enterprises.”
There are lessons that need to be drawn from the event, which Nachmany describes: “The IT teams in those companies will have to learn, ex post facto, which drivers and software need to be replaced and ensure they update them. Since there is no real way to know, until you test each one, this might cause delays to projects and deadlines that some enterprises might be trying to meet. This fully depends on the skill of the IT team, but this is just another hurdle for them to tackle.”
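The inventory problem Nachmany describes, working out which drivers and software on a fleet were signed with the now-compromised keys, is something an IT team can partly automate. The following PowerShell script is an added example for this article, not code from Nvidia, AppViewX or Nachmany. It walks a directory, reads the Authenticode signer of each binary with the built-in `Get-AuthenticodeSignature` cmdlet, and flags files whose signing certificate thumbprint appears in a list of compromised certificates. The thumbprints in `$CompromisedThumbprints` are placeholders (the article does not publish them) and must be replaced with the values the vendor or CA publishes for the revoked certificates; the `Find-CompromisedSigner` function name and the scanned paths are this example's own choices.

```powershell
# Added example (not from the article): inventory signed files under a path and
# flag any whose signing certificate matches a list of compromised certificates.
# The thumbprints below are PLACEHOLDERS; replace them with the values published
# for the revoked code-signing certificates.
$CompromisedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

function Find-CompromisedSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Thumbprints
    )

    # Case-insensitive set for fast lookup; thumbprints are hex strings.
    $lookup = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Thumbprints,
        [System.StringComparer]::OrdinalIgnoreCase)

    Get-ChildItem -Path $Path -Recurse -File -Include *.sys, *.dll, *.exe, *.cat -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Unsigned or unreadable files carry no SignerCertificate; skip them.
        if ($null -eq $sig.SignerCertificate) { return }

        $tp = $sig.SignerCertificate.Thumbprint
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status            # Valid, HashMismatch, NotTrusted, ...
            Subject     = $sig.SignerCertificate.Subject
            Thumbprint  = $tp
            # Status alone is not enough: a signature timestamped before the
            # revocation date, or a host with a stale CRL cache, can still
            # report Valid, so match on the certificate itself.
            Compromised = $lookup.Contains($tp)
        }
    }
}

# Usage: scan the driver directory and report only the matches.
Find-CompromisedSigner -Path 'C:\Windows\System32\drivers' -Thumbprints $CompromisedThumbprints |
    Where-Object Compromised |
    Format-Table File, Status, Subject -AutoSize
```

Two caveats for anyone running this in practice. First, the script is an inventory tool, not a control: a match means the file should be replaced with a version signed under the reissued certificate, as Nachmany outlines, and the compromised certificates should additionally be blocked through the platform's driver or application control policy so newly signed malware is refused rather than merely reported. Second, many drivers are signed through a catalog (`.cat`) file rather than an embedded signature, so include the system catalog directory (`C:\Windows\System32\CatRoot`) in the scan, and treat files reported as `NotSigned` as candidates for a catalog check rather than as clean.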