As apart of the February 23rd ransomware attack on Nvidia by the Lapsus$ group, two Nvidia code-signing certificates were stolen and being used to sign Malware. The stolen code-signing certificates are expired, however they’re still recognized by Windows. This would allow drivers signed with the stolen codes to be loaded in the operating system. Below are the serial numbers used by the stolen certificates:
- 43BB437D609866286DD839E1D00309F5
- 14781bc862e8dc503a559346f5dcc518
Windows Defender Application Control Policies can be used to help mitigate this threat. For more information please see the following link: https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/