How Lapsus$ Uses Stolen Source Code to Disguise Malware

The Ransomware Gang Has Leaked Source Code From Nvidia, Samsung
Ransomware gang Lapsus$ is tricking users into installing malware by signing it with code-signing certificates believed to have been stolen in the Nvidia and Samsung source code leaks, so that it passes as verified, legitimately signed software.
Researchers at security firm Check Point say that with possession of and control over the leaked source code, Lapsus$ can set off a massive supply chain reaction, which can lead to numerous organizations and machines being infected and harmed.
A legitimate company's certificate means that malware can be passed off as legitimate software coming from a company. For instance, in this case, many users will already have Nvidia drivers installed on their systems to support their graphics cards, meaning that Nvidia’s brand recognition will lead unsuspecting users to trust any additional software seemingly produced by the company.
"Part of the NVidia leak were indeed two stolen code-signing certificates used by NVidia developers to sign their drivers and executables. According to different sources, attackers have already started using these code signing certificates to sign malware so it will appear to be dependable and go through Windows' screening to be loaded and executed," the researchers at Check Point say.
"As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66"
— Bill Demirkapi (@BillDemirkapi), March 3, 2022
Malware could be written to specifically attack a particular organization to gather information and then act as a command-and-control server, says Andrew Whaley, senior technical director at Promon, a Norwegian application security company.
"Malware can be designed to gather network information, credentials and passwords which will then be passed on to bad actors. Later it could then receive commands allowing somebody to take control of that PC and use it to attack the wider network using the stolen credentials," Whaley says.
How Does It Work?
A code-signing certificate lets a publisher place a digital signature on executables and drivers, marking them as cleared to run. Attackers abuse this process by signing their files with a stolen certificate so the executables appear legitimate and bypass security checks, allowing malware to be loaded onto Windows, the researchers say.
By stealing code-signing certificates, threat actors can use them to make malware appear trusted, making it much harder for protection systems to identify malicious activity, says Peter Draper, EMEA director at security firm Gurucul.
"It's for instances such as this that multilayered security approaches become essential. Technologies such as behavior analytics can identify and respond to suspicious behavior even if it comes from seemingly 'trusted' files being detonated by unsuspecting users," Draper says. "Having the ability to identify anomalous and risky behavior, traffic and device activity and responding to that activity automatically means that security teams can still protect against damage even if malware does get through initial security controls."
Whaley says that if the signing certificate has expired, the attacker cannot obtain a trusted timestamp for the signed malware, since the timestamp server validates the .exe/.dll files against the signing certificate, which by then has hopefully been revoked.
Also, Windows cannot validate non-timestamped binaries and will therefore display a warning to the user, Whaley says.
"It is unclear how enforced the warning is on the different OS versions, but we can expect it will be very strict on Windows 10 and above. Most antivirus software will also detect the non-timestamped Nvidia binaries and block them. All kernel drivers on Windows 10 build number 1607 and above need to be countersigned by Microsoft. This is so that Microsoft can block countersigning drivers signed with an expired signing certificate. Windows Vista to Win 8.1 will require valid signatures," Whaley says.
Who Is Lapsus$?
The Lapsus$ group first came to public attention in December 2021 following a ransomware attack on websites owned by Brazil's Ministry of Health. The group claimed to have stolen and subsequently deleted around 50TB of data from the ministry's systems.
Subsequently, Lapsus$ claimed responsibility for attacks seemingly targeted at other Brazilian or Portuguese-speaking organizations, such as Impresa, Claro, Embratel, NET and Localiza.
"The group's recent attacks against Nvidia and Samsung suggest an expansion of their targeting scope and interests, likely emboldened by the success of previous operations," says Xueyin Peh, senior cyber threat intelligence analyst at Digital Shadows. "Although cyber extortion is dominated by ransomware attacks, it is unclear if Lapsus$ is a ransomware group," he says.
Peh says in most cyber extortion attacks, ransomware groups deploy their ransomware on victims' systems to encrypt their files and render them inaccessible. Victims who want to regain access to their data are coerced into paying the ransom.
Also, these groups have now started using the double-extortion method, in which attackers exfiltrate victims' files and threaten to leak them online to further strong-arm them into acceding to the ransom payment, Peh says.
"As it is not known if Lapsus$ deploys ransomware, the group more likely falls within the category of a data extortion group," according to Peh. "The motivation of data extortion and ransomware groups is likely to be financial. Although their methods show some divergence, these two types of threat actors are ultimately after a financial payout."
Peh says this is likely the case for Lapsus$, which left contact details on victims' systems, probably to establish communication for negotiation over ransom payment. It is also possible, he says, that Lapsus$ conducted attacks to force its targets into taking specific actions.
In the Nvidia attack, Lapsus$ demanded that the firm remove the Lite Hash Rate, or LHR, limiter from its graphics cards to make them more conducive to cryptocurrency mining (see: How Lapsus$ Data Leak May Affect Nvidia and Its Customers).
"Although the group did not explicitly solicit money, their focus on cryptocurrency mining also implies that Lapsus$ is mainly financially motivated," Peh says.
Whaley recommends that users install software from trusted sources and says that "third-party download sites - even if they appear to have associated names - should be avoided."
Pratik Selva, senior security engineer at Venafi, warns that if an organization does not properly secure the process and the infrastructure for managing code-signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high.
"This incident sheds light on the lack of security controls or enforcement for the code-signing process as well as the infrastructure supporting it. One of the main issues is that revocations or expirations of certificates are not checked or enforced by all security mechanisms present in Windows, including the one that checks if loaded drivers are signed. As a result, Windows users cannot fully rely on built-in protections, and to make matters worse, many even still use more vulnerable end-of-life Windows versions," he says.
Selva shares the following preventative measures for every organization:
- The infrastructure implementing code signing should only do code signing.
- Nonessential software should not be installed on such infrastructure. It should be treated as a potential attacker.
- In an organization’s internal system classification, the code-signing infrastructure should be classified under critical status.
- The code-signing infrastructure should be kept updated and patched.
- Any risk assessment conducted internally should include code-signing infrastructure.
- Manual certificate verification is recommended, especially for executables that require elevated privileges.
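The expiry and timestamp checks Whaley describes, and Selva's recommendation of manual certificate verification for executables that run with elevated privileges, can be turned into a read-only audit like the one below. It is an added example, not code from the article or from any of the vendors quoted; the staging directory, the `Test-CodeSigningRisk` name and the `NVIDIA` watch string are assumptions for illustration.

```powershell
# Added example (not from the article): audit executables for the weak-signature
# pattern discussed above: a signer certificate that has expired with no timestamp
# countersignature, or a signer on a watch list of publicly leaked certificates.
function Test-CodeSigningRisk {
    [CmdletBinding()]
    param(
        # Directory to scan; a constructed staging folder is assumed here.
        [string]$Path = 'C:\Audit\Staging',
        # Subject-name fragments to flag for manual review (assumed value below).
        [string[]]$WatchSubjects = @()
    )
    $now = Get-Date
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            $expired = $false; $timestamped = $false; $watched = $false
            if ($cert) {
                # Computed independently of $sig.Status: the user-mode trust
                # verdict and the kernel driver loader apply different rules.
                $expired     = $cert.NotAfter -lt $now
                $timestamped = $null -ne $sig.TimeStamperCertificate
                $watched     = @($WatchSubjects | Where-Object { $cert.Subject -like "*$_*" }).Count -gt 0
            }
            $reasons = @()
            if ($sig.Status -ne 'Valid')         { $reasons += "status=$($sig.Status)" }
            if ($expired -and -not $timestamped) { $reasons += 'expired signer, no timestamp' }
            if ($watched)                        { $reasons += 'signer on watch list' }
            [pscustomobject]@{
                Path        = $_.FullName
                Status      = $sig.Status
                Signer      = if ($cert) { $cert.Subject } else { '<unsigned>' }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
                NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                Timestamped = $timestamped
                Risk        = if ($reasons.Count -gt 0) { 'REVIEW' } else { 'ok' }
                Reasons     = $reasons -join '; '
            }
        }
}

# Example run: surface anything signed by a subject containing the vendor name
# from the article. Swap in thumbprints once your threat-intel feed supplies them.
Test-CodeSigningRisk -Path 'C:\Audit\Staging' -WatchSubjects 'NVIDIA' |
    Where-Object Risk -eq 'REVIEW' |
    Format-Table Path, Status, Signer, NotAfter, Timestamped, Reasons -AutoSize
```

Anything flagged `REVIEW` is a candidate for the manual verification Selva recommends, not a verdict; a watch-list hit on a genuine, timestamped vendor binary is expected and should be cleared by hand.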