bleepingcomputer[.]com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/
NVIDIA reportedly had 1TB of data stolen in a cyber-attack that included 2 expired code signing certificates. Though expired, they still work -- Windows will allow their use for driver installation. Microsoft is unlikely to start blocking those certificates in Windows because that would mean you couldn't install legitimate NVIDIA drivers.
After Lapsus$ leaked NVIDIA's code-signing certificates, security researchers quickly found that the certificates were being used to sign malware and other tools used by threat actors. According to samples uploaded to the VirusTotal malware scanning service, the stolen certificates were used to sign various malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans.
For example, one threat actor used the certificate to sign a Quasar remote access trojan [VirusTotal], while someone else used the certificate to sign a Windows driver [VirusTotal].
Security researchers Kevin Beaumont and Will Dormann shared that the stolen certificates utilize the following serial numbers:
43BB437D609866286DD839E1D00309F5
14781bc862e8dc503a559346f5dcc518
Some of the files were likely uploaded to VirusTotal by security researchers but others appear to be used by threat actors for malware campaigns [1, 2].
While both stolen NVIDIA certificates are expired, Windows will still allow a driver signed with the certificates to be loaded in the operating system.
Therefore, using these stolen certificates, threat actors gain the advantage of making their programs look like legitimate NVIDIA programs and allowing malicious drivers to be loaded by Windows.
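A defender-side check, added here and not taken from the article or from NVIDIA: a PowerShell sweep that flags files whose Authenticode signer certificate serial matches either leaked serial, then runs the same check over the kernel drivers currently running. The two serials are the ones quoted above; the scan root C:\Temp\Triage is an assumed placeholder.

```powershell
# Added example: hunt for binaries signed with the two leaked NVIDIA certificate serials.
# Serials are the ones reported above; $ScanRoot is an assumed placeholder path.
$LeakedSerials = @(
    '43BB437D609866286DD839E1D00309F5',
    '14781BC862E8DC503A559346F5DCC518'
)
$ScanRoot = 'C:\Temp\Triage'   # assumption: point this at the directory you want to sweep

function Test-LeakedNvidiaSignature {
    param([Parameter(Mandatory)] [string] $FilePath)
    if (-not (Test-Path -LiteralPath $FilePath)) { return $null }
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return $null }          # unsigned: nothing to compare
    # SerialNumber is a hex string; normalise case before comparing
    if ($LeakedSerials -notcontains $cert.SerialNumber.ToUpperInvariant()) { return $null }
    [pscustomobject]@{
        File     = $FilePath
        Serial   = $cert.SerialNumber
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter                 # both leaked certs are expired
        Status   = $sig.Status                    # signature status as Windows reports it
        SHA256   = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    }
}

# 1) Sweep a directory tree for signed PE files using the leaked serials
$hits = Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Test-LeakedNvidiaSignature -FilePath $_.FullName }

# 2) Check drivers that are loaded right now, since driver loading is the concern above.
#    Win32_SystemDriver paths may carry a \??\ prefix; strip it before testing the file.
$driverHits = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object { Test-LeakedNvidiaSignature -FilePath ($_.PathName -replace '^\\\?\?\\', '') }

$hits + $driverHits | Where-Object { $_ } | Sort-Object File -Unique | Format-Table -AutoSize
```

Any hit is worth triaging by hash and subject rather than blocking on sight, because legitimate NVIDIA binaries carry the same serials.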