Files stolen in last month’s massive MSI hack are starting to proliferate on the dark web. One of his more worrying things found in the digital loot is his OEM private key from Intel. MSI would have used this to sign firmware/BIOS updates to pass the Intel Boot Guard validation check. Hackers can use this key to sign malicious BIOS, firmware, and apps. This looks like the official MSI release of him.
After being hacked last month, MSI urge customers You can only get firmware/BIOS updates from official websites. A well-known PC, component and peripheral company was threatened by a ransomware group called Money Message. The extortionists apparently stole 1.5 TB of data, including various source code files, private keys, and tools for developing firmware. According to reports, Money Message was demanding over $4 million to get the entire data back into his MSI. It’s been over a month and MSI seems not to have paid. So we are now looking at the fallout.
Intel Boot Guard ensures your PC can only run verified apps before booting.and white paper On ‘below-the-OS-security (PDF)’, Intel proudly talks about their BIOS Guard, Boot Guard, and Firmware Guard technologies. Boot Guard is “a key component of hardware-based boot integrity that satisfies Microsoft Windows requirements for UEFI Secure Boot.” Unfortunately, it is not a useful “guard” for a wide range of MSI systems.
Tweet author binary (Supply Chain Security Platform) and its founder Alex Matrosov do a good job of explaining the dangers posed by exposing boot guard keys and other data in MSI carriers. The security expert suggests that many other device vendors, including Intel, Lenovo and Supermicro, are affected by his MSI leak. The GitHub page linked by Binarly lists 57 of his MSI PC systems with compromised firmware keys and 166 systems with compromised Intel Boot Guard BPM/KM keys.
Looking through the list of affected machines, we see all the familiar MSI series including Sword, Stealth, Creator, Prestige, Modern, Cyborg, Raider and Titan. Owners of these systems with Intel Core 11th Gen Tiger Lake CPUs and newer should strictly follow the updates on the MSI site only.
In addition to Boot Guard concerns, hackers can trick users into visiting fake MSI sites or downloading fake MSI apps. These apps can now be signed and appear to truly come from an MSI, so they can run without triggering the AV.
This leak is certainly confusing and it is not clear if the leaked keys can be revoked or what the next steps will be from those involved. I haven’t seen any official response from MSI or Intel regarding the files that are Avoid checking for stolen files on the dark web or other sources as they may be laced with malware.
