Ransomware attack on MSI led to compromised Intel Boot Guard private keys
On April 7, 2023, MSI (Micro-Star International) released a statement confirming a cyberattack on part of its information systems. While the statement does not reveal a lot of tangible information, this snippet is important:
“MSI urges users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website.”
As we mentioned in our May ransomware review, Taiwanese PC parts maker MSI fell victim to ransomware gang Money Message. Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, including MSI, mostly in the US and from various industries.
The Money Message gang claimed to have stolen 1.5TB of data during the attack, including firmware, source code, and databases.
When the $4 million ransom demand was not met, Money Message began leaking the MSI data on its data leak site.
According to BleepingComputer, a Money Message operator said in a chat with an MSI agent:
“Say your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios.”
Researchers are now starting to unravel the significance of the stolen data.
The leaked data includes private keys, some of which appear to be Intel Boot Guard keys. Having the signing keys potentially allows an attacker to create fake firmware updates that would bypass Intel Boot Guard. Intel Boot Guard is a hardware-based technology intended to protect personal computers against executing fake UEFI (Unified Extensible Firmware Interface) firmware.
A bypass could give an attacker full access to a system, letting them access secure data or use the system for any number of malicious purposes. Boot Guard is a key element of hardware-based boot integrity that meets the Microsoft Windows requirements for UEFI Secure Boot. Secure Boot is an option in UEFI that allows you to make sure that your PC boots using only software that is trusted by the PC manufacturer.
Binarly compiled a list of 57 MSI PC systems which have had firmware keys leaked, and 166 systems which have had Intel Boot Guard BPM/KM keys leaked. Among them are household names like Lenovo and HP.
Update from vendor websites
Although no attacks of this kind have been found in the wild and Binarly, after a lengthy and detailed analysis, states that “the leaked Boot Guard keys are intended for debug building lines and most likely we will never see such devices in the wild,” the advice to obtain firmware/BIOS updates only from official vendor websites is solid.
Also watch out for phishing emails claiming that you need new firmware for whatever reason. They are likely from sources that are trying to trick you into installing malware. As a PC user there is not much you can do about this incident, but be prudent. We will keep you posted here in case there are any developments or more news becomes available.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected.