MSI’s Firmware, Intel Boot Guard Private Keys Leaked

Cyber Security Threat Summary:
“The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site. MSI (Micro-Star International) is a corporation that develops and sells computers (laptops, desktops, all-in-one PCs, servers, etc.) and computer hardware (motherboards, graphics cards, PC peripherals, etc.). The company confirmed in early April that it had been hacked. A ransomware group called Money Message claimed responsibility for the breach, said they grabbed (among other things) some of the company’s source code, and asked for $4 million to return/delete it. In the wake of the breach, the company urged “users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website.” The Money Message group now says that MSI decided not to pay the asked-for ransom, so they started releasing the stolen data. Binarly, a cybersecurity company specializing in firmware supply chain security, has analyzed the leaked source code and found private code signing keys for firmware images used on 57 MSI products, and private signing keys for Intel Boot Guard used on 116 MSI products” (HelpNetSecurity, 2023).

Security Officer Comments:
Intel Boot Guard prevents the computer from running firmware/UEFI images that do not carry the original equipment manufacturer’s digital signature. The corresponding public key is fused into the system’s chipset by the manufacturer. MSI’s previous warning to customers about getting firmware/BIOS updates only from its official website suggests the company is worried that attackers could compile malicious updates and sign them with the stolen keys. But attackers could also sign other malicious payloads with them, effectively foiling antivirus solutions. Leaked Intel OEM private Key Manifest (KM) and Boot Policy Manifest (BPM) keys could be used to sign malicious firmware images so they could pass Intel Boot Guard’s verification.

Suggested Corrections:
MSI has still not officially commented on the findings.

Use encryption to protect the firmware image during transmission and storage. This can prevent unauthorized access to the image and help prevent tampering with it. It is also important to keep the bootloader and operating system up to date with the latest security patches to address any known vulnerabilities that could be exploited by attackers. Regular security audits and testing can also help identify security weaknesses and confirm that the mitigation measures are effective.

Link:
https://www.helpnetsecurity.com/2023/05/08/msi-private-keys-leaked/