Saturday, May 6th 2023

Money Message Ransomware Group Uploads Stolen MSI Data to Dark Web

MSI suffered a massive data breach at the start of April and the Taiwanese electronics company promptly alerted its customers about the cyberattack on its "information systems." A few days later it emerged that a relatively young ransomware group "Money Message" was behind the hacking effort - these cybercriminals stated that they had infiltrated MSI's internal network. Gang members proceeded to acquire sensitive company files, database information and source code. At the time, Money Message demanded that MSI pay them a ransom of $4 million, with the added threat of stolen data getting leaked to the general public on the internet (in the event of MSI failing to pay up).

Money Message has this week claimed that MSI has refused to meet their demands - as a result, an upload of stolen data started on Thursday with files appearing on the group's own website, and spreading to the dark web soon after. Binarly, a cybersecurity firm, has since analyzed the leaked files and discovered the presence of many private code signing keys within the breached data dump. Alex Matrosov, Binarly's CEO states via Twitter: "Recently, MSI USA announced a significant data breach. The data has now been made public, revealing a vast number of private keys that could affect numerous devices. FW Image Signing Keys: 57 products (and) Intel Boot Guard BPM/KM Keys: 166 products." Binary has provided a list of affected MSI devices (gaming laptops & mobile workstations) on their GitHub page.
PC Magazine UK asked Matrosov for a few extra details, he then explained the significance of the private key leak: "The signing keys for firmware image allow an attacker to craft malicious firmware updates and it can be delivered through normal BIOS update processes with MSI update tools." Cybercriminals can create and sign malware disguised as MSI-related software, as well as fake and malicious firmware. Matrosov claims that customer-focused attacks could be delivered "as a second stage payload" through phishing attempts (email or website-based) - it is possible that anti-virus software will not flag these attacks due to the usage of official MSI signing keys. Binarly has also discovered that an Intel hardware security tool could be compromised by cybercriminals: "Digging deeper into the aftermath of the MSI USA data breach and its impact on the industry. Leaked Intel Boot Guard keys from MSI are affecting many different device vendors, including Intel, Lenovo, Supermicro SMCI, and many others industry-wide."
Matrosov's latest update on Twitter states: "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake. Our investigation is ongoing, stay tuned for updates."

Mark Ermolov, an independent researcher of Intel Security systems, also interjected with his findings yesterday: "It seems this leak affects not only Intel Boot Guard technology, but all OEM signing-based mechanisms in CSME, such as OEM unlock (Orange Unlock), ISH firmware, SMIP and others."
Sources: PC Mag UK, Binarly Twitter
Add your own comment

10 Comments on Money Message Ransomware Group Uploads Stolen MSI Data to Dark Web

#1
Solaris17
Super Dainty Moderator
T0@sthe then explained the significance of the private key leak:
In “theory” maybe. But MSI knew their stuff would go public if they didn’t comply. These keys are useless now.

The keys will be rotated, AV vendors will be alerted and all OEMs will need to resign using Intels new key. MSIs keys will be rotated as a whole.

The leak if you did want to reverse engineer will maybe be useful for literally /this/ point in time only.

The BIOS update suites will be updated downloads on OEM sites resigned.
Posted on Reply
#2
lemonadesoda
Solaris17In “theory” maybe. But MSI knew their stuff would go public if they didn’t comply. These keys are useless now.

The keys will be rotated, AV vendors will be alerted and all OEMs will need to resign using Intels new key. MSIs keys will be rotated as a whole.

The leak if you did want to reverse engineer will maybe be useful for literally /this/ point in time only.

The BIOS update suites will be updated downloads on OEM sites resigned.
Agreed. But all that takes time. There is a window of opportunity, or put another way a risk vector that will decrease over time, but exists /today/. And for 80% of joe public who dont even know what a firmware update is, or how to do it, let alone can be bothered to do it, that vector remains open.
Posted on Reply
#3
Solaris17
Super Dainty Moderator
lemonadesodathat vector remains open
sure. But that argument goes both ways. They arent going to download the FW update tool from some 3rd party if they werent doing to do it anyway right?

Besides, do it or not, update or no. I doubt this will affect them (consumers) anyway.

As for taking time? I doubt it. Within 24 hours of receiving the ransom letter MSI alerted Intel who then alerted partners to let them know private keys were stolen.

There were internal patches and new keys being pushed to OEMs before we even had the opportunity to know if we should care about this.

Its contractual. It wasnt just MSI data that was stolen, you bet your ass they were on the phone with Intel at the same time they were talking to police.
Posted on Reply
#6
eidairaman1
The Exiled Airman
First Gigabyte, now msi...
Posted on Reply
#7
Selaya
code signing is (worse than) snake oil
.
Posted on Reply
#8
P4-630
T0@stMatrosov's latest update on Twitter states: "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake.
@Solaris17 maybe a dumb question, or not, but does this affect my Z690 Gigabyte system as well?
So waiting for a BIOS update?...
Posted on Reply
#9
Solaris17
Super Dainty Moderator
P4-630Z690 Gigabyte system as well?
So waiting for a BIOS update?...
"affect" is a strong word in that I dont think this can be weaponized in a way that will affect consumers. Unless you are downloading files to flash your bios from random people that message you on FB marketplace.

But yes. While im sure they all rotated there keys it is upto the manufacturers themselves (if there good boys and girls) to go back and re-sign old BIOS'. They might chose to not even do that, opting instead to put a warning page like (only download software and bios from us).

Any new ones I would assume to be re-keyed though. Remember they are baked into the BIOS themselves, so unless there is an /update/ to your board they might not release an update with just a key change, again not that it would affect consumers.

If anything if you or anyone else uses things like what is it? Aourus manager? or MSI update, Asus armorcrate etc, there are probably new versions that will get rolled out so their verification algorithm can pass BIOS' with the new signature. So if you use such software I would keep an eye out.
Posted on Reply
#10
R-T-B
Selayacode signing is (worse than) snake oil
.
Wut?

It has uses and is hardly snake oil if good key security is enforced. Obviously mistakes happen. That doesn't mean it is useless.
Posted on Reply
Dec 20th, 2024 12:48 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts