
Money Message Ransomware Group Uploads Stolen MSI Data to Dark Web

T0@st

News Editor
Joined
Mar 7, 2023
Messages
2,077 (3.33/day)
Location
South East, UK
MSI suffered a massive data breach at the start of April and the Taiwanese electronics company promptly alerted its customers about the cyberattack on its "information systems." A few days later it emerged that a relatively young ransomware group "Money Message" was behind the hacking effort - these cybercriminals stated that they had infiltrated MSI's internal network. Gang members proceeded to acquire sensitive company files, database information and source code. At the time, Money Message demanded that MSI pay them a ransom of $4 million, with the added threat of stolen data getting leaked to the general public on the internet (in the event of MSI failing to pay up).

Money Message has this week claimed that MSI has refused to meet their demands - as a result, an upload of stolen data started on Thursday with files appearing on the group's own website, and spreading to the dark web soon after. Binarly, a cybersecurity firm, has since analyzed the leaked files and discovered the presence of many private code signing keys within the breached data dump. Alex Matrosov, Binarly's CEO, states via Twitter: "Recently, MSI USA announced a significant data breach. The data has now been made public, revealing a vast number of private keys that could affect numerous devices. FW Image Signing Keys: 57 products (and) Intel Boot Guard BPM/KM Keys: 166 products." Binarly has provided a list of affected MSI devices (gaming laptops & mobile workstations) on their GitHub page.



PC Magazine UK asked Matrosov for a few extra details; he then explained the significance of the private key leak: "The signing keys for firmware image allow an attacker to craft malicious firmware updates and it can be delivered through normal BIOS update processes with MSI update tools." Cybercriminals can create and sign malware disguised as MSI-related software, as well as fake and malicious firmware. Matrosov claims that customer-focused attacks could be delivered "as a second stage payload" through phishing attempts (email or website-based) - it is possible that anti-virus software will not flag these attacks due to the usage of official MSI signing keys. Binarly has also discovered that an Intel hardware security tool could be compromised by cybercriminals: "Digging deeper into the aftermath of the MSI USA data breach and its impact on the industry. Leaked Intel Boot Guard keys from MSI are affecting many different device vendors, including Intel, Lenovo, Supermicro SMCI, and many others industry-wide."



Matrosov's latest update on Twitter states: "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Alder Lake, and 13th Raptor Lake. Our investigation is ongoing, stay tuned for updates."

Mark Ermolov, an independent researcher of Intel Security systems, also interjected with his findings yesterday: "It seems this leak affects not only Intel Boot Guard technology, but all OEM signing-based mechanisms in CSME, such as OEM unlock (Orange Unlock), ISH firmware, SMIP and others."

View at TechPowerUp Main Site | Source
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
26,913 (3.83/day)
Location
Alabama
System Name RogueOne
Processor Xeon W9-3495x
Motherboard ASUS w790E Sage SE
Cooling SilverStone XE360-4677
Memory 128gb Gskill Zeta R5 DDR5 RDIMMs
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 2TB WD SN850X | 2x 8TB GAMMIX S70
Display(s) 49" Philips Evnia OLED (49M2C8900)
Case Thermaltake Core P3 Pro Snow
Audio Device(s) Moondrop S8's on schitt Gunnr
Power Supply Seasonic Prime TX-1600
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Moondrop Luna lights
VR HMD Quest 3
Software Windows 11 Pro Workstation
Benchmark Scores I dont have time for that.
he then explained the significance of the private key leak:
In “theory” maybe. But MSI knew their stuff would go public if they didn’t comply. These keys are useless now.

The keys will be rotated, AV vendors will be alerted and all OEMs will need to re-sign using Intel's new key. MSI's keys will be rotated as a whole.

The leak, if you did want to reverse engineer it, will maybe be useful for literally /this/ point in time only.

The BIOS update suites will be updated, downloads on OEM sites re-signed.
 
Last edited:
Joined
Aug 30, 2006
Messages
7,221 (1.08/day)
System Name ICE-QUAD // ICE-CRUNCH
Processor Q6600 // 2x Xeon 5472
Memory 2GB DDR // 8GB FB-DIMM
Video Card(s) HD3850-AGP // FireGL 3400
Display(s) 2 x Samsung 204Ts = 3200x1200
Audio Device(s) Audigy 2
Software Windows Server 2003 R2 as a Workstation now migrated to W10 with regrets.
In “theory” maybe. But MSI knew their stuff would go public if they didn’t comply. These keys are useless now.

The keys will be rotated, AV vendors will be alerted and all OEMs will need to re-sign using Intel's new key. MSI's keys will be rotated as a whole.

The leak, if you did want to reverse engineer it, will maybe be useful for literally /this/ point in time only.

The BIOS update suites will be updated, downloads on OEM sites re-signed.
Agreed. But all that takes time. There is a window of opportunity, or put another way, a risk vector that will decrease over time, but exists /today/. And for 80% of Joe Public who don't even know what a firmware update is, or how to do it, let alone can be bothered to do it, that vector remains open.
 

Solaris17

that vector remains open

Sure. But that argument goes both ways. They aren't going to download the FW update tool from some 3rd party if they weren't going to do it anyway, right?

Besides, do it or not, update or no. I doubt this will affect them (consumers) anyway.

As for taking time? I doubt it. Within 24 hours of receiving the ransom letter MSI alerted Intel who then alerted partners to let them know private keys were stolen.

There were internal patches and new keys being pushed to OEMs before we even had the opportunity to know if we should care about this.

It's contractual. It wasn't just MSI data that was stolen, you bet your ass they were on the phone with Intel at the same time they were talking to police.
 
Joined
Dec 30, 2010
Messages
2,198 (0.43/day)
They aren't going to download the FW update tool from some 3rd party if they weren't going to do it anyway, right?


It's so easy.
 

Solaris17


It's so easy.

Context, capt. We are literally talking about the people that don't do this anyway.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
42,078 (6.62/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
First Gigabyte, now MSI...
 
Joined
Aug 4, 2020
Messages
1,612 (1.03/day)
Location
::1
code signing is (worse than) snake oil.
 
Joined
Jan 5, 2006
Messages
18,584 (2.70/day)
System Name AlderLake
Processor Intel i7 12700K P-Cores @ 5Ghz
Motherboard Gigabyte Z690 Aorus Master
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans
Memory 32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36
Video Card(s) MSI RTX 2070 Super Gaming X Trio
Storage Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p
Case Be quiet! Silent Base 600 - Window
Audio Device(s) Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply Seasonic Focus Plus Gold 750W
Mouse Logitech MX Anywhere 2 Laser wireless
Keyboard RAPOO E9270P Black 5GHz wireless
Software Windows 11
Benchmark Scores Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock
Matrosov's latest update on Twitter states: "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Alder Lake, and 13th Raptor Lake.

@Solaris17 maybe a dumb question, or not, but does this affect my Z690 Gigabyte system as well?
So waiting for a BIOS update?...
 

Solaris17

Z690 Gigabyte system as well?
So waiting for a BIOS update?...

"affect" is a strong word in that I don't think this can be weaponized in a way that will affect consumers. Unless you are downloading files to flash your BIOS from random people that message you on FB marketplace.

But yes. While I'm sure they all rotated their keys, it is up to the manufacturers themselves (if they're good boys and girls) to go back and re-sign old BIOSes. They might choose to not even do that, opting instead to put up a warning page like (only download software and BIOS from us).

Any new ones I would assume to be re-keyed though. Remember they are baked into the BIOS themselves, so unless there is an /update/ to your board they might not release an update with just a key change, again not that it would affect consumers.

If anything, if you or anyone else uses things like, what is it, Aorus manager? or MSI Update, Asus Armoury Crate etc., there are probably new versions that will get rolled out so their verification algorithm can pass BIOSes with the new signature. So if you use such software I would keep an eye out.
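Matrosov's point in the article (a leaked signing key lets a tampered update pass the vendor's normal update tool) and the point above about update tools needing new versions that pass the re-signed BIOSes come down to the same trust-store change, which this added example shows; it is not code from MSI, Intel or any of the tools named in this thread. It uses Ed25519 as a stand-in for the vendors' real signature scheme and a constructed image format, and its point is that the new tool must ship revocation of the old key alongside trust in the new one, because a signature made with the leaked key still verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

type KeyID [32]byte // SHA-256 fingerprint of a signer's public key
// Image is a constructed toy update package, not MSI's real firmware format.
type Image struct {
	Payload []byte
	Signer  KeyID // fingerprint of the key that signed Payload
	Sig     []byte
}
// Policy is an update tool's trust store: currently trusted keys, plus
// fingerprints it must refuse even when the signature itself is valid.
type Policy struct {
	Trusted map[KeyID]ed25519.PublicKey
	Revoked map[KeyID]bool
}

var ErrRevoked = errors.New("image signed with a revoked key")
var ErrUntrusted = errors.New("signer unknown or signature invalid")
func Fingerprint(pub ed25519.PublicKey) KeyID { return sha256.Sum256(pub) }

// Sign builds an image in the toy format with the given signing key.
func Sign(priv ed25519.PrivateKey, payload []byte) Image {
	pub := priv.Public().(ed25519.PublicKey)
	return Image{payload, Fingerprint(pub), ed25519.Sign(priv, payload)}
}
// Verify checks revocation first: a valid signature from a leaked key is
// exactly the case a tool shipping a stale trust store gets wrong.
func Verify(p *Policy, img Image) error {
	if p.Revoked[img.Signer] {
		return ErrRevoked
	}
	pub, ok := p.Trusted[img.Signer]
	if !ok || !ed25519.Verify(pub, img.Payload, img.Sig) {
		return ErrUntrusted
	}
	return nil
}

// Rotate is what an updated tool carries after a leak: old key revoked, new key trusted.
func Rotate(p *Policy, leaked, replacement ed25519.PublicKey) {
	delete(p.Trusted, Fingerprint(leaked))
	p.Revoked[Fingerprint(leaked)] = true
	p.Trusted[Fingerprint(replacement)] = replacement
}
```

A tool that only adds the new key and keeps the old one trusted still accepts anything signed with the leaked key; the revocation entry is what closes that window.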
 
Joined
Aug 20, 2007
Messages
21,446 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
code signing is (worse than) snake oil.
Wut?

It has uses and is hardly snake oil if good key security is enforced. Obviously mistakes happen. That doesn't mean it is useless.
 