• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Money Message Ransomware Group Apparently Behind MSI Breach

GFreeman

News Editor
Staff member
Joined
Mar 6, 2023
Messages
1,659 (2.41/day)
It appears that MSI's data breach is more significant than originally thought and according to recent information, a new ransomware group known as "Money Message" was behind the attack, stealing databases and source code from MSI's network.

According to a report over from the BleepingComputer, Money Message claims to have stolen 1.5 TB of data from MSI's systems, including CTMS and ERP databases, software source code, private keys, and BIOS firmware. Money Message is threatening to publish these allegedly stolen documents and asking a ransom payment of $4 million. MSI has already warned its customers about the cyberattack, has started the "relevant defense mechanisms," and has been gradually restoring its systems back to normal operations.



View at TechPowerUp Main Site | Source
 
Joined
Mar 21, 2021
Messages
5,247 (3.74/day)
Location
Colorado, U.S.A.
System Name CyberPowerPC ET8070
Processor Intel Core i5-10400F
Motherboard Gigabyte B460M DS3H AC-Y1
Memory 2 x Crucial Ballistix 8GB DDR4-3000
Video Card(s) MSI Nvidia GeForce GTX 1660 Super
Storage Boot: Intel OPTANE SSD P1600X Series 118GB M.2 PCIE
Display(s) Dell P2416D (2560 x 1440)
Power Supply EVGA 500W1 (modified to have two bridge rectifiers)
Software Windows 11 Home
We are annoyed that Microsoft expect us to upgrade to more secure PCs for Windows 11 (at least I am),
but one can see the need.
 

dgianstefani

TPU Proofreader
Staff member
Joined
Dec 29, 2017
Messages
5,195 (2.01/day)
Location
Swansea, Wales
System Name Silent/X1 Yoga
Processor Ryzen 9800X3D @ 5.575ghz all core 1.24 V, Thermal Grizzly AM5 High Performance Heatspreader/1185 G7
Motherboard ASUS ROG Strix X670E-I, chipset fans replaced with Noctua A14x25 G2
Cooling Optimus Block, HWLabs Copper 240/40 + 240/30, D5/Res, 4x Noctua A12x25, 1x A14G2, Mayhems Ultra Pure
Memory 64 GB Dominator Titanium White 6000 MT, 130 ns tRFC, active cooled
Video Card(s) RTX 3080 Ti Founders Edition, Conductonaut Extreme, 18 W/mK MinusPad Extreme, Corsair XG7 Waterblock
Storage Intel Optane DC P1600X 118 GB, Samsung 990 Pro 2 TB
Display(s) 32" 240 Hz 1440p Samsung G7, 31.5" 165 Hz 1440p LG NanoIPS Ultragear, MX900 dual gas VESA mount
Case Sliger SM570 CNC Aluminium 13-Litre, 3D printed feet, custom front, LINKUP Ultra PCIe 4.0 x16 White
Audio Device(s) Audeze Maxwell Ultraviolet w/upgrade pads & LCD headband, Galaxy Buds 3 Pro, Razer Nommo Pro
Power Supply SF1000 Plat, full transparent custom cables, Sentinel Pro 1500 Online Double Conversion UPS w/Noctua
Mouse Razer Viper V3 Pro 8 KHz Mercury White & Pulsar Supergrip tape, Razer Atlas, Razer Strider Chroma
Keyboard Wooting 60HE+ module, TOFU-R CNC Alu/Brass, SS Prismcaps W+Jellykey, LekkerV2 mod, TLabs Leath/Suede
Software Windows 11 IoT Enterprise LTSC 24H2
Benchmark Scores Legendary
We are annoyed that Microsoft expect us to upgrade to more secure PCs for Windows 11 (at least I am),
but one can see the need.
It's almost never the PC and almost always the user.
 
Joined
Dec 5, 2013
Messages
662 (0.16/day)
Location
UK
We are annoyed that Microsoft expect us to upgrade to more secure PCs for Windows 11 (at least I am), but one can see the need.
It's not consumer Windows 7, 8, 10, 11, etc, where these hacks succeed though, it's always Windows Server, and adding all the TPM in the world to average Joe's PC's (where the data isn't even stored) wouldn't have done a single thing to stop this or any other corporate mega-breach. As with most Microsoft 'security', the things they make the most noise over in the press (TPM, Secure Boot, ultra-fringe Spectre / Meltdown vectors) is usually "feel-good window dressing" whilst the stuff that matters in the real-world (phishing, social engineering, the multitude of authorised back-door services enabled by default, eg, Remote Registry, Remote Management, a Windows firewall that defaults to allowing anything and everything to make unrestricted outgoing connections, etc) is exactly the stuff that Windows does little to nothing to stop.
 
Joined
Dec 14, 2019
Messages
1,213 (0.65/day)
Location
Loose in space
System Name "The black one in the dining room" / "The Latest One"
Processor Intel Xeon E5 2699 V4 22c/44t / i7 14700K @5.8GHz
Motherboard Asus X99 Deluxe / ASRock Z790 Taichi
Cooling Arctic Liquid Freezer II 240 w/4 Silverstone FM121 fans / Arctic LF II 280 w Silverstone FHP141's
Memory 64GB G.Skill Ripjaws V DDR4 2400 (8x8) / 96GB G.Skill Trident Z5 DDR5 6400
Video Card(s) EVGA RTX 1080 Ti FTW3 / Asus Tuff OC 4090 24GB
Storage Samsung 970 Evo Plus, 1TB Samsung 860, 4 Western Digital 2TB / 2TB Solidigm P44 Pro & more.
Display(s) 43" Samsung 8000 series 4K / 65" Hisense U8N 4K
Case Modded Corsair Carbide 500R / Modded Corsair Graphite 780 T
Audio Device(s) Asus Xonar Essence STX/ Asus Xonar Essence STX II
Power Supply Corsair AX1200i / Seasonic Prime GX-1300
Mouse Logitech Performance MX, Microsoft Intellimouse Optical 3.0
Keyboard Logitech K750 Solar, Logitech K800
Software Win 10 Enterprise LTSC 2021 IoT / Win 11 Enterprise IoT LTSC 24H2
Benchmark Scores https://www.passmark.com/baselines/V11/display.php?id=202122048229
Joined
Mar 18, 2015
Messages
182 (0.05/day)
We are annoyed that Microsoft expect us to upgrade to more secure PCs for Windows 11 (at least I am),
but one can see the need.
A breach of MSI's servers has nothing to do with consumer PCs or Windows 11. Equally, when it comes to the fallout from it, nothing is going to save you if you willingly flash a compromised UEFI image to your motherboard, for example. Not to mention that Microsoft can't be trusted with security in the first place. Malware has made it through their review process and been signed by them on numerous occasions.
 
Joined
Jul 5, 2013
Messages
28,627 (6.79/day)
We are annoyed that Microsoft expect us to upgrade to more secure PCs for Windows 11 (at least I am),
but one can see the need.
If you're going to comment on something, make sure it is contextually accurate. MSI's breach has NOTHING to do with Windows 11. At all. On any level. This has to do with a SERVER level intrusion, not a desktop level intrusion.

And even if your comment was contextually proper, you'd still be incorrect. Software security and hardware security are two separate things that CAN be interconnected, but don't NEED to be interconnected. The push for new hardware is all about coding laziness(on the part of microsoft) and computer sales. Nothing more.

Not to mention that Microsoft can't be trusted with security in the first place.
This! And partly because of...
Malware has made it through their review process and been signed by them on numerous occasions.
...this!

it's always Windows Server
MSI's servers are unlikely to be Windows Server based. But even if they are, 99% of all breaches are due to some form of incorrectly configured security settings along with a measure of social engineering. It's almost never a purely technological exploit.
 
Last edited:
Joined
Jan 29, 2023
Messages
1,543 (2.13/day)
Location
France
System Name KLM
Processor 7800X3D
Motherboard B-650E-E Strix
Cooling Arctic Cooling III 280
Memory 16x2 Fury Renegade 6000-32
Video Card(s) 4070-ti PNY
Storage 500+512+8+8+2+1+1+2+256+8+512+2
Display(s) VA 32" 4K@60 - OLED 27" 2K@240
Case 4000D Airflow
Audio Device(s) Edifier 1280Ts
Power Supply Shift 1000
Mouse 502 Hero
Keyboard K68
Software EMDB
Benchmark Scores 0>1000
The hacker says he will reveal all what has been stolen on internet in five days, but if he has source code... why would he erase all that 'precious' data even if he gets payed ?
 
Joined
Nov 5, 2019
Messages
182 (0.10/day)
Location
Romania
System Name HELL->o!
Processor Ryzen 7 5800X3D
Motherboard MSI MEG X570S Ace Max
Cooling BeQuiet! Pure Loop 2 FX 280
Memory 2x16GB G.Skill RipjawsV 3600CL14 [14-14-14-34]@1.456V
Video Card(s) 6800 XT Red Devil
Storage 4x M.2; 3x Sata SSD
Display(s) MSI Optix MAG274QRF-QD & MSI MP251
Case BeQuiet! Dark Base PRO 901
Audio Device(s) JBL 4305p & JBL 4329p | EPOS H3PRO Hybrid
Power Supply Seasonic Prime TX-1000
Mouse ReDragon M711 FPS
Keyboard ReDragon Broadsword
Software Win10 Pro 64
Benchmark Scores Nope
The hacker says he will reveal all what has been stolen on internet in five days, but if he has source code... why would he erase all that 'precious' data even if he gets payed ?
Because they want to be paid the next time they breach someone else.
 
Joined
Jan 29, 2023
Messages
1,543 (2.13/day)
Location
France
System Name KLM
Processor 7800X3D
Motherboard B-650E-E Strix
Cooling Arctic Cooling III 280
Memory 16x2 Fury Renegade 6000-32
Video Card(s) 4070-ti PNY
Storage 500+512+8+8+2+1+1+2+256+8+512+2
Display(s) VA 32" 4K@60 - OLED 27" 2K@240
Case 4000D Airflow
Audio Device(s) Edifier 1280Ts
Power Supply Shift 1000
Mouse 502 Hero
Keyboard K68
Software EMDB
Benchmark Scores 0>1000
Because they want to be paid the next time they breach someone else.

But, who will know they gave/sold/kept data to anybody ?.. to be double payed.
 
Joined
Dec 14, 2019
Messages
1,213 (0.65/day)
Location
Loose in space
System Name "The black one in the dining room" / "The Latest One"
Processor Intel Xeon E5 2699 V4 22c/44t / i7 14700K @5.8GHz
Motherboard Asus X99 Deluxe / ASRock Z790 Taichi
Cooling Arctic Liquid Freezer II 240 w/4 Silverstone FM121 fans / Arctic LF II 280 w Silverstone FHP141's
Memory 64GB G.Skill Ripjaws V DDR4 2400 (8x8) / 96GB G.Skill Trident Z5 DDR5 6400
Video Card(s) EVGA RTX 1080 Ti FTW3 / Asus Tuff OC 4090 24GB
Storage Samsung 970 Evo Plus, 1TB Samsung 860, 4 Western Digital 2TB / 2TB Solidigm P44 Pro & more.
Display(s) 43" Samsung 8000 series 4K / 65" Hisense U8N 4K
Case Modded Corsair Carbide 500R / Modded Corsair Graphite 780 T
Audio Device(s) Asus Xonar Essence STX/ Asus Xonar Essence STX II
Power Supply Corsair AX1200i / Seasonic Prime GX-1300
Mouse Logitech Performance MX, Microsoft Intellimouse Optical 3.0
Keyboard Logitech K750 Solar, Logitech K800
Software Win 10 Enterprise LTSC 2021 IoT / Win 11 Enterprise IoT LTSC 24H2
Benchmark Scores https://www.passmark.com/baselines/V11/display.php?id=202122048229
From all I've read from various sources it appears that human error is 100% to blame in this instance. I'm on my phone at the moment so I can't post the links. No hardware or software could have prevented this breach; a MSI employee opening a malicious PDF file is the main suspected cause.
 
Joined
Nov 5, 2019
Messages
182 (0.10/day)
Location
Romania
System Name HELL->o!
Processor Ryzen 7 5800X3D
Motherboard MSI MEG X570S Ace Max
Cooling BeQuiet! Pure Loop 2 FX 280
Memory 2x16GB G.Skill RipjawsV 3600CL14 [14-14-14-34]@1.456V
Video Card(s) 6800 XT Red Devil
Storage 4x M.2; 3x Sata SSD
Display(s) MSI Optix MAG274QRF-QD & MSI MP251
Case BeQuiet! Dark Base PRO 901
Audio Device(s) JBL 4305p & JBL 4329p | EPOS H3PRO Hybrid
Power Supply Seasonic Prime TX-1000
Mouse ReDragon M711 FPS
Keyboard ReDragon Broadsword
Software Win10 Pro 64
Benchmark Scores Nope
Well if they do they guarantee nobody in The Scene will ever be paid again.
Companies are reluctant to pay groups anyway, sort of like a "not negociating with terrorits"policy
so double playing would not help anyone.
 
Joined
Jun 18, 2021
Messages
2,615 (1.99/day)
The hacker says he will reveal all what has been stolen on internet in five days, but if he has source code... why would he erase all that 'precious' data even if he gets payed ?

That's why paying is never worth it, at least long term. Better bite the bullet now and start working on mitigation.

If you give a mouse a cookie, he's going to ask for a glass of milk
 
Joined
Jul 5, 2013
Messages
28,627 (6.79/day)
From all I've read from various sources it appears that human error is 100% to blame in this instance. I'm on my phone at the moment so I can't post the links. No hardware or software could have prevented this breach; a MSI employee opening a malicious PDF file is the main suspected cause.
And that is social engineering at work.
 
Joined
Jun 18, 2021
Messages
2,615 (1.99/day)
From all I've read from various sources it appears that human error is 100% to blame in this instance. I'm on my phone at the moment so I can't post the links. No hardware or software could have prevented this breach; a MSI employee opening a malicious PDF file is the main suspected cause.

I mean, yes, but also what are email scanners doing? That vulnerability has been explored for a while (it even took down the LinusTechTips youtube channel recently), how are email scanners still looking at this files and not triggering all kinds of red flags?
 
Joined
Aug 20, 2007
Messages
21,632 (3.40/day)
Location
Olympia, WA
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory 64GB (2x 32GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
it's always Windows Server,
lolno. These were almost certainly *nix boxes on the server end. Windows server market share is pretty abysmal.

I mean, yes, but also what are email scanners doing? That vulnerability has been explored for a while (it even took down the LinusTechTips youtube channel recently), how are email scanners still looking at this files and not triggering all kinds of red flags?
You are probably looking at a a.) a new pdf vulnerability that they don't know about yet (god there are so many) or b.) human incompetence (no AV scanner).
 
Joined
Sep 17, 2019
Messages
502 (0.26/day)
Never give your information to anyone willingly. This is a perfect example of why you do NOT register your components. Because I already know first hand by way of association of friends, who worked in the security industry that this sh!t is a lot more common than being reported. All of your information that you give to a corporation will be hacked.

Because eventually they WILL cut corners. And IT is one of the places they WILL cut.
 
Joined
Dec 14, 2019
Messages
1,213 (0.65/day)
Location
Loose in space
System Name "The black one in the dining room" / "The Latest One"
Processor Intel Xeon E5 2699 V4 22c/44t / i7 14700K @5.8GHz
Motherboard Asus X99 Deluxe / ASRock Z790 Taichi
Cooling Arctic Liquid Freezer II 240 w/4 Silverstone FM121 fans / Arctic LF II 280 w Silverstone FHP141's
Memory 64GB G.Skill Ripjaws V DDR4 2400 (8x8) / 96GB G.Skill Trident Z5 DDR5 6400
Video Card(s) EVGA RTX 1080 Ti FTW3 / Asus Tuff OC 4090 24GB
Storage Samsung 970 Evo Plus, 1TB Samsung 860, 4 Western Digital 2TB / 2TB Solidigm P44 Pro & more.
Display(s) 43" Samsung 8000 series 4K / 65" Hisense U8N 4K
Case Modded Corsair Carbide 500R / Modded Corsair Graphite 780 T
Audio Device(s) Asus Xonar Essence STX/ Asus Xonar Essence STX II
Power Supply Corsair AX1200i / Seasonic Prime GX-1300
Mouse Logitech Performance MX, Microsoft Intellimouse Optical 3.0
Keyboard Logitech K750 Solar, Logitech K800
Software Win 10 Enterprise LTSC 2021 IoT / Win 11 Enterprise IoT LTSC 24H2
Benchmark Scores https://www.passmark.com/baselines/V11/display.php?id=202122048229
Never give your information to anyone willingly. This is a perfect example of why you do NOT register your components. Because I already know first hand by way of association of friends, who worked in the security industry that this sh!t is a lot more common than being reported. All of your information that you give to a corporation will be hacked.

Because eventually they WILL cut corners. And IT is one of the places they WILL cut.
That's what "burner" accounts are for. I never give out real information when registering products. I do make sure I can warranty them as gifts though and even then through other burner accounts. My real e-mail gets no spam, my burner accounts are flooded with it. Every few months I delete everything in them to keep the accounts active. I also use a VPN at all times along with a hardware firewall I built years ago.
 
Joined
Sep 17, 2019
Messages
502 (0.26/day)
That's what "burner" accounts are for. I never give out real information when registering products. I do make sure I can warranty them as gifts though and even then through other burner accounts. My real e-mail gets no spam, my burner accounts are flooded with it. Every few months I delete everything in them to keep the accounts active. I also use a VPN at all times along with a hardware firewall I built years ago.
The average gerbil does not know anything about "Burner" accounts. If they did, this type of theft that is in the hundreds of billions of dollars per year would be downgraded.

And regardless of all of the VPN's and Fire walls and what not (though it does help a great deal)...

The best way to keep your information is to not have it online at all. Secondly back everything in a regular manner.

Again CLOSED SYSTEMS for your important things. This is why I still use snail mail for payment of important things.

In my case as I do backups up my system, If I get tagged with ransomware, I just hot swap it out with a HD+OS that has my back up (once a week) and frag the infected drive to oblivion.

Again as state before my rig has the ICY DOCK system. So 6 different OS are on my rig at the moment.

I'm also playing around with Zorin Linux and Gnome Box for virtualization as Linux has less issues than Windows.

The lesson is to not willingly give out your personal information to anyone and make it harder for thieves to get your info so they can to make your life miserable.




I maybe Old...
I maybe Cranky...
But Grandpa Charlie...

Does not sing The Blues...
:peace:
 
Joined
Aug 14, 2013
Messages
2,373 (0.57/day)
System Name boomer--->zoomer not your typical millenial build
Processor i5-760 @ 3.8ghz + turbo ~goes wayyyyyyyyy fast cuz turboooooz~
Motherboard P55-GD80 ~best motherboard ever designed~
Cooling NH-D15 ~double stack thot twerk all day~
Memory 16GB Crucial Ballistix LP ~memory gone AWOL~
Video Card(s) MSI GTX 970 ~*~GOLDEN EDITION~*~ RAWRRRRRR
Storage 500GB Samsung 850 Evo (OS X, *nix), 128GB Samsung 840 Pro (W10 Pro), 1TB SpinPoint F3 ~best in class
Display(s) ASUS VW246H ~best 24" you've seen *FULL HD* *1O80PP* *SLAPS*~
Case FT02-W ~the W stands for white but it's brushed aluminum except for the disgusting ODD bays; *cries*
Audio Device(s) A LOT
Power Supply 850W EVGA SuperNova G2 ~hot fire like champagne~
Mouse CM Spawn ~cmcz R c00l seth mcfarlane darawss~
Keyboard CM QF Rapid - Browns ~fastrrr kees for fstr teens~
Software integrated into the chassis
Benchmark Scores 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
Idk, burner accounts are actually a built in feature on Apple devices. Not sure why it’s not more ubiquitous on other platforms, or how many Apple users actually use it, but it ought to be a standard feature in web browsers.
 
Top