Hackers publish MSI private keys, enabling signed malware
Be extra careful when downloading MSI firmware updates and other software
By Daniel Sims
Alert: Owners of MSI motherboards, laptops, and other devices should take extra caution when downloading firmware updates and other software from the company, as it could be disguised malware. Hackers recently published the company's private keys, which could let malicious actors sign their code as if it came from MSI.
Security researchers have confirmed that private keys for MSI products and Intel Boot Guard are loose in the wild. Hackers could use the keys to sign malware under the guise of official MSI firmware. Intel Boot Guard is a critical security check that runs when a computer first starts up, and the leaked keys could let attackers bypass it.
Researchers at Binarly said the leaked keys affect dozens of products from several companies, including Intel, Lenovo, Supermicro, and others. See the group's GitHub page for a complete list. Binarly tweeted that it will hunt for specific examples of infected firmware to let users know what to avoid.
When updating any affected devices, downloading directly from MSI's website is the safest option. Users should be suspicious of emails and other messages purportedly coming from MSI.
Digging deeper into the aftermath of the @msiUSA data breach and its impact on the industry.
Leaked Intel BootGuard keys from MSI are affecting many different device vendors, including @Intel, @Lenovo, @Supermicro_SMCI, and many others industry-wide.
#FwHunt is on! https://t.co/NuPIUJQUgr pic.twitter.com/ZB8XKj33Hv
– BINARLY (@binarly_io) May 5, 2023
Be careful when searching for MSI, as hackers could game Google's search rankings to distribute fraudulent firmware through fake websites. Checking URLs for oddities is always a good practice. A company's Twitter account or Wikipedia page is usually a more reliable source for trustworthy website links. Attacks delivered through other vectors could also be more dangerous than usual because malware masquerading under MSI keys can easily avoid detection from antivirus and other security systems.
Hackers hit MSI with a significant cyberattack last month. While the company didn't confirm that it was ransomware, the ransomware gang Money Message was likely behind the incident. Money Message claimed it extracted around 1.5 terabytes of data after infiltrating MSI's systems. The materials included signing keys, source code, and private communications. The company decided against paying the group's $4 million ransom, after which the gang appears to have followed through on its threat to publish the stolen information.
The attack on MSI is just another in a string of recent cybercrimes. Western Digital vaguely confirmed that hackers leaked some customers' data. A February ransomware attack left the US Marshals Service's computer systems offline for 10 weeks. Another incident forced Dallas to shut down its IT services, affecting the 911 dispatch system, the county police website, and jury trials.