Monday, 08 May 2023 14:34

PC Component Maker MSI has Private Code Signing Keys Leaked **Updated**

Written by

Reading time is around minutes.

Updated May-08-2023 with statement from Intel
Back in early April MSI, a popular PC and PC component maker, disclosed that it had a security incident. They stated that they quickly rolled out their Incident Response Team and enacted their recovery procedures (IR and BC/DR plans). Not much was known about the attack at the time, including when the incident happened, just that the disclosure was made to the relevant authorities.

Then the group claiming to be behind the attack, the Money Message group, made a claim that they were the ones that broke into MSI and infected them with ransomware and had exfiltrated data (as they do). They wanted $4 million dollars, or they would start leaking files on the internet. MSI did not disclose any information about who was behind the attack at the time and details on the event are still very limited.
Now it seems that the attackers are starting to make good on their threats as the Money Message gang has leaked MSI’s private code singing keys on their site on the dark web. The leak has been confirmed by Binarly saying that it was indeed the Intel OEM private key for MSI. They also cautioned that the current boot guard might not help protect users if they are running 11th, 12th and 13th generation Intel CPUs. Since the leak contained the boot guard signing keys for 116 MIS products along with firmware image singing keys for 57 PCs. These keys may also impact other vendors including Supermicro, Intel and Lenovo.

At the time of the original event MSI stated that there was “no significant impact” on financial business. They urged users to only download UEFI/BIOS updates from the official MAI site and not to use any third-party sites. This is always a good suggestion even if your code signing keys have not been stollen. The impact of these leaked keys is significant and something that will certainly have an impact on MSI sales due to reputational impact.

Meanwhile owners of MSI products and products with MSI produced hardware should be especially cautious and suspicious of any emails claiming to be MSI, social media posts containing links to fixes etc. MSI themselves have warned the gaming community to be on guard for emails that claim to be from them asking about potential collaboration. Be safe out there.

Intel is aware of the event and has released a statement:

“Intel is aware of these reports and actively investigating. There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel® BootGuard. It should be noted that Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys.”

The clarificiation is that while these signing keys may indeed get around Bootguard, they did not come from Intel, they would have been genberated by MSI.
Read 866 times Last modified on Monday, 08 May 2023 18:29

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.