Hackers Leak Private Keys for MSI Products, Making It Easier to Attack Them

Cybercriminals could have an easier time attacking MSI laptops after a ransomware gang leaked private code signing keys for the company’s products. 

The leak traces back to a group known as Money Message, which announced last month that it had infiltrated MSI and stolen sensitive company files, including alleged source code. Money Message claims MSI refused to pay up to keep the information secret, so on Thursday, it posted the stolen data on its website on the dark web.

The ransomware group's site hosting the leaked files.



Cybersecurity firm Binarly analyzed the leaked files and confirmed they contain private code signing keys for MSI’s firmware across 57 products. (Binarly’s GitHub page mentions the names of all the affected models.)

These keys are important because MSI uses them to certify a firmware update comes from the company. Otherwise, a computer can flag the software as untrusted and potentially malicious. 

Now these leaked keys could end up in the wrong hands, and be abused to sign malware disguised as MSI-related software. “The signing keys for fw [firmware] image allow an attacker to craft malicious firmware updates and it can be delivered through normal BIOS update processes with MSI update tools,” Binarly CEO Alex Matrosov tells PCMag.

It's possible a malicious firmware update could be delivered through fake websites or email messages disguised as MSI. But Matrosov says the major attack vector involves the private keys being used “as a second stage payload” after the initial compromise occurs through a browser or a document-based phishing attack. Most antivirus systems would remain silent because the malware would have been digitally signed as belonging to MSI and recognized as a legitimate firmware update. 

The other problem is the leak also contains the private signing keys for Intel Boot Guard, which can verify the correct computer code is running when a PC first boots up. Binarly found private keys for Intel Boot Guard across 116 MSI products. But the company also noted Intel Boot Guard is used across the tech industry.


“The Intel BootGuard keys leak [is] impacting the whole ecosystem (not only MSI) and make this security feature useless,” Matrosov added.   

MSI and Intel didn’t immediately respond to a request for comment, making it unclear if they can revoke the private signing keys in some fashion. For now, MSI has merely warned that customers should only install firmware and BIOS updates from the company’s official websites, not from third-party sources.

Still, Matrosov is concerned that MSI has limited options to fix the problem. “I think for MSI it will be a complicated situation since to deliver new signing keys they still need to use leaked ones,” he said. “I don’t believe they do have any revocation mechanisms.”
