The Money Message hacker group has made it easier to hack MSI laptops by releasing confidential software signing keys for the manufacturer’s products, previously stolen from MSI’s own servers. Attackers can now infect laptops under the guise of an official BIOS, and the system won’t notice the trick.
Last month, MSI’s servers were hacked. The attackers stole sensitive data and threatened to release it if MSI didn’t pay them a multimillion-dollar ransom. Apparently, the company didn’t make a deal with the hackers, so on Thursday they published various proprietary manufacturer data, including authentication keys for MSI laptop software, on their dark web site.
Cybersecurity firm Binarly analyzed the data leaked by the hackers and confirmed that it contained BIOS keys for 57 of the company’s laptop models, among other things. Binarly published a list of the affected laptop models in its GitHub repository.
These keys are important because MSI uses them to certify updates to its software. Without a valid signature, the computer treats a software update as untrusted and potentially malicious. Now these keys can fall into the wrong hands and be used to sign malicious code, which the system will then perceive as official software from the manufacturer.
“Software signing keys allow an attacker to create malicious firmware updates that can be delivered to a victim’s system via normal BIOS update processes using MSI update tools,” Alex Matrosov, the head of Binarly, commented in a conversation with PCMag.
Using the keys, malware can enter the user’s computer via fake websites or emails pretending to be from MSI. However, according to Matrosov, the key attack vector in this case is a “secondary download”, carried out after malware has already entered the victim’s computer through a browser download or a phishing attack. In this case, most antivirus systems simply ignore the malware on the computer, because it is signed as if it came from the manufacturer.
Another issue is the leak of keys for Intel Boot Guard, which provides hardware-based BIOS boot integrity protection: it detects unauthorized boot blocks and prevents them from executing. According to Binarly, the leaked MSI data contains Intel Boot Guard keys for 117 of the company’s products. Intel Boot Guard technology is used in many segments.
“The leaked Intel BootGuard keys impact the entire ecosystem, not just MSI products, rendering this security feature useless,” says Matrosov. MSI and Intel did not respond to PCMag’s request for comment.
So far, MSI has only advised its users not to download its software from unofficial sources. According to Matrosov, MSI has a very limited range of possible solutions to this problem. “In my opinion, MSI is in a very difficult situation because in order to update the keys to new secure keys, old stolen keys have to be used. I don’t think the company has a mechanism to easily revoke compromised keys,” added the expert.
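
A simplified model of the update signature check and of the revocation problem Matrosov describes, added here as an illustration and not taken from MSI, Intel, Binarly or PCMag. It assumes a toy RSA key pair and a hypothetical device-side `verify_update` with a revocation list keyed by public-key fingerprint; real firmware update and Boot Guard verification differ in detail.

```python
import hashlib

# Toy textbook RSA (tiny modulus, no padding) standing in for a vendor
# firmware-signing key pair. Constructed for illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: the secret that leaked

def digest(data: bytes) -> int:
    """SHA-256 of the image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Anyone who holds D can produce this value, vendor or not."""
    return pow(digest(data), D, N)

def key_id(n: int, e: int) -> str:
    """Short fingerprint of a public key, used as the revocation-list entry."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def verify_update(image: bytes, sig: int, revoked=frozenset()) -> str:
    """Hypothetical device-side check: revocation list first, then signature."""
    if key_id(N, E) in revoked:
        return "rejected: signing key revoked"
    if pow(sig, E, N) != digest(image):
        return "rejected: bad signature"
    return "accepted"

# Constructed sample inputs.
VENDOR_IMAGE = b"constructed: firmware image built by the vendor"
FOREIGN_IMAGE = b"constructed: image built by someone else holding the leaked key"
ROTATION_MSG = b"constructed: vendor update that installs a new public key"
REVOKED = frozenset({key_id(N, E)})

if __name__ == "__main__":
    # The signature check alone cannot tell who used the key.
    print(verify_update(VENDOR_IMAGE, sign(VENDOR_IMAGE)))
    print(verify_update(FOREIGN_IMAGE, sign(FOREIGN_IMAGE)))
    # Revoking the key stops both, including the vendor's own key rotation.
    print(verify_update(FOREIGN_IMAGE, sign(FOREIGN_IMAGE), REVOKED))
    print(verify_update(ROTATION_MSG, sign(ROTATION_MSG), REVOKED))
```

While the key is still trusted, both images are accepted; once it is revoked, the rotation message signed with the old key is rejected as well, which is the bind the quote points to.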