Tuesday, 09 May 2023 12:39

Intel Investigating MSI Data Breach and Private Code Signing Key Theft

Written by

Reading time is around minutes.

Yesterday we reported on a ransomware attack that impacted PC and component manufacturer MSI. When they, MSI, disclosed the attack they claimed there was no significant impact, but failed to consider that most, if not all, modern ransomware attacks also incorporate exfiltration techniques to ensure a ransom is paid. This this case, the group Money Message had exfiltrated data a claimed 1.5TB of data that included firmware, source code, and databases. This sounds a bit significant at this point.

Things got even worse when Money Message leaked information that they claimed was source code for MSI firmware including the private code signing keys used by MSI to sign UEFI images and Intel BootGuard private keys. The Private BootGuard keys would have been generated by MSI and not Intel according to a response from Intel that was sent to us yesterday. However, there is still a problem. According to Binarly, a firmware supply chain security platform, these same signing keys can potentially be used to deploy malicious UEFI images to any device.

Intel BootGuard uses an embedded public key to confirm the private key presented to it when the new image is loaded/installed. If the attacker uses them to sign the image and the MSI firmware installer it should slip by the BootGuard process on any product, in theory. Now this level of attack is not something that your average threat group is going to be able to leverage, at least for now. The problem is that as with all new attacks they often start with more sophisticated groups and end up trickling down to others.

The hard part currently is getting around things like BootGuard, Firmware Protections (from MS) etc. Now that there is an option to sign malicious firmware readily available it is possible that this attack vector might have just opened to people outside of the nation-state level. It is very concerning to consider that this might now be a common attack vector considering a compromise of the UEFI firmware bypasses all operating system protections that are currently out. Now, this is worst-case scenario at this stage, Intel has yet to reveal the results of their investigation, so the keys released might not have a significant impact outside of MSI, or there maybe a way to update the embedded public key used by BootGuard to prevent loading of an UEFI signed with the compromised keys.

Right now things look scary, but they might end up not being as bad as they look right now. Updating certain parts of microcode in Intel processors is something that has happened in the past, it is potentially possible that this might be the way forward to protect against this threat vector. Until we know for certain, the best path forward is continued vigilance. Only download firmware from known good sources, be on the lookout for malicious attachments and links etc. You know the drill.

Read 1532 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.