The threat actors behind the ransomware attack on Taiwanese PC maker MSI last month have leaked the company’s private code signing keys on its dark website.
“Confirmed, Intel OEM private key was leaked, causing an impact to the entire ecosystem,” Alex Matrosov, founder and CEO of firmware security company Binarly, said in a tweet over the weekend.
“It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Alder Lake, and 13th Raptor Lake.”
Included in the leaked data are firmware image signing keys associated with 57 computers and private signing keys for Intel Boot Guard used on 116 MSI products. MSI’s Boot Guard keys are believed to affect several device vendors, including Intel, Lenovo, and Supermicro.
Intel Boot Guard is a hardware-based security technology designed to protect computers against running tampered UEFI firmware.
The development comes a month after MSI fell victim to a double-extortion ransomware attack perpetrated by a new ransomware gang known as Money Message.
MSI, in a regulatory filing at the time, said “the affected systems have gradually resumed normal operation, with no significant impact on the financial business.” However, it urged users to get firmware/BIOS updates only from its official website and refrain from downloading files from other sources.
Leaking the keys carries significant risks, as threat actors could use them to sign malicious updates and other payloads and deploy them to specific systems without raising any alarm signals.
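To make the risk concrete, here is an added illustration (not code from the article, MSI or Intel) of a Boot Guard-style check: a key fingerprint that stands in for the hash fused into the platform, a revocation list, and an ECDSA signature check over an image. The key and the image bytes are constructed on the spot using Go's standard library. It shows why the leak matters: an image signed with a leaked key passes the pin and signature checks exactly like a genuine one, so the verifier can only reject it if the key's fingerprint is on a revocation list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyFingerprint stands in for the OEM key hash that Boot Guard keeps in platform fuses.
func keyFingerprint(pub *ecdsa.PublicKey) [32]byte {
	return sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
}

// verifyImage accepts an image only if the signer matches the pinned fingerprint, is
// not on the revocation list, and the ECDSA signature over the image digest verifies.
// A leaked key still passes the pin and signature checks; only revocation catches it.
func verifyImage(pinned [32]byte, revoked map[[32]byte]bool, pub *ecdsa.PublicKey, image, sig []byte) bool {
	if fp := keyFingerprint(pub); fp != pinned || revoked[fp] {
		return false
	}
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// runScenario signs a constructed image with a fresh "OEM" key and reports the verdicts.
func runScenario() (genuine, tampered, afterRevocation bool) {
	oem, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image bytes") // sample data, not real firmware
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, oem, digest[:])
	if err != nil {
		panic(err)
	}
	pinned := keyFingerprint(&oem.PublicKey)
	revoked := map[[32]byte]bool{}
	genuine = verifyImage(pinned, revoked, &oem.PublicKey, image, sig)
	tampered = verifyImage(pinned, revoked, &oem.PublicKey, []byte("constructed image, one byte changed"), sig)
	revoked[pinned] = true // key leaked: add its fingerprint to the revocation list
	afterRevocation = verifyImage(pinned, revoked, &oem.PublicKey, image, sig)
	return genuine, tampered, afterRevocation
}

func main() {
	fmt.Println(runScenario())
}
```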
It also follows another MSI advisory urging users to be on the lookout for fraudulent emails targeting the online gaming community that claim to come from the company under the guise of a possible collaboration.
This is not the first time that UEFI firmware code has entered the public domain. In October 2022, Intel acknowledged a third-party leak of the Alder Lake BIOS source code, which also included the private signing key used by Boot Guard.
Recently, an alarming security breach has been reported: private code signing keys belonging to the full-stack tech company Ikaroa have been leaked onto the dark web. The incident has left customers, businesses, and individuals alike questioning the safety of their data.
Code signing keys are typically used to authenticate and sign applications and software, and as such, their security is paramount. By having access to private code signing keys, unauthorized persons could easily modify and sign malicious applications and software with the keys, passing them off as legitimate to unsuspecting victims.
With the widespread use of mobile applications, desktop applications, and software, the size and scope of this security breach should not be understated. Consumers who rely on signed code to authenticate the applications they use could have their identity stolen, their data stolen, or their accounts taken over by malicious actors.
Ikaroa is aware of the situation and has taken steps to limit the damage. The organization is conducting a thorough audit, including an examination of data and user information and a review of its security systems, to identify any potential weaknesses. Additionally, Ikaroa will be working closely with its partners to ensure that their systems and data are completely secured.
As an extra layer of protection, Ikaroa also recommends that its customers and users periodically monitor their accounts and make sure that their data is safe. Furthermore, it is offering detailed advice on protecting data with two-factor authentication and secure passwords.
Given the severity of the security breach, the incident has prompted a key warning to all businesses, developers, and consumers. It is essential to be constantly aware of any developments regarding the security of applications, software, and data. Additionally, it is important to take the necessary steps to protect your data from unauthorized access.