The threat actors behind the ransomware attack on Taiwanese PC maker MSI last month have leaked the company’s private code signing keys on their dark website.
“Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem,” Alex Matrosov, founder and CEO of firmware security firm Binarly, said in a tweet over the weekend.
“It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake.”
Present in the leaked data are firmware image signing keys associated with 57 PCs and private signing keys for Intel Boot Guard used on 116 MSI products. The Boot Guard keys from MSI are believed to impact several device vendors, including Intel, Lenovo and Supermicro.
Intel Boot Guard is a hardware-based security technology that’s designed to protect computers against executing tampered UEFI firmware.
The development comes a month after MSI fell victim to a double extortion ransomware attack perpetrated by a new ransomware gang known as Money Message.
MSI, in a regulatory filing at the time, said, “the affected systems have gradually resumed normal operations, with no significant impact on financial business.” It, however, urged users to obtain firmware/BIOS updates only from its official website and refrain from downloading files from other sources.
The leak of the Intel Boot Guard keys poses significant risks as it undermines a vital firmware integrity check and could allow threat actors to sign malicious updates and other payloads and deploy them on targeted systems without raising any red flags.
It also follows another advisory from MSI recommending users to be on the lookout for fraudulent emails targeting the online gaming community that claim to be from the company under the pretext of a potential collaboration.
This is not the first time UEFI firmware code has entered the public domain. In October 2022, Intel acknowledged the leak of Alder Lake BIOS source code by a third party, which also included the private signing key used for Boot Guard.
Supermicro Products Not Impacted#
Following the publication of the story, Supermicro told The Hacker News that it investigated the risks stemming the leak of Intel Boot Guard keys and that its products are not affected.
“Based on our current review and investigation, Supermicro products are not affected,” a spokesperson for the San Jose-based company said.
“Intel is aware of these reports and actively investigating,” the chipmaker told The Hacker News in a statement.
“There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel Boot Guard. It should be noted that Intel Boot Guard OEM keys are generated by the system manufacturer, and these are not Intel signing keys.”