About a month ago, cybercriminals broke into the systems of MSI, a computer hardware company. Upon investigation, researchers from IT security company Binarly found tens of private keys for signing MSI firmware and four Intel Bootguard keys in the wild. This compromised hundreds of MSI products, as attackers could manipulate the firmware for affected systems. Binarly CEO Alex Matrosov confirmed the findings on Twitter.
Matrosov wrote, “Confirmed, Intel OEM private keys have been leaked, affecting the entire ecosystem. It appears that Intel Bootguard is ineffective on certain devices updated to 11. [Generation] Tiger Lake, 12. [Generation] Alder Lake and 13. [Generation] Raptor Lake based”. The investigation is ongoing. Binarly suggests that other device manufacturers, such as Intel, Lenovo, Supermicro, and others, might also be affected.
The leaked private keys enable cybercriminals to create their firmware with malicious additions and sign it to pass it off as genuine MSI firmware. Intel Bootguard keys are designed to make sure only verified code loads when a system boots, which ensures hardware-based integrity as part of UEFI Secure Boot.
Binarly has opened a Github project and is collecting the keys found and affected systems there. The IT security researchers found 27 private firmware signing keys affecting 57 MSI products and four private Intel Bootguard keys affecting 116 MSI products. Since leaked keys can make malware appear trustworthy, MSI warned users to download firmware and BIOS updates from the official website only.
In early April, after the cyber intrusion, MSI warned that burglars who stole sensitive data such as BIOS files, ERP databases, private keys, and source code threatened to publish the information if the company did not pay a ransom. Sadly, it seems the burglars carried out their threat.
