In March, the Money Message extortion gang targeted MSI, claiming to have stolen 1.5TB of data during the attack. This data included firmware, source code, and databases. The ransomware group demanded a ransom of $4 million, and when they didn't receive the payment, they started leaking the stolen data on their data leak site.
Leaked Data: Impact on Intel Boot Guard and MSI Devices
The leaked data from MSI contained the source code for firmware used in the company's motherboards. According to Alex Matrosov, CEO of firmware supply chain security platform Binary, the leaked source code included image signing private keys for 57 MSI products and Intel Boot Guard private keys for 116 MSI products.
BleepingComputer reported that Intel had confirmed they are aware of the reports and are currently investigating the matter. It is important to note that the leaked Intel Boot Guard OEM keys are generated by the system manufacturer and are not Intel signing keys.
Matrosov stated that the leak has potentially rendered Intel Boot Guard ineffective on MSI devices using 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake CPUs. The leaked signing keys could allow attackers to craft malicious firmware updates, which can be delivered through standard BIOS update processes using MSI update tools.
Intel Boot Guard: A Crucial Security Feature
Intel Boot Guard is an essential security feature in modern Intel hardware, designed to prevent the loading of malicious firmware, known as UEFI rootkits. It is a critical component for meeting Windows UEFI Secure Boot requirements. Malicious firmware can hide its activities from the kernel and security software, persist even after an operating system is reinstalled, and assist in installing malware on compromised devices.
Intel Boot Guard verifies the legitimacy of a firmware image by checking if it's signed using a valid private signing key with an embedded public key in the Intel hardware. If the firmware is verified, it is allowed to load on the device. If not, the firmware is blocked.
The Risks of Leaked Intel Boot Guard Keys
Leaked Intel BootGuard keys from MSI |
Binary has shared an advisory on Twitter, warning about the potential impact of the leaked keys on Intel Boot Guard technology. The advisory states that the leaked private keys can enable an attacker to sign modified firmware for the affected devices, bypassing Intel Boot Guard's verification and rendering the technology ineffective.
While the leaked keys might not be useful for most threat actors, skilled attackers, such as those behind CosmicStrand and BlackLotus UEFI malware, have used malicious firmware in previous attacks.
Binary has released a list of the 116 MSI devices reportedly affected by the leaked Intel Boot Guard keys. The leak highlights the urgent need for both Intel and MSI to address the potential vulnerability in Intel Boot Guard security, as attackers may now be able to craft malicious firmware updates on affected devices without fear of being detected by the security feature.