Cybercriminals could have an easier time attacking MSI laptops after a ransomware gang leaked private code signing keys for the company’s products.
The leak traces back to a group known as Money Message, which announced last month that it had infiltrated MSI and stolen sensitive company files, including alleged source code. Money Message claims MSI refused to pay up to keep the information secret, so on Thursday, it posted the stolen data on its website on the dark web.
Cybersecurity firm Binarly analyzed the leaked files and confirmed they contain private code signing keys for MSI’s firmware across 57 products. (Binarly’s GitHub page mentions the names of all the affected models.)
These keys are important because MSI uses them to certify a firmware update comes from the company. Otherwise, a computer can flag the software as untrusted and potentially malicious.
Now these leaked keys could end up in the wrong hands, and be abused to sign malware disguised as MSI-related software. “The signing keys for fw [firmware] image allow an attacker to craft malicious firmware updates and it can be delivered through normal BIOS update processes with MSI update tools,” Binarly CEO Alex Matrosov tells PCMag.
It's possible a malicious firmware update could be delivered through fake websites or email messages disguised as MSI. But Matrosov says the major attack vector involves the private keys being used “as a second stage payload” after the initial compromise occurs through a browser or a document-based phishing attack. Most antivirus systems would remain silent because the malware would have been digitally signed as belonging to MSI and recognized as a legitimate firmware update.
The
Read more on pcmag.com