
Private Code Signing Keys Leaked on the Dark Web
The threat actor behind the ransomware attack on Taiwanese PC maker MSI last month has leaked the company’s private code signing key on their dark web site.
“Confirmed, Intel’s OEM private key was leaked, causing an impact on the entire ecosystem,” Alex Matrosov, founder and CEO of firmware security firm Binarly, said in a tweet over the weekend.
“It appears that Intel Boot Guard may be ineffective on certain devices based on 11th Tiger Lake, 12th Lake Adler, and 13th Raptor Lake.”
Present in the leaked data are firmware image signing keys associated with 57 PCs and private signing keys for Intel Boot Guard used on 116 MSI products. MSI’s Boot Guard key is believed to affect multiple device vendors, including Intel, Lenovo, and Supermicro.
Intel Boot Guard is a hardware-based security technology designed to protect computers from running tampered UEFI firmware.
The development comes a month after MSI fell victim to a double extortion ransomware attack carried out by a new ransomware gang known as Money Message.

MSI, in a regulatory filing at the time, said “the affected systems are gradually returning to normal operations, with no significant impact on the financial business.” However, it urged users to get firmware/BIOS updates only from its official website and to refrain from downloading files from other sources.
Key leaks pose a significant risk because threat actors can use them to sign malicious updates and other payloads and deploy them on targeted systems without raising any red flags.
It also follows another advisory from MSI recommending that users watch for fraudulent emails targeting online gaming communities that claim to be from the company under the pretext of possible collaboration.
This is not the first time that UEFI firmware code has entered the public domain. In October 2022, Intel acknowledged the leak of Alder Lake BIOS source code by a third party, which also included the private signing key used for Boot Guard.