Intel is looking into claims that private OEM BootGuard keys are out there after MSI reported a ransomware assault last month. Micro-Star International (MSI), a Taiwanese computer hardware manufacturer, said the previous month in a filing with the Taiwan Stock Exchange that it had been the victim of a cyberattack.
Although MSI did not disclose the nature of the breach it suffered, the announcement came shortly after the “Money Message” ransomware group threatened to release MSI’s source code and private keys on its data leak site unless the company paid a ransom.
On Friday, Alex Matrosov, founder and CEO of security provider Binarly, tweeted that the leak of an OEM private key for Intel’s security feature Boot Guard had “an impact on the entire ecosystem.” The leak allegedly occurred last week.
Intel’s BootGuard is a built-in security feature that blocks potentially harmful firmware from loading in the UEFI. “The policies of Intel BootGuard are rooted in Field Programmable Fuses, making them unalterable for the lifetime of a platform,” reads a white paper published by Intel. Once Intel Boot Guard is deployed, it cannot be turned off, and spoofing of provisioned policies is impossible.
Based on a statement released by the company, Intel is “aware of these reports and actively investigating.” The company did not explicitly indicate that private keys are out there, but they did say that “Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys.”
According to an email from Matrosov, the MSI breach’s exposed keys affect a wide variety of hardware, including the HP t430 and t638 Thin Client, the Lenovo Ideacentre AIO 330-20IGM, 310s-08igm, and a340-24igm, the Lenovo v330 and v130 laptops, the CompuLab fitlet2 IoT Gateway, and the Star Labs StarLite Ultrabooks MkIII and MkIV.
“The MSI keys that were compromised compromised hardware-based security features like Intel Boot Guard,” he explained. To paraphrase the author, “this renders the security measures useless and allows attackers to cause supply chain attacks on the devices.”
Matrosov also made a similar allusion to a leak of Lenovo source code from late last year, which also exposed Intel BootGuard keys. According to him, Binarly will release further details about the MSI leak next week.
Eclypsium’s senior vice president of strategy, John Loucaides, confirmed to TechTarget Editorial that the business had confirmed the authenticity of the private BootGuard keys in the compromised MSI files.
While the full list of affected goods and services is still being confirmed, he said, “BootGuard keys have leaked.” We wanted to confirm that they are the same keys used in production firmware images, although it makes it likely that these would be included alongside other important IPs. Up to this point, everything seemed to make sense.
With the level of access BootGuard has, he said, it’s a “big deal” if BootGuard keys, even OEM keys, were leaked. Malicious firmware that fools several computers into thinking it’s legitimate is the root of the problem. To support his beliefs, he cited a recent blog article on firmware attacks by Eclypsiu. “This is a real threat, and it has happened many times before,” he added.
Most cyber security systems won’t be able to see attacks happening below the operating system, which is a major problem. Eclypsium and Binarly are both conducting in-depth analyses to understand these threats better and help businesses react to them faster. Malicious firmware images associated with this breach have not yet been observed in the wild.
Conclusion
The private code signing keys of Taiwanese PC manufacturer MSI have been released on the dark web by the threat actors responsible for last month’s ransomware attack. Over the weekend, Alex Matrosov, founder and CEO of firmware security firm Binarly, tweeted, “Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem.” Intel Boot Guard may not work properly on some 11th-generation Tiger Lake, 12th-generation Adler Lake, and 13th-generation Raptor Lake-based devices. The stolen information includes private signing keys for Intel Boot Guard used on 116 MSI devices and firmware image signing keys connected with 57 PCs.
Several companies, including Intel, Lenovo, and Supermicro, may be affected by the MSI Boot Guard keys. Protecting computers from running malicious UEFI firmware is the goal of Intel Boot Guard, a hardware-based security mechanism. One month after MSI was hit by a double extortion ransomware attack, a new ransomware gang called Money Message emerged. MSI stated at the time in a regulatory filing that “the affected systems have gradually resumed normal operations, with no significant impact on financial business.” However, is strongly recommended that customers always download firmware/BIOS upgrades from its official website.
