Money Message gang leaked private code signing keys from MSI data breach

The ransomware gang behind the attack on Taiwanese PC maker MSI leaked the company’s private code signing keys on their darkweb leak site.

In early April, the ransomware gang Money Message announced to have hacked the Taiwanese multinational IT corporation MSI (Micro-Star International). Micro-Star International AKA MSI designs, manufactures, and sells motherboards and graphics cards for customers in the United States, Canada, and internationally. MSI is headquartered in Taipei, Taiwan.

The ransomware group added the company to the list of victims on its Tor leak site, it claimed to have stolen the source code from the company, including a framework to develop bios, and private keys.

MSI confirmed the security breach, it revealed that threat actors had access to some of its information service systems.

The Money Message group initially threatened to publish the stolen files by April 12, 2023, if the company will not pay the ransom.

Now the ransomware gang has leaked the company’s private code signing keys on their darkweb leaksite.

The authenticity of the leaked private key was confirmed by Alex Matrosov, founder of firmware security firm Binarly. The expert warns of the potential impact of such a leak and recommends conducting a careful analysis to determine the scope of the leak.

The popular cryptographer and security technologist Matthew Green expressed his disappointment at the leak of such sensitive information and criticized the measures taken by the company to protect them.

The data leak includes code signing keys associated with tens of PCs and private signing keys for Intel Boot Guard which is used on more than one hundred MSI products.

According to Binarly, the exposed devices include multiple MSI laptop model series, including Stealth, Creator, Crosshair, Katana, Modern, Prestige, Pulse, Raider, Sword, Summit, Vector.

The experts warn of a potential supply chain attack because the Boot Guard keys from MSI are used by many other vendors, including Intel and Lenovo.

The availability of code signing keys can allow threat actors to sign malicious code that can be executed on targeted systems bypassing security measures in place.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)