Leak of MSI UEFI signing keys sparks concerns of potential supply chain attack

A researcher has raised concerns over the potential of a devastating supply chain attack following a ransomware intrusion on hardware manufacturer Micro-Star International, also known as MSI. Such an attack could involve the injection of malicious updates that have been signed with company signing keys that are trusted by an enormous base of user devices. “It’s kind of like a doomsday scenario where it’s very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication,” said Alex Matrosov, CEO, head of research, and founder of security firm Binarly.

Leaked key + no revocation = recipe for disaster

Matrosov analysed data that had been released on the dark web by the extortion portal of the Money Message ransomware group following a ransomware attack on MSI. The data included two private encryption keys, one of which is the signing key that MSI uses to digitally sign firmware updates and prove that they are legitimate. If this leaked key were to be used to sign updates, it could infect a computer’s system without triggering warnings. Moreover, MSI does not currently have an automated patching process and therefore has no key revocation capabilities available.
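To make the revocation point concrete, here is an added example (not code from the article, Binarly or MSI) that models a device’s firmware trust store with Ed25519 in Go: a device that has never received a revocation update keeps accepting images signed with the leaked key, while a device whose trust store lists that key as revoked rejects them. The key, the firmware image and the key-ID scheme are constructed stand-ins, not MSI’s real material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// keyID is a short fingerprint standing in for a certificate thumbprint in a trust store.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Device models one machine's firmware trust store: the vendor keys it accepts and the
// key IDs it has been told to revoke (empty on a device no revocation update has reached).
type Device struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Update is a firmware image plus its signature and the ID of the signing key.
type Update struct {
	Image, Signature []byte
	SignerID         string
}
// SignUpdate is what the vendor, or anyone holding a leaked copy of its key, does.
func SignUpdate(priv ed25519.PrivateKey, image []byte) Update {
	return Update{image, ed25519.Sign(priv, image), keyID(priv.Public().(ed25519.PublicKey))}
}

// Accepts reports whether the device would install: valid signature under a trusted, unrevoked key.
func (d Device) Accepts(u Update) bool {
	pub, ok := d.Trusted[u.SignerID]
	if !ok || d.Revoked[u.SignerID] {
		return false
	}
	return ed25519.Verify(pub, u.Image, u.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for the leaked key
	trust := map[string]ed25519.PublicKey{keyID(pub): pub}
	stale := Device{Trusted: trust, Revoked: map[string]bool{}}
	patched := Device{Trusted: trust, Revoked: map[string]bool{keyID(pub): true}}
	bad := SignUpdate(priv, []byte("constructed firmware image")) // signed with the leaked key
	fmt.Println(stale.Accepts(bad), patched.Accepts(bad)) // true false
}
```

The only difference between the two devices is the revocation entry; without a channel to push that entry to every machine, the stale fleet keeps trusting the leaked key indefinitely.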

If an attacker were to gain control of MSI’s private key, which is used to certify legitimate updates, they could deliver malicious payloads to users’ systems, much like the Kremlin-backed hacking unit APT29 and Cozy Bear did during the 2019 SolarWinds attack, which compromised SolarWinds’ software build and distribution system. The attackers used this access to infect more than 18,000 customers with malware and delivered backdoors for use in espionage to 10 federal agencies and around 100 private companies.

Although MSI has not yet commented on the matter, the National Cyber Security Centre has written an advisory. “Because successful abuse is technically complex and in principle requires local access to a vulnerable system, the NCSC considers the risk of abuse to be small,” NCSC officials wrote. “However, it is not inconceivable that the leaked keys will be misused in targeted attacks. The NCSC is not yet aware of any indications of misuse of the leaked key material.”

Further precautions should be taken by anyone using affected hardware, which appears to be limited to MSI customers and third parties that resell MSI hardware. It is recommended that users be cautious of any firmware updates, even when they are validly signed.