MSI confirms security breach, $4M ransom demand

Spotty

Summary

MSI has reported that it was the victim of a cyberattack. Ransomware group "Money Message" has claimed responsibility for the attack and says it has stolen source code and BIOS firmware from MSI, demanding a $4M ransom.

MSI is warning users not to download BIOS updates from 3rd party sources.

Quotes

Quote

Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as "Money Message," which claims to have stolen source code from the company's network.

[...]

The threat actor has listed MSI on its data leak website and posted screenshots of what they claim to be the hardware vendor's CTMS and ERP databases and files containing software source code, private keys, and BIOS firmware.

Money Message now threatens to publish all these allegedly stolen documents in about five days unless MSI meets its ransom payment demands.

According to chats seen by BleepingComputer at the time, the threat actors claimed to have stolen 1.5TB of data from MSI's systems, including source code and databases, and demanded a ransom payment of $4,000,000.


Message from the hacking group:

Quote

"Say your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios," a Money Message operator said in a chat with an MSI agent.

Statement from MSI:

Quote

MSI recently suffered a cyberattack on part of its information systems. Upon detecting network anomalies, the information department promptly activated relevant defense mechanisms and carried out recovery measures, and reported the incident to government law enforcement agencies and cybersecurity units. Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business.

MSI urges users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website.

My thoughts

With the BIOS firmware and private keys for signing the BIOS stolen, could this allow attackers to embed malware into a BIOS update package? MSI is warning people not to download BIOS firmware from any 3rd party sources. I think many people will download their motherboard BIOS updates directly from the motherboard manufacturer's website anyway, and I think not downloading BIOS updates from third party sources is pretty good advice in general.

Since the attackers had access to MSI's systems, I would also be cautious of any BIOS updates or software downloads from the official MSI website as well for the time being. The attackers could have substituted files and signed them with the keys they stole so they would appear authentic. Maybe hold off on the BIOS updates from MSI for now.

Be vigilant of any websites impersonating MSI with malicious downloads, as has been seen with phishing websites impersonating MSI Afterburner to deliver malware.

The "Money Message" gang who claimed the hack have also been involved in a few other high-profile hacks and ransomware attacks in recent weeks, also claiming they hacked an Asian airline last week. I doubt this will be the last we hear of them, as these attacks usually come in large waves.

It seems there's been an increase in cyberattacks on major companies recently. Western Digital MyCloud is still offline after an attack over a week ago.

Are the companies becoming more lax with their security, are the attackers getting better, or are the companies just disclosing the breaches now instead of covering them up?

Sources

https://www.msi.com/news/detail/MSI-Statement-141688

https://www.bleepingcomputer.com/news/security/money-message-ransomware-gang-claims-msi-breach-demands-4-million/


Yup. China (Taiwan) Airlines got hacked. No doubt the government-backed terrorists will make their way to the USA or Canada soon, because we have a pretty good idea which country is behind these attacks.

Companies aren't getting lax. They are in fact inconveniencing their customers with things like unsolvable captchas, VPN access restrictions, no password managers, no copying and pasting passwords. I'm sure there are more. But the worst part is corporations are paying money to these terrorists.

9 minutes ago, Spotty said:

Money Message

I'm sorry, but that name

You can't get more on the nose than that.


8 minutes ago, Lorca said:

But worst part is corporations are paying money to these terrorists.

Do you think MSI are going to pay the $4M ransom?

Money Message has a website up with a timer on it counting down how long MSI has left to pay. The breach was announced a few days ago, but I think they still have time left of the 5-day deadline they were given to pay before the attackers release the data they stole. Could just watch and see if the clock runs out and if they release the data.

I haven't looked for the hackers' website, but here's a screenshot from one of the articles.


Worst part is, even if MSI did pay, it wouldn't matter because they already got the files. Nothing is stopping them from abusing the files in the event they do get paid, other than "honor". And we know there's no such thing for these types of people.

... Is there a way to simply lock your BIOS to prevent it from being modified until you unlock it? If not, board manufacturers really need to start putting that feature in.


1 hour ago, Lightwreather JfromN said:

I'm sorry, but that name

You can't get more on the nose than that.

I'm sure their name sounds real badass in whatever language they're using, but the translation to English is just weird.

Even though I don't own or use any MSI products, I'm very concerned about this. You'd think companies in the tech space would have the best cybersecurity practices and systems in place and that such attacks shouldn't be a thing.


1 hour ago, Spotty said:

With the BIOS firmware and private keys for signing the BIOS stolen could this allow attackers to embed malware in to a BIOS update package?

Technically yes, but it's no more of a threat than when everyone got their hands on the leaked AMI tools years ago. Having the source code to MSI's BIOS is pointless. MSI doesn't make their own BIOS; very few actually do. Most of them use the aforementioned AMI tools to tweak an existing BIOS and skin it per their preferred branding.

The leaked private keys are problematic, especially if they are referring to DigiCert keys, as it means MSI will need to invalidate all original certs and recertify all drivers and BIOS published by them using a new DigiCert key. This would be more annoying for their OEM sector; most end users won't even notice the issue. If you are a downstream partner and get signed drivers from MSI for CHID targeting on Windows Update, you'll need new drivers to remain compliant there as well.

Overall, I don't see MSI paying the ransom, because even if they called this bluff, the consequences are nearly nonexistent. There is no threat to BIOS security beyond the currently existing threat of the AMI tools leak from years ago (you can already make custom BIOSes for MSI boards with unlocked XOC menus), and the pkey issue can be resolved with new keys.

Leaking CTMS/ERP would be annoying, but competitors wouldn't be able to use the leaked data legally, so I doubt anyone would be stupid enough to try.


58 minutes ago, TetraSky said:

Worst part is, even if MSI did pay, it wouldn't matter because they already got the files. Nothing is stopping them from abusing the files in the event they do get paid, other than "honor". And we know there's no such thing for these types of people.

What is sometimes more common is that the ransom will be a "low" amount, and then if they get paid they have the hook: "Well, they paid us, so they clearly care about this... so let's charge them more!"


2 hours ago, MageTank said:

Technically yes, but it's no more of a threat than when everyone got their hands on the leaked AMI tools years ago. Having the source code to MSI's BIOS is pointless. MSI doesn't make their own BIOS; very few actually do. Most of them use the aforementioned AMI tools to tweak an existing BIOS and skin it per their preferred branding.

The leaked private keys are problematic, especially if they are referring to DigiCert keys, as it means MSI will need to invalidate all original certs and recertify all drivers and BIOS published by them using a new DigiCert key. This would be more annoying for their OEM sector; most end users won't even notice the issue. If you are a downstream partner and get signed drivers from MSI for CHID targeting on Windows Update, you'll need new drivers to remain compliant there as well.

Overall, I don't see MSI paying the ransom, because even if they called this bluff, the consequences are nearly nonexistent. There is no threat to BIOS security beyond the currently existing threat of the AMI tools leak from years ago (you can already make custom BIOSes for MSI boards with unlocked XOC menus), and the pkey issue can be resolved with new keys.

Leaking CTMS/ERP would be annoying, but competitors wouldn't be able to use the leaked data legally, so I doubt anyone would be stupid enough to try.

Yeah, that is what I was thinking. This doesn't seem like very important data compared to some other data leaks. I wouldn't pay it if I were MSI, as it would only incentivize this type of behavior, and I would rather deal with the consequences of it being leaked because they are minimal.

4 hours ago, Spotty said:

MSI is warning users not to download BIOS updates from 3rd party sources.

...snip...

 

I think many people will download their motherboard BIOS updates directly from the motherboard manufacturer's website anyway, and I think not downloading BIOS updates from third party sources is pretty good advice in general.

....

Be vigilant of any websites impersonating MSI with malicious downloads, as has been seen with phishing websites impersonating MSI Afterburner to deliver malware.

Holy heaven, are there people who would download their BIOS from a third-party website? Let me make it clear I 100% agree with you on this, especially for people who are DIY'ing their PC. Like, who is the third party that would have a BIOS other than the manufacturer in this scenario? I just can't imagine why anyone would think that's a good idea.

By the by, I think they will pay the money. To corporate types, money is the cause of and solution to all of life's problems. To a 47.8 billion dollar company like MSI, 4 million dollars is like paying a toll to drive on the highway.

10 minutes ago, Brooksie359 said:

Yeah, that is what I was thinking. This doesn't seem like very important data compared to some other data leaks. I wouldn't pay it if I were MSI, as it would only incentivize this type of behavior, and I would rather deal with the consequences of it being leaked because they are minimal.

Perhaps. BUT could having the source code for this show hackers how to compromise systems that have MSI's BIOS? You know, exposing some low-level backdoor that more mundane malware could use to attack a system.

3 minutes ago, Uttamattamakin said:

Holy heaven, are there people who would download their BIOS from a third-party website? Let me make it clear I 100% agree with you on this, especially for people who are DIY'ing their PC. Like, who is the third party that would have a BIOS other than the manufacturer in this scenario? I just can't imagine why anyone would think that's a good idea.

By the by, I think they will pay the money. To corporate types, money is the cause of and solution to all of life's problems. To a 47.8 billion dollar company like MSI, 4 million dollars is like paying a toll to drive on the highway.

Perhaps. BUT could having the source code for this show hackers how to compromise systems that have MSI's BIOS? You know, exposing some low-level backdoor that more mundane malware could use to attack a system.

My question to you is, do you think they won't sell this data to other hackers? Sure, they may not post the data publicly, but I imagine that if they can make money off of it they will sell that data to other hackers even if MSI pays the 4 million. I'm sorry, but paying them really doesn't seem like it would be all that helpful imo.

7 minutes ago, Uttamattamakin said:

Holy heaven are there people who would download their BIOS from a third party website?

Probably not a thing in recent years, but BIOS mods were around 5-10 years ago to get around limitations of the official BIOS or add unsupported features. The only one I personally tried was for "non-K" overclocking on Skylake. BIOS mods could also enable CPU support outside that of the intended chipset generation.

Similarly, before VBIOS got locked down, it was another overclocking avenue. I didn't download in that case but edited my own.


43 minutes ago, Brooksie359 said:

My question to you is, do you think they won't sell this data to other hackers? Sure, they may not post the data publicly, but I imagine that if they can make money off of it they will sell that data to other hackers even if MSI pays the 4 million. I'm sorry, but paying them really doesn't seem like it would be all that helpful imo.

Future ability to exact ransoms depends on them holding up their end of the deal. In a business transaction, especially an illegal one, reputation is everything. If they were to do that, then no corp would ever pay them again. It would be pointless. If they hold up their end of the deal, they can do this again, and again, until each member of their hacker group is a millionaire.

37 minutes ago, porina said:

Probably not a thing in recent years, but BIOS mods were around 5-10 years ago to get around limitations of the official BIOS or add unsupported features. The only one I personally tried was for "non-K" overclocking on Skylake. BIOS mods could also enable CPU support outside that of the intended chipset generation.

Similarly, before VBIOS got locked down, it was another overclocking avenue. I didn't download in that case but edited my own.

Very informative. Perhaps this is more of a concern down the line, when there may be reason to mod the BIOS of a current generation motherboard to support some chip or other that will fit in a given socket but just not work, but could work?

5 hours ago, Spotty said:

With the BIOS firmware and private keys for signing the BIOS stolen could this allow attackers to embed malware in to a BIOS update package?

Man, getting access to the private keys, together with the source code, already completely opens the door to easy-to-execute backdoors.

From the consumer perspective, you can now only "trust" BIOSes downloaded from MSI's site itself (which will suck when they don't provide one or decide to pull it). Then it's still a matter of whether you trust MSI's source (at least for a while now)... but what are the bets they would even look to see if binaries were changed on their site?

The bit that I think makes this bad, though: if, let's say, you have an MSI product in your PC and fall victim to an attack like the one Linus fell victim to, you can no longer trust any MSI components in there. At this stage it would be trivial to infect any MSI component at the firmware level, and then the infected components could easily just ignore other firmware updates or pretend to update the firmware, effectively killing any hope of actually updating it.

With that said, I hope that MSI generates new keys and provides a firmware update to all devices to invalidate the old public keys and install the new public keys.


29 minutes ago, Uttamattamakin said:

Future ability to exact ransoms depends on them holding up their end of the deal. In a business transaction, especially an illegal one, reputation is everything. If they were to do that, then no corp would ever pay them again. It would be pointless. If they hold up their end of the deal, they can do this again, and again, until each member of their hacker group is a millionaire.

Very informative. Perhaps this is more of a concern down the line, when there may be reason to mod the BIOS of a current generation motherboard to support some chip or other that will fit in a given socket but just not work, but could work?

How would they even know? I mean, if it's between two hackers, I doubt they would leak about them getting the code from this hacker group. Also, again, they get money from MSI and money from other hackers, so it's just more money.

22 hours ago, Spotty said:

Do you think MSI are going to pay the $4M ransom?

I think they will not pay, because there is no guarantee that the files won't leak even after the hackers get paid, or that they won't ask for more in the future.

Btw, I think no one can save people from being stupid. Imagine downloading BIOS, firmware, driver, etc. updates from some random website. It is only your fault if you are stupid enough to download that from any random website.

Considering how bad MSI customer service is I wouldn't be surprised if the hackers were placed on a "brief" hold.
