The MSI security breach: a tale of leaked keys and a reminder to keep our secrets safe

Another day, another breach. Micro-Star International (MSI), a renowned Taiwanese manufacturer of laptops, video adapters, and motherboards, recently fell victim to a ransomware attack. The orchestrators? A group known as Money Message. The fallout? A private code signing key leak that could impact hundreds of MSI products and beyond. Well, read on to find out.

The stolen keys, my friends, are not your ordinary garage lock keys. They’re the digital equivalent of a master key that can open every door in a skyscraper, and MSI uses them to certify that a firmware update is genuine. With these keys out in the wild, cybercriminals could potentially sign malware as MSI-related software, turning the keys into a weapon against unsuspecting victims.

The MSI breach: the hard facts

The MSI breach wasn’t your run-of-the-mill security lapse. In a classic ransomware attack scenario, the Money Message group infiltrated MSI’s systems, stealing sensitive company files, which, allegedly, includes some of their proprietary source code. And when their ransom demands fell on deaf ears, they decided to leak the stolen data on the dark web.

The leaked data was not just any ordinary information; it contained private code signing keys for MSI’s firmware across 57 products and Intel Boot Guard keys for 116 MSI products —  the gatekeepers of the tech ecosystem, and their leak could have a domino effect on the entire industry. This is a serious issue since the leaked keys can potentially be used to sign malware disguised as MSI-related software and bypass security measures, including Intel Boot Guard. If these keys find their way to the wrong hands, and if those hands are crafty, they can roll out malicious firmware updates, which could be delivered through normal BIOS update processes with MSI update tools.

The aftermath

Let’s just say, now everyone knows MSI’s grandma’s secret apple pie recipe. Sure, not everyone can replicate it perfectly, but the fact that it’s out there is enough to cause a stir. As the dust settles on the MSI breach, the Money Message gang is celebrating their victory while the tech world scrambles to assess the damage and is left to grapple with its implications.

According to Binarly, the leaked keys can potentially cause widespread complications, affecting not just MSI but other vendors as well. This disrupts the secure-boot trust chain for all products relying on these keys, leaving individual device owners with no other option but to ramp up third-party protective measures and keep using them until the products themselves are not used.

This situation is further complicated by the fact that these keys cannot be revoked, making the issue a persistent thorn in cybersecurity. The world isn’t fair.

Navigating the breach

This incident has highlighted the unacceptable practice of keeping secrets on computers either next to or inside the code that uses them. In the face of such a significant breach, we must adopt proactive measures to mitigate the potential risks.

Here are some tips for the various stakeholders who may be reading this:

For the developers

• Adopt a DevSecOps approach: Incorporate security practices into your DevOps approach. This means thinking about security from the start of the development cycle, rather than as an afterthought. This includes using automated scanners to check for hardcoded secrets in your codebase before committing changes. By integrating security into every step of the development process, you can ensure that your applications are as secure as possible from the ground up.

• Commit to using a vault: Keep confidential data such as app and driver signing keys in secure vault solutions. These vaults fulfill a much-needed requirement for centralized secret management and ensure that sensitive information is kept secure and access is tightly controlled. This approach is far safer than storing keys on local machines or in code repositories, and it allows for better auditing and rotation of secrets. Of course, it’s the IT Ops or R&D team that implements the vault, but developers need to be committed to using the vault.

For the IT admins

• Enforce the principle of least privilege: Ensure administrative access to computers is limited and controlled. This can help prevent unauthorized firmware updates.

• Suppress suspicious apps: Consider suppressing suspicious apps at the group policy level. This can help reduce the risk of malicious firmware updates.

• Implement integrated network and endpoint protection: Proper general practices, such as integrated network and endpoint protection, timely updating of business apps, and a system policy for patch management, can help ease the problem.

• Use a centralized secrets security solution: There are dedicated solutions for centralized secret management, like secret vaults which can help protect sensitive information. But let’s take a step or two beyond vaults. Entro is the most obvious choice here, given that it is the only secrets security platform that does it all — discovering, safeguarding, enriching, and detecting the ones that leaked. You bring your own vault, be it the Hashicorp Vault or the AWS Secrets Manager, Github Actions Secrets, Azure KV or any other vault   and plug it into Entro’s platform, and just sit back and relax. Entro will keep the secrets stored inside the vaults secure and ensure they remain compliant regardless of whether they get rotated.

The takeaway: Trust but verify

In the wake of the MSI breach, the importance of secrets management has been thrown into the spotlight. While the situation is indeed grave, there are lessons to take away from it. Companies, especially as big as MSI, need to ensure that their confidential data and secrets, in particular, are stored in secure vaults or at least within a special secure perimeter on computers completely isolated from the rest of the network. But sometimes, even that’s not enough.

This is where a secrets security solution like Entro comes in. It can discover all secrets, enrich them with metadata, continuously monitor them for any misuse, create alerts for any misconfigurations, and ensure the principle of least privilege is maintained. It’s like having a dedicated detective (a Sherlock Holmes, if you will) constantly looking for any secrets-related shenanigans. Let’s take a step towards a world where your digital secrets are safer than MSI’s were in this case and look at what Entro can do for you.