A ransomware intrusion on hardware manufacturer Micro-Star International, better known as MSI, is stoking concerns of devastating supply chain attacks that could inject malicious updates that have been signed with company signing keys that are trusted by a huge base of end-user devices, a researcher said.
“It’s kind of like a doomsday scenario where it’s very hard to update the devices simultaneously, and they stay for a while not up to date and will use the old key for authentication,” Alex Matrosov, CEO, head of research and founder of security firm Binarly, said in an interview. “It’s very hard to solve, and I don’t think MSI has any backup solution to actually block the leaked keys.”
Leaked key + no revocation = recipe for disaster
Included in the trove of released data were two private encryption keys. The first is the signing key that digitally signs MSI firmware updates to cryptographically prove that they are legitimate ones from MSI rather than a malicious impostor from a threat actor.
This raises the possibility that the leaked key could allow attackers to push out updates that would infect a computer’s most nether regions without triggering a warning. To make matters worse, Matrosov said, MSI doesn’t have an automated patching process the way Dell, HP, and many larger hardware makers do. Consequently, MSI doesn’t provide the same kind of key revocation capabilities.
“It’s very bad, it doesn't frequently happen,” he said. “They need to pay a lot of attention to this incident because there are very serious security implications here.”
Adding to the concern, MSI to date has maintained radio silence on the matter. Company representatives didn't respond to emails seeking comment and asking if the company planned to issue guidance to its customers.
There are no reports of any supply chain attacks targeting MSI customers. Gaining the kind of control required to compromise a software build system is generally a non-trivial event that requires a great deal of skill and possibly some luck. Because MSI doesn’t have an automated update mechanism or a revocation process, the bar would probably be lower, though.
Whatever the difficulty, possession of the signing key MSI uses to cryptographically verify the authenticity of its installer files significantly lowers the effort and resources required to pull off an effective supply chain attack.
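The gap the section describes, as an added example that is not MSI's code or any real vendor's update mechanism: a hypothetical device-side verifier in Go (Ed25519 stands in for the vendor's actual signing scheme) accepts a correctly signed image under a trusted key, and only rejects that same signature once the key's fingerprint is on a revocation list the vendor must be able to push to devices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyID is the hex SHA-256 fingerprint used to name a vendor key in the lists below.
func keyID(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// Verifier models a device's update check: trusted vendor keys plus a
// revocation list the vendor can push after a key leak.
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier { return &Verifier{map[string]ed25519.PublicKey{}, map[string]bool{}} }

// Trust enrolls a vendor public key (normally baked into the device at manufacture).
func (v *Verifier) Trust(pub ed25519.PublicKey) { v.trusted[keyID(pub)] = pub }
// Revoke marks a key untrusted; without this step a leaked key keeps working.
func (v *Verifier) Revoke(pub ed25519.PublicKey) { v.revoked[keyID(pub)] = true }

// Accept returns "" if the update may be applied, else the rejection reason.
func (v *Verifier) Accept(image, sig []byte, signer ed25519.PublicKey) string {
	id := keyID(signer)
	pub, ok := v.trusted[id]
	switch {
	case !ok:
		return "unknown signing key"
	case !ed25519.Verify(pub, image, sig):
		return "bad signature"
	case v.revoked[id]:
		return "key revoked"
	}
	return ""
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for the vendor key pair
	image := []byte("constructed firmware image")
	sig := ed25519.Sign(priv, image)
	v := NewVerifier()
	v.Trust(pub)
	fmt.Printf("before revocation: %q\n", v.Accept(image, sig, pub)) // ""
	v.Revoke(pub)
	fmt.Printf("after revocation: %q\n", v.Accept(image, sig, pub)) // "key revoked"
}
```

Until the revocation entry reaches a device, the leaked key's signatures verify exactly as the vendor's own would, which is the window the article is concerned with.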
“The worst scenario is if the attackers gain not only access to the keys but also can distribute this malicious update [using those keys]," Matrosov said.
In an advisory, the Netherlands-based National Cybersecurity Center didn’t rule out the possibility.
“Because successful abuse is technically complex and in principle requires local access to a vulnerable system, the NCSC considers the risk of abuse to be small,” NCSC officials wrote. “However, it is not inconceivable that the leaked keys will be misused in targeted attacks. The NCSC is not yet aware of any indications of misuse of the leaked key material.”
@dangoodin IMHO, this really shouldn't change the analysis at all.
Did anyone think that the PC supply chain was secure? Mainboard makers like MSI have never really had an incentive to prioritize deep security. I doubt most - if any - of them do things like keeping the machines they do firmware signing on air-gapped or anything like that.
I would be shocked if any of the big mainboard companies' keys weren't already in the possession of at least one nation-state adversary.
Most #healthcare workers don't check #security protocols before trying out new generative AI tools such as #ChatGPT, putting patient and other sensitive data at risk, said Sean Kennedy of software vendor Salesforce, which recently conducted research on potential security gaps in healthcare settings.
A new pattern of sophisticated email spamming is on the rise. Spammers use stolen email accounts of legit organizations, often universities. Thus, spam will not be caught by spam filters. Next, spammers use #ChatGPT to make the scam sound authentic.
Here's an example. This email was sent from an account seemingly belonging to a university student in Hungary. The headers of the email clearly show that it was sent from the university mail server. (This explains why it escaped iCloud's spam filter)
The email is in German. It's grammatically correct, but sounds weird on a few occasions. The spammers use a different name in the letter than the name of the account owner (shown redacted). Also, the spammers set a different email in the "Reply-To" field. They want victims to reply to their email address, probably in case they lose access to the stolen account.
Stolen accounts often belong to universities. Perhaps because they don't enforce SSL.
Help! My Achilles heel at work has always been issues related to broadly understood data encryption and decryption. For some reason my brain can't sort it all out - private keys, public keys, signing keys, AES, SHA, RSA, GPG, SSO, OAuth, etc.
Every time this topic comes up at work, I know that I will be scratching my head for days.
So my question to you guys is, can you recommend a good book to help me understand these things once and for all? Thank you in advance.
"The Mandiant team was facing a textbook example of a software-supply-chain attack—the nefarious alteration of trusted software at its source. In a single stroke, attackers can infect thousands, potentially millions, of machines." —@kimzetter for @WIRED
I should have seen it coming. I (hesitantly) signed up to #LinkedIn for professional reasons. All goes well for two days.
Now my account is restricted until I verify my #ID by uploading a photo of my ID card (which doesn't even work).
The restriction is presumably because of either connecting over a #VPN or not having a profile photo, which are measures I take to protect my #privacy and #security.
I'm of a mind to just send a data erasure request and avoid wasting any more time.
Insanity, but what else is new at the bird site. FYI, where I work inactive accounts are only locked after 30 days, not deleted! After 90 days it is flagged for deletion, but it isn't automatic. We review the list as some are on extended leave and policy is to leave them there until after 365 days of inactivity. We do the housekeeping manually as we have less than 10k accounts. I hope they publish the stats on how many get deleted.