MSI Confirms Cyberattack, Advises Caution With Firmware

News
By Andrew E. Freedman
published

Reports suggest ransomware may have been involved.

MSI Raider GE78 HX
(Image credit: Tom's Hardware)

Gaming hardware manufacturer MSI confirmed today that it was the victim of a cyberattack. In a brief statement on its website, the company said that the attack hit "part of its information systems," which have since returned to regular operations.

The company advises its customers only to get BIOS and firmware updates from the MSI website and no other sources. It's light on details, saying that after "detecting network anomalies," MSI implemented "defense mechanisms and carried out recovery measures," and then informed the the government and law enforcement.

"MSI is committed to protecting the data security and privacy of consumers, employees, and partners, and will continue to strengthen its cybersecurity architecture and management to maintain business continuity and network security in the future," the unsigned blog post reads.

The post doesn't mention if customer data was stolen or affected. Tom's Hardware reached out to MSI but did not hear back in time for publication. In addition, emails to official spokesperson addresses listed on the company's website bounced.

The first signs of the cyberattack surfaced yesterday in a report from BleepingComputer, which showed that a ransomware group called Money Message had claimed to have stolen source code, a "framework to develop bios [sic]" and private keys. In addition, the site saw chats that suggested the group claimed to have stolen 1.5TB of data and asked for a ransom payment of over four million dollars. It's unclear if these are related or if MSI paid a ransom.

This isn't the first hardware manufacturer to see this kind of attack in recent memory. Just last month, a hacker stole 160GB of data from Acer off of a document server meant for repair technicians. (Acer also had 60GB of data stolen in October 2021.)

In recent years, we've seen Quanta, Nvidia, and other major hardware manufacturers investigate potential cyberattacks. Clearly, the desire for bad actors to access data from major hardware vendors, which could then potentially spread into client computers, isn't going away anytime soon.

Andrew E. Freedman

Andrew E. Freedman is a senior editor at Tom's Hardware focusing on laptops, desktops and gaming. He also keeps up with the latest news. A lover of all things gaming and tech, his previous work has shown up in Tom's Guide, Laptop Mag, Kotaku, PCMag and Complex, among others. Follow him on Threads @FreedmanAE and Mastodon @FreedmanAE.mastodon.social.

6 Comments Comment from the forums
  • hotaru251
    tbh if you are using 3rd party sites for your stuff thats bad habit.
    Reply
  • domih
    The three stages of Ransomware:

    1. The attackers encrypt your files and you better pray your incremental backup policies are working 100% so you can restore from scratch and fast.

    2. The attackers threaten to publish your data if you do not pay. This is where your encryption policies matter. If your data is correctly encrypted and the encryption keys nowhere to be found, the attackers just have blobs of encrypted data with no means to decrypt it.

    3. The attackers threaten third parties thanks to the data that was extracted from the breach on your servers. If the attackers are truthful in this particular case when stating "...Say your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios..." you better pray you have the correct policies for compromised keys revocation.

    Ransomware pays less and less and the attackers are now aggressive in stages 2 and 3.
    Reply
  • Droidfreak
    So, any thoughts on potential consequences for MSI users? Provided that I always double-check where I download my BIOS from anyway and have already changed my MSI account password, just in case?
    Reply
  • domih
    Droidfreak said:
    So, any thoughts on potential consequences for MSI users? Provided that I always double-check where I download my BIOS from anyway and have already changed my MSI account password, just in case?

    At this point, this is unclear. MSI just published ass-covering responses so far.

    If the attackers were truthful when they stated "...also we have private keys able to sign BIOS files..." then MSI should probably create new signing keys. What is not clear is whether there will be a mechanism to reject the old keys and accept the new keys on a client computer. If the BIOS installation is a Windows GUI installer, revoking the compromised keys should be possible via the Microsoft revocation when checking the installer signature(s). Just wait for more news from MSI. By now, they should know if the signing keys were actually stolen or not.

    In any case, you are probably fine by only downloading BIOS updates from their site.
    Reply
  • Droidfreak
    domih said:
    If the BIOS installation is a Windows GUI installer
    Tbh I have never seen a BIOS update mechanism that would work like that.
    Probably if the keys were indeed compromised, we can expect some MSI site clones popping up and malicious ads being used to promote them... Bookmarks and password managers to the rescue 🛟
    Reply
  • Sleepy_Hollowed
    Oh boy, this is a bad day for MSI, and much worse for their clients.

    To be honest, I'd steer away from their downloads for a while, until they've been shown to revoke their on the wild certificates.

    If they don't, just don't get anything from them, and make sure to keep opening tickets with them.
    Reply