MSI hit in cyberattack, warns against installing knock-off firmware

Owners of MSI-brand motherboards, GPUs, notebooks, PCs, and other equipment should exercise caution when updating their device’s firmware or BIOS after the manufacturer revealed it has recently suffered a cyberattack.

In a statement shared on Friday, MSI urged users “to obtain firmware/BIOS updates only from its official website,” and to avoid using files from other sources.

While this may sound like common sense, it’s not unusual to find custom BIOS firmware for PC hardware, particularly for GPUs, floating around enthusiast forums. However, the reason behind MSI’s warning may have more to do with the kinds of data allegedly stolen during the attack.

As reported earlier this week, a group of ne’er-do-wells known as Money Message posted on their dark-web site what they claimed to be screenshots of MSI’s CTMS and ERP databases, as well as source code, private keys, and BIOS firmware.

That’s material that really shouldn’t fall into the wrong hands as it can be used to create malicious firmware clones, which folks could be tricked into trusting and installing.

Indeed, the gang claims to have all the tools necessary to develop a potentially malicious BIOS and then digitally sign it in a way that it appears legitimate and can be installed on victims’ PCs once they’re lured into downloading it. Assuming the miscreants haven’t poisoned MSI’s downloads, you’ll really want to avoid installing what turns out to be malware at the firmware level and instead stick to the official updates.

Additionally, the crew has threatened to release this data, allegedly totaling 1.5TB, unless MSI pays a $4 million ransom within the next few days.

In its statement, MSI did not address the extent of the security breach, nor what was stolen, stating only that it “detected network anomalies,” and its IT department “activated relevant defense mechanisms and carried out recovery measures.”

The hardware maker said it reported the intrusion to the cops and cybersecurity agencies. It also downplayed any potential repercussions, stating that it had returned to normal operations and didn’t anticipate any “significant impact” to its financials. However, it’s not clear at this point whether customer data was compromised in the network breach.

The Register reached out to MSI for comment; we’ll let you know if we hear anything back.

The apparent theft comes less than a month after Acer, another prominent PC maker, suffered a cyberattack of its own. In that case, a 160GB database containing confidential information was allegedly exfiltrated and offered for sale on the now defunct hacker bazaar Breach Forums. ®
