MSI Acknowledges Breach as Money Message Ransomware Group Takes Credit for Cyberattack
- Written by Ari Denial, Cybersecurity & Tech Writer
MSI (Micro-Star International Co. Ltd.), a Taiwanese PC manufacturer, has confirmed that it was the target of a ransomware attack. The attack was carried out by the Money Message ransomware group, which claims to have breached some of MSI’s systems.
As per the group’s claims, they have already stolen files, and if MSI refuses to pay the ransom of $4 million, the group plans to leak the data online next week.
In a press release, MSI disclosed that it had been the victim of a “cyberattack,” but the statement did not specify the type of attack or the identity of the suspected perpetrator.
MSI reported that its information department acted swiftly upon discovering network anomalies and triggered appropriate defense mechanisms to mitigate the attack. The department also executed recovery procedures to restore systems to their normal state.
Additionally, MSI notified government law enforcement agencies and cybersecurity units about the incident to investigate the attack and prevent similar incidents in the future.
According to the discussions between the MSI representative and the ransomware gang, the attackers asked for a ransom of $4,000,000.
The group justified the demand by stating that they had accessed and exfiltrated approximately 1.5 terabytes of documents from MSI’s network, which they could leak online.
The Money Message ransomware group has given an ultimatum to MSI, warning the company to fulfill its ransom demands; otherwise, the group will release the stolen files online.
The threat actors behind the MSI ransomware attack have included the company’s name on their data leak website. As of now, the group has shared some screenshots, which they claim are from MSI’s Enterprise Resource Planning (ERP) databases.
They have also published files that include BIOS firmware, software source code and private keys. However, the group has not released the complete data set yet.
Rilide Browser Extension Exploited by Hackers to Steal Cryptocurrency by Bypassing 2FA
- Written by Ari Denial, Cybersecurity & Tech Writer
A new malicious browser extension named Rilide has been uncovered by security researchers. The extension targets Chromium-based products such as Google Chrome, Brave, Opera, and Microsoft Edge. The malware is programmed to keep an eye on browsing activity, capture screenshots, and use scripts injected into web pages to steal cryptocurrency.
Once the Rilide extension is loaded into the browser, it disguises itself as a Google Drive extension. However, behind the scenes, it simultaneously monitors the active tabs for specific websites, which comprise popular cryptocurrency exchanges and email providers like Gmail and Yahoo.
Upon identifying a targeted website, the extension removes the Content Security Policy (CSP) headers provided by the legitimate website and introduces its own malicious code for manipulating the page content.
This is significant as websites utilize CSP to inform browsers about which scripts to permit for execution on the site.
The Rilide extension injects various scripts into websites, some of which can take screenshots of the active tabs and alert a command-and-control server when a targeted website is open. Additionally, other scripts are designed to automatically withdraw assets while simultaneously displaying a phony dialog box that prompts the user to input their two-factor authentication code.
Once these actions are executed, many websites send the user automated emails containing codes to confirm the transaction. The Rilide extension replaces these emails in the Gmail, Hotmail or Yahoo web interfaces with messages that appear to authorize a new device to access the account, a process that uses the same 2FA workflow.
When accessing their accounts, users may have previously been prompted to reauthorize their browsers by inputting 2FA codes received via email. This is a common security measure triggered by expiring authenticated sessions and periodically resetting saved 2FA statuses.
This technique was used to steal assets from cryptocurrency exchanges, but it can be adapted for other websites that use email-based multi-factor authentication. Therefore, organizations should consider using more secure methods, such as mobile authenticator apps or physical USB-based authentication devices, when deploying 2FA even on third-party services.
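As an added illustration (not code from the researchers or from the Rilide write-up), the following Python script triages a Chromium extension manifest for the capability set described above: response-header rewriting (what an extension needs to strip a site's CSP), script injection, and reach into broad hosts or the webmail domains named here. The sample manifest and the webmail watchlist are constructed assumptions, not real Rilide artifacts.

```python
import json
# Permissions that let an extension intercept and rewrite HTTP responses, which is
# what an extension needs to strip a site's CSP header the way Rilide does.
HEADER_REWRITE_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}
INJECTION_PERMS = {"scripting", "tabs", "activeTab"}  # lets it run code in pages
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WATCHLIST = ("mail.google.com", "mail.yahoo.com", "outlook.live.com")  # constructed

def hosts_of(manifest):
    """Collect host patterns from host_permissions, permissions and content_scripts."""
    hosts = set()
    for key in ("host_permissions", "permissions"):
        hosts.update(h for h in manifest.get(key, []) if "://" in h or h == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts

def triage_manifest(manifest_json):
    """Return (risk_level, findings) for a Chromium extension manifest given as JSON text."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    hosts = hosts_of(manifest)
    findings = []
    can_rewrite = bool(perms & HEADER_REWRITE_PERMS)
    can_inject = bool(perms & INJECTION_PERMS) or bool(manifest.get("content_scripts"))
    if can_rewrite:
        findings.append("can rewrite response headers (CSP stripping possible)")
    if can_inject:
        findings.append("can inject scripts into pages")
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    watched = sorted(h for h in hosts if any(w in h for w in WATCHLIST))
    if watched:
        findings.append("targets webmail hosts: " + ", ".join(watched))
    reach = bool(hosts & BROAD_HOSTS) or bool(watched)
    if can_rewrite and can_inject and reach:
        risk = "high"
    elif can_rewrite or (can_inject and reach):
        risk = "medium"
    else:
        risk = "low"
    return risk, findings

# Constructed sample manifest (not a real Rilide artifact) showing the capability set.
SAMPLE_MANIFEST = json.dumps({
    "name": "Google Drive", "manifest_version": 2,
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["inject.js"]}],
})
```

Calling `triage_manifest(SAMPLE_MANIFEST)` on the constructed sample returns `"high"` with all four findings; a manifest that only requests `storage` returns `"low"`.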