Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices

May 31, 2023 · Ravi Lakshmanan · Firmware Security / Vulnerability


Cybersecurity researchers have discovered "backdoor-like behavior" in Gigabyte systems: the device's UEFI firmware drops a Windows executable onto the disk at boot, and that executable retrieves updates over an insecure channel.

Firmware security company Eclypsium announced that it first detected the anomaly in April 2023. Since then, Gigabyte has recognized and addressed this issue.

“Most of Gigabyte’s firmware has Windows native binary executables embedded within the UEFI firmware,” John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

"A detected Windows executable is dropped onto disk and executed as part of the Windows boot process, similar to a LoJack double-agent attack. This executable then downloads additional binaries in an insecure manner and runs them."

“Only the intent of the author can distinguish this kind of vulnerability from a malicious backdoor,” added Loucaides.

Per Eclypsium, the executable is embedded in the UEFI firmware, written to disk by the firmware as part of the system boot process, and then launched as an update service.

The .NET-based application is configured to download and execute payloads over plain HTTP from Gigabyte's update servers, exposing the process to adversary-in-the-middle (AitM) attacks, for example through a compromised router on the path to those servers.

Loucaides said the software "appears to have been intended as a legitimate update application" and that the issue could affect "approximately 364 Gigabyte systems, containing approximately 7 million devices."

Because attackers are constantly looking for ways to remain undetected with a minimal footprint, vulnerabilities in a privileged firmware update mechanism are attractive: code running at that layer can subvert every security control that operates at the operating-system level, and it paves the way for stealthy firmware implants.


Worse, because the UEFI code resides in flash on the motherboard rather than on the drive, malware injected into the firmware persists even if the drive is wiped and the operating system is reinstalled.

Eclypsium recommends that organizations apply the latest firmware updates to minimize the risk. It also recommends inspecting and disabling the "APP Center Download & Install" feature in the UEFI/BIOS setup and setting a BIOS password to deter malicious changes to that configuration.

"Firmware updates are notorious for not reaching end users," Loucaides said, "so it is understandable that someone would think a firmware update app could be useful."

"But the irony of a highly insecure update application that automatically downloads and executes payloads being baked into the firmware is not lost on us."
