Cybersecurity firm Eclypsium has discovered a potential backdoor in Gigabyte systems, raising concerns about the security of the technology supply chain.
In a blog post Wednesday, the company said it used automated heuristics to detect suspicious behavior within Gigabyte systems.
Further analysis revealed that the firmware on these systems dropped and executed a Windows native executable during the system boot process. The executable then downloads an additional payload and executes it in an insecure way.
Eclypsium explained that this backdoor mechanism has similarities to other OEM backdoor-like functionality and firmware implants previously exploited by threat actors.
For more information on similar malware tools, see MQsTTang, a new backdoor attributed to Mustang Panda Group.
The potential risks associated with this backdoor include supply chain and local environment compromise, as well as malware persistence that abuses this firmware functionality within affected systems.
The vulnerable code was reportedly found in hundreds of models of Gigabyte PCs, posing a significant risk to the supply chain. While no specific threat actor exploits have been identified, security experts say the presence of widespread backdoors that are difficult to remove raises serious concerns for companies that rely on Gigabyte’s systems.
Jeff Williams, co-founder and CTO of Contrast Security, commented, “Almost all security work is focused on inadvertent vulnerabilities created innocently by developers.”
“But imagine you’re a malicious developer trying to Trojanize your company’s software with a backdoor.”
Smart attackers don’t rely on obvious backdoors, said the executive. Instead, they introduce a common vulnerability that appears to be accidental.
“That way, even if a backdoor is detected, we can still maintain a valid denial. is inherently impossible, in which case we may never know,” Williams added.
To address this issue, Eclypsium has confirmed that it is now working closely with Gigabyte to fix the insecure implementation of the App Center feature.
The advisory comes just weeks after Symantec’s threat hunters team shared its findings on a new backdoor being used in attacks targeting organizations in South and Southeast Asia.