Cybersecurity researchers have discovered “backdoor-like behavior” in Gigabyte systems, which they say allows a device’s UEFI firmware to drop Windows executables and fetch updates in an insecure format.
Firmware security company Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.
“Most Gigabyte firmware includes a Windows Native Binary executable built into the UEFI firmware,” John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.
“The detected Windows executables are dropped to disk and run as part of the Windows startup process, similar to LoJack’s double agent attack. This executable then downloads and runs additional binaries via insecure methods.”
“Only the author’s intent can distinguish these kinds of vulnerabilities from malicious backdoors,” Loucaides added.
The executable, per Eclypsium, is embedded into the UEFI firmware and written to disk by the firmware as part of the system boot process and then launched as an update service.
.NET-based applications, for their part, are configured to download and execute payloads from Gigabyte update servers over plain HTTP, thereby exposing processes to adversary-in-the-middle (AitM) attacks via compromised routers.
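As an added illustration of the weakness described above (not code from Eclypsium or Gigabyte), the snippet below contrasts the update-fetch policy the article faults with a hardened one: refuse non-HTTPS endpoints and pin the payload's hash, so neither a router-level AitM nor a substituted server payload is accepted. The endpoint URLs and payload are constructed placeholders.

```python
# Added example, not the dropped update service's own code.
# Endpoint URLs are constructed placeholders, not Gigabyte's real servers.
import hashlib
from urllib.parse import urlparse

# Constructed sample of an update client's configured endpoints.
SAMPLE_ENDPOINTS = [
    "http://updates.example-vendor.invalid/update.exe",   # weak: plain HTTP
    "https://updates.example-vendor.invalid/update.exe",  # acceptable transport
]

# Constructed payload and the hash a hardened client would have pinned for it.
SAMPLE_PAYLOAD = b"constructed update payload"
PINNED_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def audit_update_endpoints(urls):
    """Return (url, reason) for endpoints a network adversary could tamper with."""
    findings = []
    for url in urls:
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":
            findings.append((url, f"insecure scheme '{scheme}': payload replaceable in transit"))
    return findings


def fetch_verified_update(url, expected_sha256, fetcher):
    """Fetch an update only over HTTPS and only if its SHA-256 matches the pinned value.

    `fetcher(url) -> bytes` is injected so the example runs offline; a real
    client would issue an HTTPS request with certificate verification on.
    Transport security alone does not cover a compromised server, which is
    why the hash (or a signature) check is applied to the downloaded bytes.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to download update over {scheme}")
    data = fetcher(url)
    if hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        raise ValueError("update payload hash mismatch; discarding")
    return data


def constructed_fetcher(url):
    # Stand-in for the network: always returns the constructed payload.
    return SAMPLE_PAYLOAD


if __name__ == "__main__":
    for url, why in audit_update_endpoints(SAMPLE_ENDPOINTS):
        print("WEAK:", url, "-", why)
```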
Loucaides said the software “appears to be intended as a legitimate update application,” noting that the issue could potentially impact “approx 364 Gigabyte systems with a rough estimate of 7 million devices.”
With threat actors constantly looking for ways to remain undetected and leave minimal traces of intrusion, vulnerabilities in privileged firmware update mechanisms could pave the way for hidden UEFI bootkits and implants that can subvert all security controls running on the operating system plane.
Even worse, because the UEFI code resides on the motherboard, malware injected into the firmware can survive even if the drive is wiped and the operating system is reinstalled.
Organizations are advised to apply the latest firmware updates to minimize potential risks. It is also recommended that you check and disable the “Download & Install APP Center” feature in UEFI/BIOS Settings and set a BIOS password to prevent malicious changes.
“Firmware updates have low uptake with end users,” said Loucaides. “Therefore, it’s easy to understand thinking that an update app in the firmware can help.”
“However, the irony of a highly insecure update application, reserved to the firmware for automatic download and execution of payloads, is not lost.”