Recently, the cybersecurity firm Eclypsium disclosed backdoor-like behavior in the firmware of Gigabyte systems. Eclypsium's platform flagged it through heuristic detection aimed at a newer class of supply chain threat, one in which a legitimate third-party component is compromised or abused rather than overtly malicious code being introduced. The core issue is that Gigabyte's system firmware causes a Windows native executable to run during system startup, and that executable then insecurely downloads and runs further payloads. The behavior resembles other OEM "backdoor-like" features, such as the Computrace (LoJack) anti-theft agent, which threat actors have abused in the past.
Follow-up analysis found the same code across hundreds of Gigabyte PC models. Eclypsium and Gigabyte are working together to fix the insecure implementation of the APP Center download functionality. Because the functionality ships in official firmware on so many boards, is hard to remove, and introduces supply chain exposure, the main attack vectors are compromise of the OEM's update infrastructure (a supply chain attack), abuse by an attacker already on the local network or host, and malware persistence through this firmware feature.
The investigation uncovered two crucial aspects:
- During startup, the firmware on affected Gigabyte systems writes a Windows executable into the operating system and causes it to run.
- That executable then downloads and executes additional payloads from the internet without adequately authenticating either the server or the content.
The technique for getting code from firmware into the running OS is similar to the one used by UEFI firmware implants and implant frameworks such as LoJax, MosaicRegressor, MoonBounce, and Vector-EDK.
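The second point, the unauthenticated download, is the part a practitioner can reason about concretely. The following is an added illustration, not Eclypsium's analysis or Gigabyte's code: two updaters share one simulated network, an on-path attacker rewrites unauthenticated traffic, and a second scenario models the vendor's own update server being compromised. The URLs and payload bytes are constructed; nothing is executed, only compared. A real design would pin the vendor's code-signing public key in the firmware and verify a signature over the payload; since the Python standard library has no asymmetric cryptography, this example pins a SHA-256 digest instead. The lesson is identical: the thing you verify against must come from somewhere the attacker cannot reach, and a checksum that travels alongside the payload over the same channel is not that thing.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payloads; they are never executed, only compared.
GENUINE_PAYLOAD = b"MZ\x90\x00 genuine vendor update v4.0"
MALICIOUS_PAYLOAD = b"MZ\x90\x00 attacker-supplied replacement"

# Out-of-band trust anchor: baked into the firmware image at build time, so an
# attacker on the network or on the update server cannot change it. (A real
# updater pins a signing key and checks a signature; stdlib-only stand-in here.)
PINNED_SHA256 = hashlib.sha256(GENUINE_PAYLOAD).hexdigest()


def package(payload: bytes) -> dict:
    """What the update server returns: the binary plus an in-band checksum."""
    return {"payload": payload, "sha256": hashlib.sha256(payload).hexdigest()}


class Transport:
    """Simulated network path between the updater and the vendor's update server.

    origin: bytes the server really serves (the genuine payload unless the
            vendor's update infrastructure has itself been compromised).
    mitm:   an on-path attacker rewrites any traffic that is not authenticated.
    """

    def __init__(self, origin: bytes = GENUINE_PAYLOAD, mitm: bool = False):
        self.origin = origin
        self.mitm = mitm

    def fetch(self, url: str, verify_tls: bool) -> dict:
        scheme = urlparse(url).scheme
        if self.mitm:
            if scheme == "https" and verify_tls:
                # The attacker cannot present a certificate valid for the
                # vendor's hostname, so the handshake fails instead of
                # delivering attacker-controlled data.
                raise ConnectionError("TLS certificate verification failed")
            # Plain HTTP, or HTTPS without validation: the attacker swaps the
            # payload and simply recomputes the checksum that travels with it.
            return package(MALICIOUS_PAYLOAD)
        return package(self.origin)


def insecure_update(transport: Transport, url: str) -> tuple:
    """The pattern the article describes: fetch over an unauthenticated channel
    and run whatever arrives. The in-band checksum only catches corruption,
    not substitution, because the attacker controls both fields."""
    r = transport.fetch(url, verify_tls=False)
    if hashlib.sha256(r["payload"]).hexdigest() != r["sha256"]:
        return ("rejected", "corrupt download")
    return ("executed", r["payload"])


def hardened_update(transport: Transport, url: str) -> tuple:
    """Refuse plaintext transport, validate the TLS certificate, and verify the
    payload against the anchor pinned in firmware before anything runs."""
    if urlparse(url).scheme != "https":
        return ("rejected", "insecure transport")
    try:
        r = transport.fetch(url, verify_tls=True)
    except ConnectionError as exc:
        return ("rejected", str(exc))
    digest = hashlib.sha256(r["payload"]).hexdigest()
    if not hmac.compare_digest(digest, PINNED_SHA256):
        return ("rejected", "payload does not match pinned digest")
    return ("executed", r["payload"])


def run_scenarios() -> dict:
    """Exercise both updaters against the attack paths the article lists."""
    http_url = "http://updates.example.invalid/app-center/update.exe"    # assumed URL
    https_url = "https://updates.example.invalid/app-center/update.exe"  # assumed URL
    on_path = Transport(mitm=True)
    poisoned_server = Transport(origin=MALICIOUS_PAYLOAD)  # compromised OEM infrastructure
    return {
        "insecure/http/mitm": insecure_update(on_path, http_url),
        "insecure/https/mitm": insecure_update(on_path, https_url),
        "hardened/http/mitm": hardened_update(on_path, http_url),
        "hardened/https/mitm": hardened_update(on_path, https_url),
        "hardened/https/poisoned-server": hardened_update(poisoned_server, https_url),
        "hardened/https/clean": hardened_update(Transport(), https_url),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in run_scenarios().items():
        print(f"{name:32} {verdict:9} {detail!r}")
```

Two of the outcomes deserve attention. The insecure updater is fooled even over HTTPS, because a client that does not validate the server certificate gets no protection from TLS; that is the practical meaning of "insecurely downloads" in the article. The hardened updater also rejects the payload when the vendor's own server has been poisoned, which is the supply chain case: transport security cannot help there, only verification against an anchor that the update infrastructure does not control.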
The suspicious firmware introduces a plethora of risks, including:
- Abuse of OEM backdoor-style software by threat actors, as seen with Computrace LoJack.
- Compromise of the OEM update infrastructure and, through it, the supply chain.
- Persistence of UEFI rootkits and implants, which are among the stealthiest and most potent forms of malware.
- Exposure to man-in-the-middle (MITM) attacks on the firmware and software update features, because the update process does not properly authenticate what it downloads.
- Persistence of unwanted behavior within official firmware, which makes removal difficult.
Eclypsium recommends heightened vigilance for Gigabyte systems and for any system built on an affected motherboard. Organizations should scan and monitor their systems and firmware updates to identify affected devices and to detect backdoor-like tools embedded in firmware, and should keep systems on the latest validated firmware and software so that fixes for issues like this one are actually applied. On Gigabyte systems, the "APP Center Download & Install" feature in UEFI/BIOS Setup should be checked and disabled, and a BIOS password should be set so that the setting cannot be re-enabled without authorization. Note that disabling the feature stops the updater from running but does not remove the embedded code from the firmware image; only a corrected firmware update from the vendor does that.
This case underscores the need for security controls at the hardware and firmware layers, not only in software. As attacks move further down the stack, defenses have to follow, which means firmware inventory and integrity monitoring on the defender's side and continued cooperation between hardware vendors and security researchers.