Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices

May 31, 2023
Ravie Lakshmanan
Firmware Security / Vulnerability

Cybersecurity researchers have found “backdoor-like behavior” within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

“Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware,” John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

“The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods.”

“Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor,” Loucaides added.

The executable, per Eclypsium, is embedded into UEFI firmware and written to disk by firmware as part of the system boot process and subsequently launched as an update service.

The .NET-based application, for its part, is configured to download and execute a payload from Gigabyte update servers over plain HTTP, thereby exposing the process to adversary-in-the-middle (AitM) attacks via a compromised router.
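The pattern described above, a service launched at boot that pulls an executable over plaintext HTTP, is something endpoint telemetry can surface. The following Python script is an added, illustrative example (not code from the article, from Eclypsium or from Gigabyte): it correlates constructed process-creation and network-connection records, and grades each plaintext HTTP fetch by whether the requested object looks like an executable and whether the requesting process was started by the Windows service control manager. The pipe-delimited record layout, the process names, paths and hostnames are all assumptions made for the example, not values from the advisory.

```python
"""Flag boot-time services that fetch executables over plaintext HTTP.

Illustrative detection logic added to the article; not Eclypsium's or Gigabyte's
tooling. Records are constructed in a simplified pipe-delimited layout:

    <seconds since boot>|<proc|net>|<pid>|<image path>|<detail>

For "proc" records, <detail> is the parent image; for "net" records it is the
requested URL. All names and hosts below are constructed placeholders.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Processes whose parent is the service control manager started as services,
# i.e. without a logged-on user, which matches the boot-time updater pattern.
SERVICE_MANAGER = "services.exe"
# Object types whose retrieval over plaintext HTTP is most dangerous.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".cab", ".sys")

# Constructed sample telemetry (not real event data).
SAMPLE_EVENTS = [
    r"12|proc|812|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe",
    r"15|proc|1204|C:\Windows\System32\ExampleUpdateSvc.exe|C:\Windows\System32\services.exe",
    r"18|net|1204|C:\Windows\System32\ExampleUpdateSvc.exe|http://update.example.invalid/agent.exe",
    r"40|proc|2210|C:\Program Files\Browser\browser.exe|C:\Windows\explorer.exe",
    r"41|net|2210|C:\Program Files\Browser\browser.exe|https://www.example.invalid/",
    r"55|net|812|C:\Windows\System32\svchost.exe|http://crl.example.invalid/root.crl",
    r"60|proc|3001|C:\Users\alice\Downloads\tool.exe|C:\Windows\explorer.exe",
    r"61|net|3001|C:\Users\alice\Downloads\tool.exe|http://mirror.example.invalid/plugin.dll",
]


@dataclass
class Event:
    ts: int        # seconds since boot (constructed clock)
    kind: str      # "proc" or "net"
    pid: int
    image: str     # image path of the acting process
    detail: str    # parent image (proc) or requested URL (net)


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited record into an Event."""
    ts, kind, pid, image, detail = line.strip().split("|", 4)
    return Event(int(ts), kind, int(pid), image, detail)


def classify(url: str, parent: Optional[str]) -> Optional[str]:
    """Return a severity for a plaintext HTTP fetch, or None if not plaintext.

    high   - executable fetched over HTTP by a process the service manager started
    medium - executable fetched over HTTP by any other process
    low    - non-executable (e.g. a CRL, which is normally served over HTTP)
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None
    if not parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return "low"
    if parent and ntpath.basename(parent).lower() == SERVICE_MANAGER:
        return "high"
    return "medium"


def find_plaintext_fetches(lines: List[str]) -> List[dict]:
    """Correlate proc and net records by pid and return graded findings."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    parents: Dict[int, str] = {}
    findings: List[dict] = []
    for ev in events:
        if ev.kind == "proc":
            parents[ev.pid] = ev.detail
        elif ev.kind == "net":
            severity = classify(ev.detail, parents.get(ev.pid))
            if severity:
                findings.append({"pid": ev.pid, "image": ev.image,
                                 "url": ev.detail, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_fetches(SAMPLE_EVENTS):
        print(f"{f['severity']:6} pid={f['pid']} {f['image']} -> {f['url']}")
```

Run against the constructed records, the script reports the service-started updater fetching `agent.exe` over HTTP as high, the CRL download as low, and the user-launched download of a DLL as medium; the HTTPS request produces no finding. The grading deliberately separates "plaintext" from "plaintext executable": many legitimate Windows components retrieve revocation data over HTTP, so alerting on every port-80 request would drown the one that matters.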

Loucaides said the software “seems to have been intended as a legitimate update application,” noting the issue potentially impacts “around 364 Gigabyte systems with a rough estimate of 7 million devices.”

With threat actors constantly on the lookout for ways to remain undetected and leave a minimal intrusion footprint, vulnerabilities in the privileged firmware update mechanism could pave the way for stealthy firmware implants that can subvert all security controls running in the operating system plane.

To make matters worse, since the UEFI code resides on the motherboard, malware injected into the firmware can persist even if drives are wiped and the operating system is reinstalled.

Organizations are advised to apply the latest firmware updates to minimize potential risks. It’s also advised to inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup and set a BIOS password to deter malicious changes.

“Firmware updates have notoriously low uptake with end users,” Loucaides said. “Therefore, it is easy to understand thinking that an update application in firmware may help.”

“However, the irony of a highly insecure update application, baked into firmware to automatically download and run a payload, is not lost.”
