Recent research has uncovered backdoor-like behaviour in Gigabyte systems. The researchers explained that the flaw allows the UEFI firmware of an affected device to drop Windows executables and retrieve updates in an insecure manner.
Most Gigabyte firmware images include a Windows native binary executable stored inside the UEFI firmware. The firmware drops this executable to disk and runs it as part of the Windows startup sequence, much like the LoJack double-agent campaign. The executable then downloads and runs additional binaries through insecure mechanisms.
The researchers also emphasised that only the author's intention distinguishes this vulnerability from a malicious backdoor. The executable residing in the UEFI firmware is written to disk by the firmware as part of the system boot process and is later launched as an update service.
The .NET-based app is configured to download and run a payload from Gigabyte update servers over plain HTTP, exposing the process to attacks such as adversary-in-the-middle (AitM) via a compromised router.
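The plaintext download described above is the part a defender can see on the wire. The following added example (not code from the research or from Gigabyte) runs simple detection logic over a few constructed egress-proxy log lines and flags any process that fetches an executable payload over unauthenticated HTTP; the process names, hosts and log format are placeholders, not real Gigabyte identifiers.

```python
import re
from urllib.parse import urlparse

# Constructed sample of egress (proxy) log lines: timestamp, process, method, URL, status.
# Process names and hosts are placeholders, not the real update service or servers.
SAMPLE_LOG = """\
2023-06-01T08:00:01Z updatesvc.exe GET http://updates.vendor.invalid/app/installer.exe 200
2023-06-01T08:00:02Z updatesvc.exe GET https://updates.vendor.invalid/app/manifest.json 200
2023-06-01T08:00:05Z browser.exe GET http://news.example.invalid/index.html 200
2023-06-01T08:00:09Z updatesvc.exe GET http://updates.vendor.invalid/app/driver.msi 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)
# File types that end up being executed if substituted by an on-path attacker.
PAYLOAD_EXT = (".exe", ".dll", ".msi", ".sys", ".cab", ".zip")


def find_plaintext_payload_fetches(log_text: str) -> list[dict]:
    """Return every request that fetched an executable payload over plain HTTP.

    This is exactly the AitM exposure the article describes: with no TLS and no
    signature check, anything on the network path can swap the binary.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        url = urlparse(m["url"])
        if url.scheme != "http":
            continue  # HTTPS fetches are not the plaintext case we care about
        if not url.path.lower().endswith(PAYLOAD_EXT):
            continue  # HTML, JSON manifests etc. are not executed directly
        findings.append(
            {"ts": m["ts"], "process": m["proc"], "host": url.hostname, "path": url.path}
        )
    return findings


def processes_with_plaintext_payloads(log_text: str) -> set[str]:
    """Distinct process names worth reviewing as auto-started update services."""
    return {f["process"] for f in find_plaintext_payload_fetches(log_text)}


if __name__ == "__main__":
    for f in find_plaintext_payload_fetches(SAMPLE_LOG):
        print(f"{f['ts']} {f['process']} fetched {f['path']} from {f['host']} over plaintext HTTP")
```

On a real network the same check would be pointed at proxy or firewall logs, and any hit from a service that starts with the OS is a candidate for the firmware-level review the article recommends.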
This newly discovered Gigabyte firmware vulnerability could potentially impact at least seven million devices.
According to initial investigations, the software appears to have been intended as a genuine update app. The issue could affect nearly 370 Gigabyte systems, which could result in the compromise of 7 million devices.
Cybersecurity experts also believe this firmware update mechanism could allow threat groups to build stealthy UEFI bootkits, since such groups constantly look for ways to keep their attacks undetected and evade analysis. Such implants could also subvert security controls that run at the operating system level.
Malware injected into the firmware could persist even if the drive is wiped and the OS is reinstalled, since the UEFI code resides on the motherboard.
Experts advise organisations to apply the latest firmware patch to mitigate the vulnerability's risks. Everyone should also inspect and disable the APP Center Download and Install tool in the UEFI/BIOS Setup.
Cybersecurity experts also recommend setting a BIOS password to prevent malicious changes during exploitation of the flaw.