Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.
Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.
"Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware," John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.
"The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods."
"Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor," Loucaides added.
The executable, per Eclypsium, is embedded into UEFI firmware and written to disk by firmware as part of the system boot process and subsequently launched as an update service.
The .NET-based application, for its part, is configured to download and execute a payload from Gigabyte update servers over plain HTTP, thereby exposing the process to adversary-in-the-middle (AitM) attacks via a compromised router.
Loucaides said the software "seems to have been intended as a legitimate update application," noting the issue potentially impacts "around 364 Gigabyte systems with a rough estimate of 7 million devices."
With threat actors constantly on the lookout for ways to remain undetected and leave a minimal intrusion footprint, vulnerabilities in the privileged firmware update mechanism could pave the way for stealthy UEFI bootkits and implants that can subvert all security controls running in the operating system plane.
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.Supercharge Your Skills
To make matters worse, since the UEFI code resides on the motherboard, malware injected to the firmware can persist even if drives are wiped and the operating system is reinstalled.
Organizations are advised to apply the latest firmware updates to minimize potential risks. It's also advised to inspect and disable the "APP Center Download & Install" feature in UEFI/BIOS Setup and set a BIOS password to deter malicious changes.
"Firmware updates have notoriously low uptake with end users," Loucaides said. "Therefore, it is easy to understand thinking that an update application in firmware may help."
"However, the irony of a highly insecure update application, backed into firmware to automatically download and run a payload, is not lost."
Gigabyte Releases Firmware to Address Critical Flaw
Gigabyte has released firmware updates to fix security vulnerabilities impacting several motherboards that could be exploited to install persistent malware.
The Taiwanese company also said it has implemented stricter security checks, including signature verification and privilege access limitations, during the operating system boot process to detect and prevent any possible malicious activities.
The issue stems from the manner Gigabyte motherboards leverage a legitimate feature called Windows Platform Binary Table (WPBT) to automatically install an auto-update application in the operating system.
"The WPBT allows vendors and OEMs to run an .exe program in the UEFI layer," Microsoft notes in its documentation. "Every time Windows boots, it looks at the UEFI, and runs the .exe. It's used to run programs that aren't included with the Windows media."
The flaws identified by Eclypsium meant that the process could be exploited by a threat actor to deliver a trojanized version of the executable by means of an adversary-in-the-middle (AitM) attack.