Cyber Security Threat Summary:
This should be treated as Critical if you are a user of Gigabyte systems.
We may upgrade this to High severity should reports of active exploitation occur.

Summary: Researchers from firmware security firm Eclypsium have discovered a suspected backdoor-like behavior within Gigabyte systems. The experts discovered that the firmware in Gigabyte systems drops and executes a Windows native executable during the system startup process. The executable is utilized for insecure downloading and execution of additional payloads. The experts pointed out that this is the same behavior observed for other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) and firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK (Security Affairs, 2023).

The researchers found this behavior is present in hundreds of models of Gigabyte PCs. According to the researchers, the backdoor appears to be intentionally functional and would require a firmware update to completely remove from impacted systems. “While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems.”

Security Officer Comments:
Eclypsium says they first detected the strange behavior back in April of 2023. The researchers found and analyzed the impacted UEFI firmware and found a BIN file that is a Windows Native Binary executable. The firmware writes this executable to the disk as part of the system boot process, a technique that is commonly used in UEFI implants.

The executable is a .NET application that can be used to download and execute additional payloads. The experts pointed out that the use of HTTP opens the doors to Machine-in-the-middle (MITM) attacks. The researchers also noticed that even when using the HTTPS protocol, the validation of the remote server certificate is not implemented correctly allowing MITM attacks also in that case.

The firmware does not support digital signature verification for executables. “The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers).” continues the report. “As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure” (Eclypsium, 2023).

Suggested Correction(s):
Eclypsium says the backdoor behavior likely impacts more than 300 Gigabyte systems. These issues expose organizations wide a wide range of attack scenarios:

Abuse of an OEM backdoor by threat actors.
Compromise of the OEM update infrastructure and supply chain.
Persistence using UEFI Rootkits and Implants.
MITM attacks on firmware and software update features.
Ongoing risk due to unwanted behavior within official firmware.


Eclypsium recommends the following actions to minimize the risk:

Scan and monitor systems and firmware updates. Update systems to the latest validated firmware and software. Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes. Block the URLs included in the report.

Link(s):
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
https://securityaffairs.com/146892/hacking/backdoor-like-behavior-gigabyte-systems.html