Knowlesys

Gigabyte security vulnerability affecting approximately 7 million devices

Eclypsium cybersecurity researchers have discovered a "backdoor-like" security vulnerability in 271 of the nearly 7 million motherboards sold by Gigabyte. A Windows executable file "lurks" in the device's UEFI firmware and retrieves updates in an insecure format, triggering a hidden update program.

Eclypsium notes that a potential attacker could use this mechanism to install malicious programs without the user's knowledge, and subsequently make them difficult to detect and remove.

Eclypsium claims it first detected the anomaly in April 2023 and has since notified Gigabyte, which has acknowledged and resolved the issue.

John Loucaides, senior vice president of strategy at Eclypsium, said that most GIGABYTE firmware includes a native Windows executable embedded in the UEFI firmware. The Windows executable that the researchers detected is written to disk and executed as part of the Windows boot process, similar to the LoJack double agent attack, and the executable then downloads and runs other binaries through insecure methods.

According to Eclypsium, the Windows executable is embedded in the UEFI firmware, written to disk by the firmware as part of the system boot process, and subsequently launched as an update service. The .NET-based application was configured to download and execute the payload from the GIGABYTE update server over plain HTTP, which exposes the process to adversary-in-the-middle (AitM) attacks through a compromised router.
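The pattern described above, an update agent pulling executables over unencrypted HTTP, can be seen at the network edge. The following detection sketch is an added example, not code from Eclypsium or GIGABYTE; the log format, field names, hosts and paths are all constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed proxy records (one JSON object per line). Hosts, paths and field
# names are invented for this example; head_hex holds the first response bytes.
SAMPLE_LOG = """\
{"src":"10.0.0.21","url":"http://updates.vendor.example/agent/Update.exe","status":200,"ctype":"application/octet-stream","head_hex":"4d5a9000"}
{"src":"10.0.0.21","url":"https://updates.vendor.example/agent/Update.exe","status":200,"ctype":"application/octet-stream","head_hex":""}
{"src":"10.0.0.22","url":"http://updates.vendor.example/fw/notes.txt","status":200,"ctype":"text/plain","head_hex":"52656c"}
{"src":"10.0.0.23","url":"http://cdn.vendor.example/dl?id=7","status":200,"ctype":"application/octet-stream","head_hex":"4d5a"}
{"src":"10.0.0.24","url":"http://cdn.vendor.example/tools/Setup.EXE?v=2","status":200,"ctype":"application/x-msdownload; charset=binary","head_hex":""}
{"src":"10.0.0.25","url":"http://cdn.vendor.example/old/Update.exe","status":404,"ctype":"text/html","head_hex":"3c68"}
truncated line, not JSON
"""

EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/vnd.microsoft.portable-executable"}
EXEC_EXTS = (".exe", ".dll", ".sys", ".msi")

def executable_reason(rec, path):
    """Return why the response looks like a Windows executable, else None."""
    try:
        head = bytes.fromhex(rec.get("head_hex", ""))
    except (ValueError, TypeError):
        head = b""
    if head.startswith(b"MZ"):                      # PE/DOS magic: strongest signal
        return "MZ header"
    if rec.get("ctype", "").split(";")[0].strip().lower() in EXEC_TYPES:
        return "content type"
    if path.lower().endswith(EXEC_EXTS):            # query string already stripped
        return "file extension"
    return None

def find_cleartext_executables(log_text):
    """List (src, url, reason) for executables fetched over unencrypted HTTP."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            parts = urlsplit(rec["url"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue                                # skip malformed records
        if parts.scheme.lower() != "http" or rec.get("status") != 200:
            continue                                # TLS or failed fetch: out of scope
        reason = executable_reason(rec, parts.path)
        if reason:
            findings.append((rec["src"], rec["url"], reason))
    return findings
```

Calling `find_cleartext_executables(SAMPLE_LOG)` returns the three cleartext executable downloads in the sample, including the one served from an extension-less URL that only the `MZ` header check catches.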

Loucaides added that the software appears to be acting as a legitimate update application that could affect approximately 364 GIGABYTE systems, with a rough estimate of 7 million devices.

As threat actors continue to find ways to go undetected or leave minimal traces of intrusion, vulnerabilities in the privileged firmware update mechanism could pave the way for covert UEFI bootloaders and implants that could subvert all security controls running in the operating system.

Even worse, since the UEFI code is located on the motherboard, malware injected into the firmware can persist even after wiping the drive and reinstalling the OS. Therefore, it is recommended to apply the latest firmware update as soon as possible to minimize potential security risks. In addition, users should immediately check for and disable the "APP Center Download and Install" feature in the UEFI/BIOS settings and set a BIOS password to prevent malicious changes.