Gigabyte firmware component can be abused as a backdoor

Gigabyte firmware component can be abused as a backdoor

Attackers can abuse the UEFI firmware to inject executable malware code into the Windows kernel, compromising systems.

Credit: Dreamstime

Researchers warn that the UEFI firmware in many motherboards made by PC hardware manufacturer Gigabyte injects executable code inside the Windows kernel in an unsafe way that can be abused by attackers to compromise systems. Sophisticated APT groups are abusing similar implementations in the wild.

"While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organisations with Gigabyte systems," researchers from security firm Eclypsium said in a report.

Executable malware injection from firmware

The Eclypsium researchers came across the vulnerable implementation after their platform triggered detections in the wild for behaviour that seemed consistent with a BIOS/UEFI rootkit. 

Such rootkits, also known as bootkits, are very dangerous and difficult to remove because they reside in the low-level system firmware and inject code inside the operating system every time it boots. This means that reinstalling the OS or even changing the hard disk drive would not remove the infection and it would reappear.

The UEFI firmware is a mini-OS in itself with different modules that handles the hardware initialisation before passing the boot sequence to the bootloader and the installed operating system.

The process of injecting code from firmware into the OS memory has been used before for various feature implementations. For example, some BIOSes come with an anti-theft feature called Absolute LoJack, previously known as Computrace, that allows users to remotely track and wipe their computers if stolen.

The way this is implemented is by having a BIOS agent inject an application into the OS even if it's reinstalled.

Security researchers warned since 2014 that the LoJack Windows agent can be abused and made to connect to a rogue serve. Then in 2018 researchers found the technology being abused by APT28, aka Fancy Bear, a hacking division of the Russian military intelligence service.

The case is similar with Gigabyte's firmware module, which injects a Windows executable into the WPBT ACPI table during system start from where it is automatically executed by the Windows Session Manager Subsystem (smss.exe) and writes a file in the Windows system32 folder called GigabyteUpdateService.exe.

The goal in this case is for the BIOS to automatically deploy a Gigabyte system and driver update application when the BIOS feature called APP Center Download & Install is enabled.

Insecure connections to download server

The Gigabyte update application automatically searches for updates to download and execute by checking three URLs. One of them is a Gigabyte download server over HTTPS, another is the same server but the connection is using plain HTTP, and the third is a URL to a non-qualified domain called software-nas that can be a device on the local network.

Two of the three methods of downloading files are highly problematic. Unencrypted HTTP connections are vulnerable to man-in-the-middle attacks. An attacker sitting on the same network or in control of a router on the network can direct the system to a server under their control and the application would have no way of knowing it's not talking with the real Gigabyte server.

The third URL is equally problematic and even easier to abuse as an attacker on the same network on a compromised system could deploy a web server and set the computer's name to software-nas without even resorting to DNS spoofing or other techniques.

Finally, even the HTTPS connection is vulnerable to man-in-the-middle because the update application doesn't implement server certificate validation correctly, which means attackers could still spoof the server.

Another problem is that even if the Gigabyte tools and updates are digitally signed with a valid signature, the firmware does not perform any digital signature verification or validation over any executables, so attackers could easily abuse the feature.

"The rate of discovery of new UEFI rootkits has accelerated sharply in recent years as seen by the discovery of LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023)," the Eclypsium researchers said.

"Most of these were used to enable persistence of other, OS-based malware. This Gigabyte firmware images and the persistently dropped Windows executable enable the same attack scenario. Often, the above implants made their native Windows executables look like legitimate update tools. In the case of MosaicRegressor, the Windows payload was named 'IntelUpdater.exe'."

The researchers advise organisations with Gigabyte systems to disable the APP Center Download & Install feature in UEFI and to block the three URLs in firewalls. Organisations can also look for attempted connections to these URLs to detect which systems might be affected on their networks but should more generally look for connections that could originate from similar features from other manufacturers.

Even if not deployed in firmware, applications pre-installed by PC manufacturers on computers can also open vulnerabilities. This was the case with a Lenovo application called Superfish that deployed an untrusted root certificate that could be abused by attackers.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Malware and VulnerabilitiesGigabyte Technology


EDGE 2024

Register your interest now for EDGE 2024!



How MSPs can capitalise on integrating AI into existing services

How MSPs can capitalise on integrating AI into existing services

​Given the pace of change, scale of digitalisation and evolution of generative AI, partners must get ahead of the trends to capture the best use of innovative AI solutions to develop new service opportunities. For MSPs, integrating AI capabilities into existing service portfolios can unlock enhancements in key areas including managed hosting, cloud computing and data centre management. This exclusive Reseller News roundtable in association with rhipe, a Crayon company and VMware, focused on how partners can integrate generative AI solutions into existing service offerings and unlocking new revenue streams.

How MSPs can capitalise on integrating AI into existing services
Access4 holds inaugural A/NZ Annual Conference

Access4 holds inaugural A/NZ Annual Conference

​Access4 held its inaugural Annual Conference in Port Douglass, Queensland, for Australia and New Zealand from 9-11 October, hosting partners from across the region with presentations on Access4 product updates, its 2023 Partner of the Year awards and more.

Access4 holds inaugural A/NZ Annual Conference
Show Comments