Eclypsium, a firmware-focused cybersecurity company, has shared a list of 271 motherboards sold by GIGABYTE that, according to researchers, include a hidden backdoor in the firmware that could be used by attackers to install malware onto a system. “Our […] analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable during the system startup process, and this executable then downloads and executes additional payloads insecurely,” Eclypsium explained in a blog post dated today that details the company’s key findings, including the level of impact and what organizations with the affected motherboards can do to minimize risk. Eclypsium says it’s working with GIGABYTE to address the issue, which appears to stem from the App Center feature.
From an Eclypsium post:
This backdoor appears to be implementing intentional functionality and would require a firmware update to completely remove it from affected systems. While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems.
The firmware does not implement any cryptographic digital signature verification or any other validation over the executables. The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers). As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.
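The quoted post's core finding is that the startup component fetches and runs executables without any transport or signature check, which is what makes a man-in-the-middle or a compromised download server sufficient for persistence. The following Python is an added illustration of the missing validation step, written for this page and not code from Eclypsium, GIGABYTE, or the App Center feature. It is deliberately offline: the sample payload, the release identifier, the `https://updates.example.invalid` URL and the pinned digest are all constructed placeholders, and a pinned SHA-256 digest stands in for the Authenticode-style signature verification that a real updater would perform before executing anything it downloaded.

```python
import hashlib
import hmac
from typing import Callable, Tuple
from urllib.parse import urlparse

# Constructed sample "update" payload (not a real binary) and a pinned digest
# table that ships with the updater, i.e. the trust anchor the quoted post
# says the firmware component lacks. Hypothetical release id and values.
SAMPLE_UPDATE = b"MZ\x90\x00 constructed sample update payload, not a real executable"
PINNED_DIGESTS = {
    "updater-1.0": hashlib.sha256(SAMPLE_UPDATE).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def validate_download(url: str, payload: bytes, release_id: str) -> Tuple[bool, str]:
    """Decide whether a fetched payload may be executed.

    Returns (ok, reason). Every check must pass: TLS-only transport (blocks the
    plaintext MITM path), a known release id, and a constant-time digest match
    against the pinned value (blocks a swapped or tampered file).
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return False, "refusing plaintext transport: scheme=%s" % scheme
    expected = PINNED_DIGESTS.get(release_id)
    if expected is None:
        return False, "unknown release id: %s" % release_id
    if not hmac.compare_digest(sha256_hex(payload), expected):
        return False, "digest mismatch: payload does not match pinned value"
    return True, "ok"


def run_if_valid(url: str, payload: bytes, release_id: str,
                 executor: Callable[[bytes], str]) -> str:
    """Hardened flow: validate first, execute only on success."""
    ok, reason = validate_download(url, payload, release_id)
    if not ok:
        return "rejected: " + reason
    return executor(payload)


def run_unvalidated(payload: bytes, executor: Callable[[bytes], str]) -> str:
    """The behaviour the post describes: whatever arrives is executed."""
    return executor(payload)


def simulate_tamper(payload: bytes) -> bytes:
    """Constructed stand-in for an on-path modification: flip one byte."""
    return payload[:8] + bytes([payload[8] ^ 0xFF]) + payload[9:]


def record_only(payload: bytes) -> str:
    """Executor used for the demo; it only reports, it runs nothing."""
    return "executed %d bytes" % len(payload)


if __name__ == "__main__":
    good_url = "https://updates.example.invalid/updater-1.0.exe"  # placeholder host
    print(run_if_valid(good_url, SAMPLE_UPDATE, "updater-1.0", record_only))
    print(run_if_valid("http://updates.example.invalid/updater-1.0.exe",
                       SAMPLE_UPDATE, "updater-1.0", record_only))
    print(run_if_valid(good_url, simulate_tamper(SAMPLE_UPDATE), "updater-1.0", record_only))
    # The unvalidated path accepts the tampered file without complaint.
    print(run_unvalidated(simulate_tamper(SAMPLE_UPDATE), record_only))
```

The contrast between `run_if_valid` and `run_unvalidated` is the whole point: the Windows code-signing status of the file that eventually lands on disk, which the post notes the GIGABYTE tools do carry, does nothing if the component that downloads and launches it never checks anything. In production the digest table would be replaced by a signature check against a public key embedded in the updater and the TLS connection would pin the vendor's certificate; the decision structure stays the same.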