Cybersecurity firm Eclypsium has uncovered a potential backdoor in Gigabyte systems, raising concerns about the security of the technology supply chain.
Gigabyte Firmware Code Injection
Researchers from Eclypsium discovered the vulnerable implementation while investigating behavioral patterns resembling a BIOS/UEFI rootkit. Such rootkits, known as bootkits, reside in the low-level system firmware and inject code into the operating system on every boot, making them difficult to remove even if the user reinstalls the OS or replaces the hard disk drive.
The vulnerable code was reportedly found in hundreds of Gigabyte PC models, posing a significant supply chain risk. While no exploitation by threat actors has been confirmed, the security experts said that the existence of a widespread backdoor that is difficult to remove raises severe concerns for firms relying on Gigabyte systems.
Security researchers have long warned about the potential misuse of the LoJack agent, which can be made to connect to unauthorized servers. In 2018 they found evidence that APT28 (aka Fancy Bear) had exploited the feature.
According to the executive, an intelligent attacker will not rely on an obvious backdoor. Instead, they will introduce a common vulnerability that looks accidental.
The discovery of “backdoor-like behavior” in Gigabyte systems raises serious concerns about the security of UEFI firmware and the potential consequences of vulnerabilities in the firmware update process.
- Disable the APP Center Download & Install feature in UEFI.
- Monitor connections to these URLs to identify systems that may be affected on the network.
- Stay vigilant against similar features from other manufacturers, as pre-installed applications on PCs can also introduce vulnerabilities.
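The second recommendation, monitoring for connections to the updater's download endpoints, can be implemented against a proxy access log. The following is an added example, not code from Eclypsium or Gigabyte; the watchlist URLs, client addresses and log lines are constructed placeholders, to be replaced with the endpoints named in the advisory.

```python
"""Flag internal hosts that contact the firmware updater's download endpoints."""
import re
from collections import defaultdict

# PLACEHOLDER watchlist: host/path prefixes with the scheme omitted so that
# both http and https requests match. Substitute the advisory's real URLs.
WATCHLIST = (
    "updates.example-vendor.invalid/Swhttp/LiveUpdate",
    "software-nas.example.invalid/Swhttp/LiveUpdate",
)

# Squid native access-log layout: ts elapsed client status/code bytes method url ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<url>\S+)"
)


def is_watched(url, watchlist=WATCHLIST):
    """True if url (any scheme, any letter case) starts with a watchlisted prefix."""
    bare = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.lower())
    return any(bare.startswith(prefix.lower()) for prefix in watchlist)


def find_affected_hosts(log_text, watchlist=WATCHLIST):
    """Map each client address to the (timestamp, url) requests that hit the watchlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:  # malformed or non-request line: skip rather than crash
            continue
        if is_watched(match["url"], watchlist):
            hits[match["client"]].append((match["ts"], match["url"]))
    return dict(hits)


# Constructed sample log (not real traffic): two hosts reach the updater endpoints,
# one only browses an intranet page, and one line is corrupt.
SAMPLE_LOG = """\
1685570000.123     45 10.0.0.5 TCP_MISS/200 1234 GET http://updates.example-vendor.invalid/Swhttp/LiveUpdate4 - HIER_DIRECT/203.0.113.10 application/octet-stream
1685570001.456     12 10.0.0.7 TCP_MISS/200  512 GET https://intranet.example.invalid/index.html - HIER_DIRECT/198.51.100.2 text/html
1685570002.789     30 10.0.0.5 TCP_MISS/200 2048 GET https://software-nas.example.invalid/Swhttp/LiveUpdate4 - HIER_DIRECT/203.0.113.11 application/octet-stream
this line is not a log record at all
1685570003.000     20 10.0.0.9 TCP_MISS/200  100 GET HTTP://UPDATES.EXAMPLE-VENDOR.INVALID/Swhttp/LiveUpdate4 - HIER_DIRECT/203.0.113.10 application/octet-stream
"""

if __name__ == "__main__":
    for host, requests in sorted(find_affected_hosts(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(f"{ts} {url}" for ts, url in requests))
```

Hosts reported by the script are candidates for the firmware-side fix (disabling the APP Center Download & Install feature), not proof of compromise, since the updater also contacts these endpoints during normal operation.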