Submission Preview

Supply Chain Risk from Gigabyte App Center Backdoor (May 31, 2023)

Rejected submission by Anonymous Coward at 2023-06-01 07:14:34
Security

#

Recently, the Eclypsium platform began detecting suspected backdoor-like behavior within Gigabyte systems in the wild. These detections were driven by heuristic detection methods, which play an important role in detecting new, previously unknown supply chain threats, where legitimate third-party technology products or updates have been compromised. Our follow-up analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable during the system startup process, and this executable then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor-like features, such as the Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors, and even firmware implants such as Sednit LoJax, MosaicRegressor and Vector-EDK. Subsequent analysis showed that this same code is present in hundreds of models of Gigabyte PCs. We are working with Gigabyte to address this insecure implementation of their app center capability.

In the interest of protecting organizations from malicious actors, we are also publicly disclosing this information and defensive strategies on a more accelerated timeline than a typical vulnerability disclosure. This backdoor appears to be implementing intentional functionality and would require a firmware update to completely remove it from affected systems. While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems. At a high level, the relevant attack vectors include:

- Compromise in the supply chain
- Compromise in the local environment
- Malware persistence via functionality of this firmware in systems

A more detailed analysis of these risks is provided with suggested mitigations below. After a more traditional vulnerability disclosure timeline, we plan to publish details about how this works.

* Read more:

https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/ [eclypsium.com]
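The core weakness described above is an updater that fetches a payload from the network and runs it without checking who produced it. The following is an added example, not code from Eclypsium, Gigabyte or the original submission: it models the insecure "fetch and run" pattern next to a hardened updater that requires a manifest signed with a key pinned in the verifier, refuses downgrades, and checks the payload against the hash in that signed manifest. The payloads, the "servers", the file name "updater.exe" and the key are all constructed for the example; HMAC-SHA256 is used as a stand-in for the asymmetric signature a real firmware-embedded updater would verify, so the example needs nothing beyond the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed sample payloads (stand-ins for downloaded executables; not real files).
GENUINE_PAYLOAD = b"MZ\x90\x00 genuine app-center updater build 1.1"
TAMPERED_PAYLOAD = b"MZ\x90\x00 implant dressed up as the updater"

# Verification key pinned in the verifier. In a real design this would be a public key
# embedded in the firmware image and the manifest would carry an asymmetric signature;
# HMAC-SHA256 with a shared key is used here only to stay within the standard library.
PINNED_KEY = b"constructed-example-key-not-a-real-secret"

INSTALLED_VERSION = 1  # version already on the machine; used to reject downgrades


def sign_manifest(manifest_bytes: bytes, key: bytes = PINNED_KEY) -> str:
    """Tag the vendor side attaches to a manifest (HMAC stand-in for a signature)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def make_manifest(payload: bytes, version: int, key: bytes = PINNED_KEY):
    """Vendor side: describe a payload by name, SHA-256 and version, then sign that description."""
    body = json.dumps(
        {"file": "updater.exe", "sha256": hashlib.sha256(payload).hexdigest(), "version": version},
        sort_keys=True,
    ).encode()
    return body, sign_manifest(body, key)


def execute(payload: bytes) -> str:
    """Stand-in for writing the file to disk and launching it; returns a fingerprint of what would run."""
    return hashlib.sha256(payload).hexdigest()[:16]


def insecure_update(fetch) -> str:
    """The pattern the disclosure describes: fetch over an unauthenticated channel, run whatever arrives."""
    return execute(fetch("updater.exe"))


def hardened_update(fetch, manifest_bytes: bytes, manifest_sig: str,
                    installed_version: int = INSTALLED_VERSION) -> str:
    """Verify before trusting anything from the network:
       1. the manifest is signed by the pinned key (a spoofed server cannot forge it),
       2. the manifest is not older than what is installed (a replayed old manifest cannot downgrade),
       3. the payload matches the hash in the signed manifest (a swapped file is rejected)."""
    if not hmac.compare_digest(sign_manifest(manifest_bytes), manifest_sig):
        raise ValueError("manifest signature invalid")
    manifest = json.loads(manifest_bytes)
    if manifest["version"] < installed_version:
        raise ValueError("manifest offers a downgrade")
    payload = fetch(manifest["file"])
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        raise ValueError("payload hash does not match signed manifest")
    return execute(payload)


# Constructed "servers": the honest one serves the genuine build; the hostile one (a compromised
# mirror, or an on-path attacker on plain HTTP) serves the implant under the same file name.
def honest_server(name: str) -> bytes:
    return GENUINE_PAYLOAD


def hostile_server(name: str) -> bytes:
    return TAMPERED_PAYLOAD


def demo():
    """Run both updaters against both servers and report what each would have executed."""
    manifest, sig = make_manifest(GENUINE_PAYLOAD, version=2)
    results = {
        "insecure/honest": insecure_update(honest_server),
        "insecure/hostile": insecure_update(hostile_server),
        "hardened/honest": hardened_update(honest_server, manifest, sig),
    }
    try:
        hardened_update(hostile_server, manifest, sig)
        results["hardened/hostile"] = "ran"
    except ValueError as e:
        results["hardened/hostile"] = f"rejected: {e}"
    # An attacker who also rewrites the manifest to match the implant still lacks the pinned key.
    forged, _ = make_manifest(TAMPERED_PAYLOAD, version=2, key=b"attacker-key")
    try:
        hardened_update(hostile_server, forged, sign_manifest(forged, b"attacker-key"))
        results["hardened/forged-manifest"] = "ran"
    except ValueError as e:
        results["hardened/forged-manifest"] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The point of the split between manifest and payload is that the signature covers a small, fixed description rather than the binary itself, so the payload can come from any mirror and the verifier still has a single decision: does this file match what the pinned key vouched for, and is it at least as new as what is installed. Transport security (HTTPS with a pinned or properly validated certificate) is still needed to stop an attacker from observing or blocking updates, but it is not a substitute for the signature check, since a compromised vendor host serves tampered files over TLS just as happily.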

#

(PDF) Gigabyte Affected Models

https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf [eclypsium.com]

#

Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards

A backdoor feature found in hundreds of Gigabyte motherboard models can pose a significant supply chain risk to organizations.

* Read more:

https://www.securityweek.com/organizations-warned-of-backdoor-feature-in-hundreds-of-gigabyte-motherboards/ [securityweek.com]

#

Millions of PC Motherboards Were Sold With a Firmware Backdoor
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.

* Read more:

https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/ [wired.com]

#

Gigabyte.com - How to Reflash Motherboard BIOS

https://www.gigabyte.com/webpage/20/HowToReflashBIOS.html [gigabyte.com]

"We provide three BIOS flash utilities at our website."

Q-Flash, Windows, DOS

#

Gigabyte.com - Support - BIOS/Driver/Manual/File download and more

https://www.gigabyte.com/Support [gigabyte.com]

#

Millions of PC Motherboards Were Sold With a Firmware Backdoor

* Read more:

https://it.slashdot.org/story/23/05/31/1813256/millions-of-pc-motherboards-were-sold-with-a-firmware-backdoor [slashdot.org]

#

Some models of Gigabyte motherboards download firmware updates insecurely

* Discussion:

https://news.ycombinator.com/item?id=36138239 [ycombinator.com]

#

Tons of Gigabyte motherboards come with a hidden firmware backdoor

The backdoor installs software updates from unsecured web servers.

https://www.pcworld.com/article/1937046/gigabyte-shipped-hundreds-of-motherboard-models-with-a-firmware-backdoor.html [pcworld.com]
