Eclypsium researchers said hundreds of models of Gigabyte PCs are affected by a backdoor that poses supply chain risks.
Researchers for the supply chain security vendor said Wednesday that Eclypsium's platform recently began detecting "suspected backdoor-like behavior" in systems manufactured by PC hardware vendor Gigabyte Technology. Eclypsium's follow-up analysis indicates the backdoor is not something planted by an attacker but an intentional, insecurely implemented feature of the Gigabyte App Center, a tool that downloads and installs software for Gigabyte motherboards.
"Our follow-up analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable during the system startup process, and this executable then downloads and executes additional payloads from Gigabyte servers," the research read. "We are working with Gigabyte to address and mitigate this insecure implementation of their app center capability."
Gigabyte has not responded to TechTarget Editorial's request for comment at press time.
Eclypsium said the Gigabyte implementation is a concern because threat actors have previously turned legitimate "OEM backdoors" into attack infrastructure, citing the example of the Russian advanced persistent threat group Fancy Bear, which abused Computrace LoJack, a legitimate OEM anti-theft agent, through a similar type of flaw.
Given this precedent and the high number of Gigabyte computer models vulnerable to the flaw, researchers said they were worried about its potential for use in supply chain attacks, even though Eclypsium has not yet seen threat actors exploit the backdoor. The Eclypsium report also noted that because the updater fetches its payloads over the network, an attacker positioned on that path, whether through a man-in-the-middle attack or DNS poisoning, could substitute a payload of their own choosing and compromise targeted systems.
In addition, the firmware-dropped updater fetches and executes those payloads without verifying a cryptographic digital signature on them or applying any other secure validation of their origin or integrity.
"The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques," the research read. "As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure."
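The gap the last two paragraphs describe is the absence of any check on what the updater downloads before it runs it. The following Go program is added here as an illustration and is not code from Eclypsium, Gigabyte or the App Center; it models the two designs side by side: an updater that executes whatever the download step returns, and one that executes only bytes carrying a valid Ed25519 signature from a vendor public key pinned inside the updater. The key pairs, the payload strings, the download URL and the three download outcomes (honest server, on-path attacker swapping the body while replaying the vendor's signature, on-path attacker signing with its own key) are all constructed inline so the program runs offline. The real component is a Windows native executable; this is a model of the decision logic, not a reimplementation of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Payload is what the download step hands to the updater: the bytes it
// intends to run plus a detached vendor signature over those bytes. The
// insecure path below never looks at Signature.
type Payload struct {
	Body      []byte
	Signature []byte
}

// Fetcher stands in for the HTTP(S) download. Whoever controls the network
// path (MITM, poisoned DNS, a compromised mirror) decides what a Fetcher
// returns, which is why the updater must not trust the result blindly.
type Fetcher func(url string) Payload

// InsecureUpdate models the pattern the article describes: download, then
// execute, with no validation of what was downloaded. It returns the bytes
// the updater would hand to the OS for execution.
func InsecureUpdate(fetch Fetcher, url string) []byte {
	return fetch(url).Body
}

// SecureUpdate returns bytes to execute only when they carry a valid Ed25519
// signature from vendorPub, a public key pinned inside the updater. The
// private half never leaves the vendor's signing infrastructure, so an
// on-path attacker cannot produce a signature this check accepts.
func SecureUpdate(fetch Fetcher, url string, vendorPub ed25519.PublicKey) ([]byte, error) {
	p := fetch(url)
	if len(p.Signature) != ed25519.SignatureSize {
		return nil, errors.New("rejected: missing or malformed signature")
	}
	if !ed25519.Verify(vendorPub, p.Body, p.Signature) {
		return nil, errors.New("rejected: signature does not verify against pinned vendor key")
	}
	return p.Body, nil
}

// Outcome records what each updater would have executed in one scenario.
type Outcome struct {
	Scenario     string
	InsecureRan  []byte // bytes the insecure updater would execute
	SecureRan    []byte // bytes the secure updater would execute; nil if rejected
	SecureReject error  // why the secure updater refused, if it did
}

// RunScenarios generates a constructed vendor key pair and a constructed
// attacker key pair, then runs both updaters against three constructed
// download outcomes.
func RunScenarios() ([]Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // a key the updater never trusts
	if err != nil {
		return nil, err
	}

	genuine := []byte("vendor-tool-v2.exe (constructed sample)")
	malicious := []byte("attacker-dropper.exe (constructed sample)")
	genuineSig := ed25519.Sign(vendorPriv, genuine)

	scenarios := []struct {
		name  string
		fetch Fetcher
	}{
		{"honest server", func(string) Payload { return Payload{genuine, genuineSig} }},
		// The attacker swaps the body but can only replay the vendor's signature.
		{"MITM swaps body, replays signature", func(string) Payload { return Payload{malicious, genuineSig} }},
		// The attacker signs its own payload with a key the updater does not trust.
		{"MITM signs with own key", func(string) Payload {
			return Payload{malicious, ed25519.Sign(attackerPriv, malicious)}
		}},
	}

	const url = "https://updates.example/tool.exe" // hypothetical download URL
	var out []Outcome
	for _, s := range scenarios {
		o := Outcome{Scenario: s.name}
		o.InsecureRan = InsecureUpdate(s.fetch, url)
		o.SecureRan, o.SecureReject = SecureUpdate(s.fetch, url, vendorPub)
		out = append(out, o)
	}
	return out, nil
}

func main() {
	outcomes, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, o := range outcomes {
		fmt.Printf("%-36s insecure updater runs: %q\n", o.Scenario, o.InsecureRan)
		if o.SecureReject != nil {
			fmt.Printf("%-36s secure updater:        %v\n", "", o.SecureReject)
		} else {
			fmt.Printf("%-36s secure updater runs:   %q\n", "", o.SecureRan)
		}
	}
}
```

Run it with `go run`: in both tampered scenarios the insecure updater "executes" the attacker's bytes while the secure one rejects them, which is the whole difference between the behaviour Eclypsium found and a defensible one. Two caveats the signature check alone does not cover: an on-path attacker can still replay an older, genuinely signed but vulnerable vendor binary, so a production updater should bind a monotonically increasing version into the signed data and refuse downgrades; and the download should still go over TLS with certificate validation, so that tampering is at least visible rather than silently rejected.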
John Loucaides, senior vice president of strategy at Eclypsium, said the supply chain risk is particularly noteworthy because threat actors have increasingly used "living-off-the-land" techniques, in which they abuse legitimate management tools and built-in command-line utilities already present on a system rather than deploying malware of their own.
"In the case of this Gigabyte updater, that tool is persistent (comes back when removed), highly privileged, and comes with built-in ability to download and run a payload from the internet," he told TechTarget Editorial in an email.
Loucaides also expressed concern about whether a patch would fully fix the problem, because generally speaking, "the uptake on [users] installing firmware updates has been abysmal."
"Even in the best-case scenarios, [I] would expect that most devices don't get the firmware updates to fix this permanently," he said. "As a result, this becomes a threat for years to come."
Alexander Culafi is a writer, journalist and podcaster based in Boston.