Experts from firmware and hardware security company Eclypsium said that hundreds of Gigabyte motherboard models contain a backdoor that could pose a significant risk to organizations.
Eclypsium specialists speak about the presence of a backdoor, based on the behavior associated with this functionality, which caused trigger of alerts on the company’s platform.
Let me remind you that we also talked about Cybercriminals deliver backdoor to victims’ computers with NVIDIA driver, and also that Prynt Stealer Malware Contains a Backdoor and Steals Data from Hackers.
Also, information security specialists wrote that New PowerShell Backdoor Masquerades as a Windows Update.
In particular, the researchers determined that the firmware of many Gigabyte motherboards contains a Windows binary that is executed when the operating system boots. This file then downloads and launches another payload received from the Gigabyte servers.
It is noted that the payload is loaded via an insecure connection (HTTP or incorrectly configured HTTPS) and the legitimacy of the file is not checked in any way.
Experts admit that there is no evidence that this backdoor was used for malicious purposes, and the functionality itself is associated with the Gigabyte App Center, and this is confirmed by the documentation on the manufacturer’s website.
However, according to representatives of Eclypsium, it is difficult to completely rule out the possibility that this is a malicious backdoor that penetrated Gigabyte’s firmware either through the efforts of intruders or as a result of hacking the company’s systems. It’s also hard to tell if the backdoor wasn’t introduced into the firmware while the hardware was moving up the supply chain.
Even if this is legitimate functionality, experts warn that it can still be exploited by attackers, and hackers often use such tools in their attacks.
Eclypsium also emphasizes that hackers can use an insecure connection between the system and Gigabyte servers to spoof the payload and implement a man-in-the-middle attack.
Eclypsium includes a list of over 270 Gigabyte motherboards affected by this issue with its report. That is, the backdoor is probably present on millions of devices.
The company says it is working with Gigabyte to resolve the issue (which will likely require a firmware update). However, there has been no official comment from Gigabyte yet.