https://www.csoonline.com/article/3698189/gigabyte-firmware-component-can-be-abused-as-a-backdoor.html
Submission: On June 01 via api from TR — Scanned from DE
GIGABYTE FIRMWARE COMPONENT CAN BE ABUSED AS A BACKDOOR

Attackers can abuse the UEFI firmware to inject executable malware code into the Windows kernel, compromising systems.

By Lucian Constantin, CSO Senior Writer, CSO | 31 May 2023 18:57
Image credit: Justin (CC BY-SA 2.0)

Researchers warn that the UEFI firmware in many motherboards made by PC hardware manufacturer Gigabyte injects executable code inside the Windows kernel in an unsafe way that can be abused by attackers to compromise systems. Sophisticated APT groups are abusing similar implementations in the wild.

"While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems," researchers from security firm Eclypsium said in a report.

EXECUTABLE MALWARE INJECTION FROM FIRMWARE

The Eclypsium researchers came across the vulnerable implementation after their platform triggered detections in the wild for behavior that seemed consistent with a BIOS/UEFI rootkit.
Such rootkits, also known as bootkits, are very dangerous and difficult to remove because they reside in the low-level system firmware and inject code into the operating system every time it boots. This means that reinstalling the OS, or even replacing the hard disk drive, would not remove the infection: it would simply reappear.

The UEFI firmware is a mini-OS in itself, with different modules that handle hardware initialization before passing the boot sequence to the bootloader and the installed operating system.

Injecting code from firmware into OS memory has been used before to implement various features. For example, some BIOSes come with an anti-theft feature called Absolute LoJack, previously known as Computrace, that allows users to remotely track and wipe their computers if stolen. It is implemented by having a BIOS agent inject an application into the OS even after the OS is reinstalled. Security researchers have warned since 2014 that the LoJack Windows agent can be abused and made to connect to a rogue server. Then, in 2018, researchers found the technology being abused by APT28, aka Fancy Bear, a hacking division of the Russian military intelligence service.

The case is similar with Gigabyte's firmware module, which injects a Windows executable into the WPBT ACPI table during system start. From there it is automatically executed by the Windows Session Manager Subsystem (smss.exe) and writes a file called GigabyteUpdateService.exe into the Windows system32 folder. The goal is for the BIOS to automatically deploy a Gigabyte system and driver update application whenever the BIOS feature called APP Center Download & Install is enabled.

INSECURE CONNECTIONS TO DOWNLOAD SERVER

The Gigabyte update application automatically searches for updates to download and execute by checking three URLs.
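To make the WPBT hand-off described above concrete for a responder, here is an added triage parser for a dumped WPBT image. It is example code written for this page, not code from Eclypsium, Gigabyte or Microsoft. It assumes the revision-1 table layout from Microsoft's published WPBT specification (the standard 36-byte ACPI header followed by handoff memory size, handoff physical address, content layout, content type and a UTF-16 argument string), and that you have already read the raw table out of the running system, for instance with the Win32 GetSystemFirmwareTable API. The sample table bytes, OEM strings and argument string are constructed placeholders.

```python
"""Triage parser for a dumped ACPI WPBT (Windows Platform Binary Table).

Assumed layout (WPBT revision 1, Microsoft specification; not taken from
the article): 36-byte ACPI header, then HandoffMemorySize (u32),
HandoffMemoryLocation (u64), ContentLayout (u8), ContentType (u8),
ArgumentsLength (u16) and a UTF-16LE argument string.
"""
import struct

# Standard ACPI description header: Signature, Length, Revision, Checksum,
# OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body that follows the header (assumed layout, see module docstring).
WPBT_BODY = struct.Struct("<IQBBH")

CONTENT_LAYOUT_SINGLE_PE = 1   # one PE image in the handoff buffer
CONTENT_TYPE_NATIVE_APP = 1    # native user-mode app, launched by smss.exe


def acpi_checksum(table: bytes) -> int:
    """Sum of every byte mod 256; a well-formed ACPI table sums to zero."""
    return sum(table) & 0xFF


def parse_wpbt(table: bytes) -> dict:
    """Validate and decode a WPBT image; raises ValueError on malformed input."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("buffer too short for a WPBT")
    sig, length, _rev, _chk, oem_id, oem_tid, _orev, _cid, _crev = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"bad signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header Length {length} != buffer size {len(table)}")
    if acpi_checksum(table) != 0:
        raise ValueError("ACPI checksum mismatch")
    size, location, layout, ctype, arglen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + arglen > length:
        raise ValueError("ArgumentsLength runs past end of table")
    arguments = table[args_off:args_off + arglen].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_tid.decode("ascii", "replace").strip("\x00 "),
        "handoff_size": size,
        "handoff_location": location,
        "content_layout": layout,
        "content_type": ctype,
        "arguments": arguments,
    }


def triage_wpbt(table: bytes) -> list[str]:
    """Human-readable findings for an incident responder."""
    info = parse_wpbt(table)
    findings = [
        f"WPBT present, OEM {info['oem_id']!r} / table {info['oem_table_id']!r}: "
        f"firmware hands the OS a {info['handoff_size']}-byte binary at physical "
        f"0x{info['handoff_location']:x}"
    ]
    if info["content_type"] == CONTENT_TYPE_NATIVE_APP:
        findings.append("content type 1: native user-mode application, run by smss.exe "
                        "before the first Win32 session exists")
    if info["arguments"]:
        findings.append(f"command-line arguments: {info['arguments']!r}")
    return findings


def build_wpbt(oem_id: bytes, oem_table_id: bytes, location: int, size: int, arguments: str) -> bytes:
    """Assemble a constructed WPBT with a correct checksum (test data only)."""
    args = (arguments + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(size, location, CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_APP, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id, oem_table_id, 1, b"EXMP", 1)
    unchecked = header + body
    checksum = (-acpi_checksum(unchecked)) & 0xFF   # checksum byte sits at offset 9
    return unchecked[:9] + bytes([checksum]) + unchecked[10:]


# Constructed sample: placeholder OEM strings, address, size and arguments.
SAMPLE_TABLE = build_wpbt(b"EXAMPL", b"CONSTRCT", 0x7FF0_0000, 0x1000, "-install")

if __name__ == "__main__":
    for line in triage_wpbt(SAMPLE_TABLE):
        print(line)
```

A Length mismatch or non-zero checksum is the first thing to check before trusting any dumped firmware table. The mere presence of a WPBT tells you the firmware will run a binary before the first user session starts; the handoff location and size let you carve that PE out of a physical-memory image so it can be hashed and compared against the GigabyteUpdateService.exe the article says ends up in system32.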
One of them is a Gigabyte download server over HTTPS, another is the same server over plain HTTP, and the third is a URL to a non-qualified domain called software-nas, which can be a device on the local network.

Two of the three download methods are highly problematic. Unencrypted HTTP connections are vulnerable to man-in-the-middle attacks: an attacker sitting on the same network, or in control of a router on the network, can direct the system to a server under their control, and the application has no way of knowing it is not talking to the real Gigabyte server. The third URL is equally problematic and even easier to abuse, as an attacker on the same network, on a compromised system, could deploy a web server and set that computer's name to software-nas without even resorting to DNS spoofing or other techniques.

Finally, even the HTTPS connection is vulnerable to man-in-the-middle attacks because the update application does not implement server certificate validation correctly, which means attackers could still spoof the server.

Another problem is that, even though the Gigabyte tools and updates are digitally signed with a valid signature, the firmware does not perform any digital signature verification or validation of the executables it runs, so attackers could easily abuse the feature.

"The rate of discovery of new UEFI rootkits has accelerated sharply in recent years as seen by the discovery of LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023)," the Eclypsium researchers said. "Most of these were used to enable persistence of other, OS-based malware. These Gigabyte firmware images and the persistently dropped Windows executable enable the same attack scenario. Often, the above implants made their native Windows executables look like legitimate update tools. In the case of MosaicRegressor, the Windows payload was named 'IntelUpdater.exe'."
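The three fetch paths above each leave a distinct trace in proxy logs, and the article's closing advice is to look for attempted connections to find affected systems. The following detection logic, added here as an example rather than taken from the article or from Eclypsium, runs three rules over constructed proxy log lines: an executable fetched from an unqualified single-label hostname (the software-nas case), an executable fetched over cleartext HTTP, and any contact with the vendor download host, which is only useful for inventorying systems that have the feature enabled. The article does not print the real Gigabyte URLs, so the vendor host in `VENDOR_DOWNLOAD_HOSTS` is a hypothetical placeholder to replace with the blocked hosts; the log format and all sample lines are constructed.

```python
"""Flag proxy-log evidence of the insecure update-fetch behaviour described above.

Log format is a constructed one: "<timestamp> <src_ip> <method> <target> <status>".
"""
from urllib.parse import urlsplit

# Hypothetical placeholder: the article does not print the real update URLs.
# Put the vendor download host(s) you block at the firewall here.
VENDOR_DOWNLOAD_HOSTS = {"download.vendor-example.invalid"}
# The unqualified name the article says the updater tries on the local network.
UNQUALIFIED_UPDATE_HOST = "software-nas"
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".cab")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2023-06-01T08:00:01Z 10.1.1.20 GET http://software-nas/updates/UpdateTool.exe 200
2023-06-01T08:00:05Z 10.1.1.21 GET http://download.vendor-example.invalid/updates/UpdateTool.exe 200
2023-06-01T08:00:09Z 10.1.1.22 CONNECT download.vendor-example.invalid:443 200
2023-06-01T08:01:00Z 10.1.1.30 GET https://www.example.com/index.html 200
2023-06-01T08:01:30Z 10.1.1.31 GET http://intranet/wiki/page.html 200
"""


def parse_line(line: str) -> dict:
    """Split one log line into the fields the rules need."""
    ts, src, method, target, status = line.split()
    if method == "CONNECT":
        # CONNECT carries only host:port; the tunnel itself is TLS.
        host, _, _port = target.partition(":")
        return {"ts": ts, "src": src, "scheme": "https", "host": host.lower(),
                "path": "", "url": target, "status": status}
    parts = urlsplit(target)
    return {"ts": ts, "src": src, "scheme": parts.scheme.lower(),
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "url": target, "status": status}


def evaluate(event: dict) -> list[str]:
    """Return the rule names that fire for one parsed request."""
    findings = []
    host, path = event["host"], event["path"].lower()
    fetches_exe = path.endswith(EXECUTABLE_SUFFIXES)
    unqualified = "." not in host   # single-label name, resolvable by any LAN host claiming it
    if host == UNQUALIFIED_UPDATE_HOST or (unqualified and fetches_exe):
        findings.append("executable fetched from unqualified hostname (spoofable name resolution)")
    if event["scheme"] == "http" and fetches_exe:
        findings.append("executable downloaded over cleartext HTTP (substitutable in transit)")
    if host in VENDOR_DOWNLOAD_HOSTS:
        findings.append("contact with vendor update server: inventory this system for the feature")
    return findings


def scan(log_text: str) -> tuple[list[tuple[str, str, str]], set[str]]:
    """Run every rule over a log; returns (hits, affected source IPs)."""
    hits, affected = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for finding in evaluate(event):
            hits.append((event["src"], finding, event["url"]))
            affected.add(event["src"])
    return hits, affected


if __name__ == "__main__":
    hits, affected = scan(SAMPLE_LOG)
    for src, finding, url in hits:
        print(f"{src}\t{finding}\t{url}")
    print("systems to inventory:", ", ".join(sorted(affected)))
```

The first two rules are generic: they will also catch other vendors' pre-installed updaters that fetch executables over HTTP or from bare hostnames, which is the broader behaviour the article suggests hunting for. The third rule is deliberately narrow and exists only to build the list of systems on which the UEFI feature should be disabled.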
The researchers advise organizations with Gigabyte systems to disable the APP Center Download & Install feature in UEFI and to block the three URLs in firewalls. Organizations can also look for attempted connections to these URLs to detect which systems on their networks might be affected, but should more generally look for connections that could originate from similar features from other manufacturers.

Even when not deployed from firmware, applications pre-installed by PC manufacturers can also open vulnerabilities. This was the case with a Lenovo application called Superfish, which deployed an untrusted root certificate that could be abused by attackers.

Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2023 IDG Communications, Inc.