Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards

A backdoor feature found in hundreds of Gigabyte motherboard models can pose a significant supply chain risk to organizations.


Researchers at firmware and hardware security company Eclypsium discovered that hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include backdoor functionality that could pose a significant risk to organizations.

The backdoor was discovered by Eclypsium based on behavior associated with the functionality, which triggered an alert in the company’s platform. 

Specifically, the researchers determined that the firmware on many Gigabyte systems drops a Windows binary that is executed when the operating system boots up. The dropped file then downloads and runs another payload fetched from Gigabyte servers. 

The payload is downloaded over an insecure connection (HTTP or improperly configured HTTPS), and the file's legitimacy is not verified.

There is no evidence that the backdoor has been leveraged for malicious purposes and the feature appears related to the Gigabyte App Center, which is documented on the company’s website. 

However, Eclypsium said it’s difficult to conclusively rule out that it is a malicious backdoor planted from within Gigabyte — either by a malicious insider or as a result of the company’s systems being compromised. It’s also difficult to definitively rule out that the backdoor was planted somewhere in the supply chain. 

Even if the feature is legitimate, the cybersecurity firm warned that it could end up being abused by threat actors. It’s not uncommon for skilled hackers to take advantage of such tools in their attacks. 

UEFI rootkits have in many cases been used to ensure that Windows malware persists on a compromised system, and this backdoor could serve the same purpose. In addition, these types of firmware backdoors can be difficult to remove.


Eclypsium also warned that hackers could take advantage of the insecure connection between the system and Gigabyte servers to replace the payload through a man-in-the-middle (MitM) attack. 
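The two weaknesses described above (an unverified download channel and no integrity check on the fetched file) are what make the payload swappable by an on-path attacker. The following added example, which is not Eclypsium's or Gigabyte's code, labels an updater's transport the way the article describes it and shows the hardened pattern: HTTPS with certificate validation left on, plus a digest check on the payload before anything is executed. The URL and payload bytes are constructed placeholders.

```python
import hashlib
import ssl
import urllib.request
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a payload, used for the integrity check below."""
    return hashlib.sha256(data).hexdigest()


def classify_update_channel(url: str, verify_tls: bool = True) -> str:
    """Label the transport an updater uses. Plaintext HTTP, or HTTPS with
    certificate validation disabled, both let an on-path attacker replace
    the payload (the MitM scenario the article warns about)."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "http":
        return "insecure: plaintext HTTP, payload replaceable in transit"
    if scheme == "https" and not verify_tls:
        return "insecure: HTTPS without certificate validation"
    if scheme == "https":
        return "transport ok: payload integrity still needs checking"
    return "unknown scheme"


def payload_is_authentic(data: bytes, expected_sha256: str) -> bool:
    """Second control: compare the payload against a known-good digest
    (e.g. shipped with the updater), so a swapped file is rejected even
    if the transport was somehow subverted."""
    return sha256_hex(data) == expected_sha256.lower()


def fetch_verified(url: str, expected_sha256: str, timeout: int = 10) -> bytes:
    """Hardened fetch: refuse non-HTTPS URLs, validate the server certificate
    against the system trust store, then verify the digest before returning."""
    if urlparse(url).scheme.lower() != "https":
        raise ValueError("refusing non-HTTPS update URL: %s" % url)
    ctx = ssl.create_default_context()  # hostname and chain validation stay on
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        data = resp.read()
    if not payload_is_authentic(data, expected_sha256):
        raise ValueError("payload digest mismatch; refusing to use it")
    return data


if __name__ == "__main__":
    # Constructed sample payload and its known-good digest (placeholder data).
    good = b"MZ fake updater payload"
    print(classify_update_channel("http://updates.vendor.invalid/app.exe"))
    print(payload_is_authentic(good, sha256_hex(good)))
    print(payload_is_authentic(good + b"!", sha256_hex(good)))
```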

Eclypsium has published a list of more than 270 affected motherboard models — this indicates that millions of devices likely have the backdoor. The company said it has been working with Gigabyte to address the issue, which will likely require a firmware update.

SecurityWeek has reached out to Gigabyte for comment and will update this article if the company responds. 

Threat actors have been known to target Gigabyte products in their attacks, including with sophisticated UEFI rootkits.

Related: Security Flaws in AMI BMC Can Expose Many Data Centers, Clouds to Attacks

Related: Secure Boot Bypass Flaws Affect Bootloaders of Many Devices Made in Past Decade

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
