Researchers have discovered a security flaw in Gigabyte motherboards: a backdoor in App Center, a feature that downloads and runs software on reboot, which malicious actors could exploit to install malware on computers.
Backdoors, or security holes, are flaws that allow a computer system's security measures to be circumvented. Cybercriminals use such flaws to carry out operations unnoticed, such as infecting the device with malware or stealing data.
In this case, Eclypsium researchers discovered a security flaw in Gigabyte motherboards that malicious actors could exploit to store software in the motherboard's UEFI firmware.
UEFI firmware is the code that starts the computer. This bug could therefore pose a major security problem, since malicious software could be installed in the component that controls the boot of the operating system. That is, malware could be installed before the operating system's protections or antivirus could identify it.
As Eclypsium explained in a statement on its website, its follow-up analysis verified that the firmware in Gigabyte systems was downloading and running "a native Windows executable" during the system startup process. That executable is then responsible for downloading and running "additional payloads in an insecure manner".
More specifically, the backdoors that could allow software to be installed in the UEFI firmware were found in the App Center function, a tool that downloads and runs software when the computer restarts, and therefore before the operating system is loaded.
As the researchers explain, malicious actors can take advantage of these holes in App Center to install malicious software before the operating system loads, which makes it undetectable to antivirus and very difficult to remove.
Their analysis found that this same code is present in "hundreds of Gigabyte PC models". Eclypsium stressed that it is working with the company to "address this insecure implementation of the App Center capability."
However, they also pointed out that, for the moment, the ongoing investigation has not confirmed exploitation by a specific threat actor. Still, they warned that "an active widespread backdoor that is difficult to eliminate represents a supply chain risk for organizations with Gigabyte systems."
For its part, Gigabyte has said that it remains committed to "close collaboration with the relevant units" and to implementing strong security measures to "protect users".
As the company explained in a statement on its website, its engineering team has "mitigated potential risks" and has uploaded new beta BIOS versions for Intel 700/600 and AMD 500/400 series motherboards to its official website after "carrying out exhaustive tests and validations".
It has also strengthened system security by implementing "tighter" security controls during the operating system startup process to prevent potential malicious activity.
The first of these measures is signature verification, which reinforces the validation of files downloaded from remote servers and therefore blocks the insertion of malicious code.
The second is limiting privileged access, which ensures that files are downloaded exclusively from servers with "valid and trusted" certificates, according to Gigabyte.
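The two controls Gigabyte describes, verifying what is downloaded and downloading only from servers whose certificate is valid and trusted, can be illustrated with a small download policy. The code below is an added example written for this page; it is not Gigabyte's or Eclypsium's code and does not reflect how the vendor's updater is implemented. The host allowlist (`updates.example.invalid`) is a constructed placeholder, and because the Python standard library has no asymmetric signature primitive, a SHA-256 digest pinned in the firmware image stands in for the vendor's signature verification; the point it makes is the same: the reference the download is checked against must come from somewhere the attacker cannot reach, never from the download server itself.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder: in a real updater this allowlist and the pinned
# digest would be embedded in the firmware image, not fetched from the network.
TRUSTED_UPDATE_HOSTS = {"updates.example.invalid"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used to build the pinned reference)."""
    return hashlib.sha256(data).hexdigest()


def is_trusted_source(url: str) -> bool:
    """Accept only HTTPS URLs whose host is on the embedded allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in TRUSTED_UPDATE_HOSTS


def build_tls_context() -> ssl.SSLContext:
    """TLS context that requires a valid, trusted server certificate whose
    name matches the host; plain HTTP and unverified TLS are never used."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verify_payload(data: bytes, expected_sha256: str) -> bool:
    """Integrity check of the downloaded bytes against the pinned digest.

    Stand-in for signature verification (assumption for this example): the
    digest is trusted because it ships inside the firmware image, so a server
    that has been tampered with cannot also rewrite the reference.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def https_fetch(url: str) -> bytes:
    """Default fetcher: urllib with the verifying TLS context."""
    with urllib.request.urlopen(url, context=build_tls_context(), timeout=30) as resp:
        return resp.read()


def fetch_update(url: str, expected_sha256: str, fetch=https_fetch):
    """Download an update only from a trusted source and hand it back only if
    its integrity check passes; any policy failure returns None so the caller
    never executes unverified bytes."""
    if not is_trusted_source(url):
        return None
    data = fetch(url)
    if not verify_payload(data, expected_sha256):
        return None
    return data


if __name__ == "__main__":
    # Constructed sample payload standing in for a downloaded executable;
    # the fetcher is replaced so the demonstration runs offline.
    sample = b"constructed sample update payload"
    pinned = sha256_hex(sample)
    print(fetch_update("https://updates.example.invalid/update.bin", pinned,
                       fetch=lambda url: sample) is not None)   # accepted
    print(fetch_update("http://updates.example.invalid/update.bin", pinned,
                       fetch=lambda url: sample) is None)       # plain HTTP refused
    print(fetch_update("https://updates.example.invalid/update.bin", pinned,
                       fetch=lambda url: sample + b"!") is None)  # tampered payload refused
```

The `fetch` parameter exists only so the policy can be exercised without a network; in deployment the default `https_fetch` is used. The order of checks matters: the source policy runs before any bytes are requested, and the integrity check runs before anything is written to disk or executed, so a failure at either step leaves nothing behind.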
In addition, for those using Gigabyte systems or systems with a motherboard that could be affected, Eclypsium recommends some security measures to avoid infection.
First, they stress the importance of scanning and monitoring systems and firmware updates to detect affected systems. Systems should also be updated to the latest validated firmware and software.
Another measure is to disable the "Download and install" function of App Center, which is done in the UEFI settings on Gigabyte systems.
The issue is still being investigated for any signs of related malicious activity.