Gandalf_The_Grey
- Apr 24, 2016
Recently, the Eclypsium platform began detecting suspected backdoor-like behavior within Gigabyte systems in the wild.
These detections were driven by heuristic detection methods, which play an important role in detecting new, previously-unknown supply chain threats, where legitimate third-party technology products or updates have been compromised.
Our follow-up analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable during the system startup process, and this executable then downloads and executes additional payloads insecurely.
It uses the same techniques as other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors and even firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK.
Subsequent analysis showed that this same code is present in hundreds of models of Gigabyte PCs.
We are working with Gigabyte to address this insecure implementation of their app center capability.
Supply Chain Risk from Gigabyte App Center Backdoor - Eclypsium | Supply Chain Security for the Modern Enterprise (eclypsium.com)
Updates:
1. Gigabyte has published updates related to this issue. See the Gigabyte advisory for details.
2. Eclypsium has released a PowerShell script to Github that can assist in determining whether a system is impacted. The script compares the motherboard model to the list of models known...
Millions of PC Motherboards Were Sold With a Firmware Backdoor (www.wired.com)
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.