Researchers warn that the UEFI firmware in many motherboards made by PC hardware manufacturer Gigabyte injects executable code inside the Windows kernel in an unsafe way that can be abused by attackers to compromise systems. Sophisticated APT groups are abusing similar implementations in the wild.
“While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems,” researchers from security firm Eclypsium said in a report.
Executable malware injection from firmware
The Eclypsium researchers came across the vulnerable implementation after their platform triggered detections in the wild for behavior that seemed consistent with a BIOS/UEFI rootkit. Such rootkits, also known as bootkits, are very dangerous and difficult to remove because they reside in the low-level system firmware and inject code inside the operating system every time it boots. This means that reinstalling the OS or even changing the hard disk drive would not remove the infection and it would reappear.
The UEFI firmware is a mini-OS in itself with different modules that handles the hardware initialization before passing the boot sequence to the bootloader and the installed operating system.
The process of injecting code from firmware into the OS memory has been used before for various feature implementations. For example, some BIOSes come with an anti-theft feature called Absolute LoJack, previously known as Computrace, that allows users to remotely track and wipe their computers if stolen. The way this is implemented is by having a BIOS agent inject an application into the OS even if it’s reinstalled.
Security researchers warned since 2014 that the LoJack Windows agent can be abused and made to connect to a rogue serve. Then in 2018 researchers found the technology being abused by APT28, aka Fancy Bear, a hacking division of the Russian military intelligence service.
The case is similar with Gigabyte’s firmware module, which injects a Windows executable into the WPBT ACPI table during system start from where it is automatically executed by the Windows Session Manager Subsystem (smss.exe) and writes a file in the Windows system32 folder called GigabyteUpdateService.exe. The goal in this case is for the BIOS to automatically deploy a Gigabyte system and driver update application when the BIOS feature called APP Center Download & Install is enabled.
Insecure connections to download server
The Gigabyte update application automatically searches for updates to download and execute by checking three URLs. One of them is a Gigabyte download server over HTTPS, another is the same server but the connection is using plain HTTP, and the third is a URL to a non-qualified domain called software-nas that can be a device on the local network.
Two of the three methods of downloading files are highly problematic. Unencrypted HTTP connections are vulnerable to man-in-the-middle attacks. An attacker sitting on the same network or in control of a router on the network can direct the system to a server under their control and the application would have no way of knowing it’s not talking with the real Gigabyte server.
The third URL is equally problematic and even easier to abuse as an attacker on the same network on a compromised system could deploy a web server and set the computer’s name to software-nas without even resorting to DNS spoofing or other techniques. Finally, even the HTTPS connection is vulnerable to man-in-the-middle because the update application doesn’t implement server certificate validation correctly, which means attackers could still spoof the server.
Another problem is that even if the Gigabyte tools and updates are digitally signed with a valid signature, the firmware does not perform any digital signature verification or validation over any executables, so attackers could easily abuse the feature.
“The rate of discovery of new UEFI rootkits has accelerated sharply in recent years as seen by the discovery of LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023),” the Eclypsium researchers said. “Most of these were used to enable persistence of other, OS-based malware. This Gigabyte firmware images and the persistently dropped Windows executable enable the same attack scenario. Often, the above implants made their native Windows executables look like legitimate update tools. In the case of MosaicRegressor, the Windows payload was named ‘IntelUpdater.exe’.”
The researchers advise organizations with Gigabyte systems to disable the APP Center Download & Install feature in UEFI and to block the three URLs in firewalls. Organizations can also look for attempted connections to these URLs to detect which systems might be affected on their networks but should more generally look for connections that could originate from similar features from other manufacturers. Even if not deployed in firmware, applications pre-installed by PC manufacturers on computers can also open vulnerabilities. This was the case with a Lenovo application called Superfish that deployed an untrusted root certificate that could be abused by attackers.