Hundreds of Gigabyte PCs have been found to be affected by a backdoor that poses supply chain risks, according to researchers at the supply chain security vendor Eclypsium. Using the firm’s platform, the researchers discovered “suspected backdoor-like behaviour” in systems manufactured by the PC hardware vendor. The backdoor appears to be an intentional but “insecure implementation” of the Gigabyte App Center, which is used to download applications for Gigabyte motherboards. The firm’s analysis found that the firmware in Gigabyte systems drops and executes a Windows native executable during the system start-up process, which then downloads and executes additional payloads from Gigabyte servers. Gigabyte has yet to respond to the findings at this time.
Eclypsium noted that the implementation is concerning because threat actors have previously exploited legitimate “OEM backdoors” to conduct campaigns. The supply chain security vendor cited the example of the Russian advanced persistent threat group Fancy Bear, which exploited a similar flaw in Computrace LoJack. Researchers said they were worried about the backdoor’s potential for use in supply chain attacks, even though the vendor has not yet seen any threat actors exploiting it. The Eclypsium report also noted that malicious actors could abuse the Gigabyte App Center flaw through man-in-the-middle attacks or DNS poisoning to compromise targeted systems.
Additionally, the firmware fails to implement cryptographic digital signature verification or any other secure validation method for what it downloads, posing further cybersecurity risks. While the dropped executable and the Gigabyte tools carry a Gigabyte cryptographic signature that satisfies Microsoft Windows code signing requirements, this does little to prevent malicious use, especially when combined with living-off-the-land techniques. As a result, any threat actor able to take a man-in-the-middle (MITM) position or compromise the download infrastructure can use this mechanism to persistently infect vulnerable systems.
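The missing check the report describes, as an added illustration that is not Eclypsium’s or Gigabyte’s code: an updater that runs whatever the download returns, beside one that only releases the payload for execution after a detached Ed25519 signature verifies under a vendor key pinned in the image. The key pair, payload bytes and function names are constructed for this example; the real product uses Windows binaries, but the verification step it lacks is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrUntrustedPayload is returned when a downloaded payload fails signature verification.
var ErrUntrustedPayload = errors.New("payload signature does not verify against the pinned vendor key")

// acceptUnverified is the weak pattern the report describes: whatever the server
// (or anyone able to answer in its place) returns is handed straight to the executor.
func acceptUnverified(payload []byte) []byte {
	return payload
}

// acceptVerified releases the payload for execution only if the detached Ed25519
// signature verifies under the vendor public key pinned in the firmware image.
// The key is embedded, never fetched, so a MITM or a DNS-poisoned download
// server cannot substitute its own key along with its own payload.
func acceptVerified(pinned ed25519.PublicKey, payload, sig []byte) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, payload, sig) {
		return nil, ErrUntrustedPayload
	}
	return payload, nil
}

// signPayload is the vendor-side step: a detached signature over the release bytes.
func signPayload(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

func main() {
	// Constructed example: a vendor key pair and the bytes of a legitimate release.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	release := []byte("constructed legitimate updater bytes")
	sig := signPayload(priv, release)

	// A tampered response body, as a MITM on the download path would deliver it.
	tampered := []byte("constructed attacker-substituted bytes")
	fmt.Printf("unverified path accepts tampered body: %v\n", acceptUnverified(tampered) != nil)
	_, err := acceptVerified(pub, tampered, sig)
	fmt.Printf("verified path rejects tampered body: %v\n", errors.Is(err, ErrUntrustedPayload))
	_, err = acceptVerified(pub, release, sig)
	fmt.Printf("verified path accepts genuine release: %v\n", err == nil)
}
```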
The supply chain risk is particularly noteworthy given the increasing tendency of threat actors to employ “living-off-the-land” techniques, in which legitimate management tools and command-line functions are abused rather than deploying malware. John Loucaides, Senior Vice President of Strategy at Eclypsium, highlighted concern over whether a patch would fully fix the issue, saying user uptake of firmware updates has been “abysmal.” Even in the best case, Loucaides does not expect that most devices will receive the firmware updates needed to fix it permanently. The backdoor will therefore continue to pose a threat for years to come, even with a patch available.
The Eclypsium researchers stated that they are working with Gigabyte to address and mitigate the insecure implementation of the App Center capability. Their discovery of the Gigabyte App Center backdoor highlights the ongoing cybersecurity challenge posed by supply chain risks. Far-reaching supply chains can be exposed to deliberate or accidental vulnerabilities introduced by third-party suppliers, which in turn can cause a range of harms, as demonstrated by the SolarWinds attack in late 2020. Organisations must therefore ensure controls are in place to identify, assess and mitigate risks across their entire supply chain.

