Backdoor-like issue found in Gigabyte firmware.

Researchers at Eclypsium have discovered a firmware backdoor in motherboards sold by Taiwanese hardware manufacturer Gigabyte. The feature appears to be intended to automate firmware updates, but Eclypsium says it could be abused by threat actors via man-in-the-middle attacks. The researchers compare the vulnerability to other firmware backdoors such as LoJax, MosiacRegresser, MoonBounce, and Vector-EDK.

Potential exploitation with living-off-the-land techniques.

The researchers explain, “The firmware does not implement any cryptographic digital signature verification or any other validation over the executables. The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers). As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.”

A role for intent?

Jeff Williams, co-founder and CTO at Contrast Security, commented on the findings:

 “This quote is particularly interesting, ‘Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor.’ Almost all security work is focused on *inadvertent* vulnerabilities created innocently by developers. However, imagine you’re a malicious developer that wants to trojan your company’s software with a backdoor. A smart attacker won’t make an obvious backdoor, they’ll just introduce a common vulnerability that looks accidental. That way they maintain plausible deniability if the backdoor is detected. The only way to tell the difference between a vulnerability from a backdoor is to try to discern that developer’s intent – which is essentially impossible. In this case, we may never know.”