Attackers can abuse the UEFI firmware to inject executable malware code into the Windows kernel, compromising systems.

Researchers warn that the UEFI firmware in many motherboards made by PC hardware manufacturer Gigabyte injects executable code inside the Windows kernel in an unsafe way that can be abused by attackers to compromise systems. Sophisticated APT groups are abusing similar implementations in the wild.

“While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems,” researchers from security firm Eclypsium said in a report.

Executable malware injection from firmware

The Eclypsium researchers came across the vulnerable implementation after their platform triggered detections in the wild for behavior that seemed consistent with a BIOS/UEFI rootkit. Such rootkits, also known as bootkits, are very dangerous and difficult to remove because they reside in the low-level system firmware and inject code into the operating system every time it boots. This means that reinstalling the OS, or even replacing the hard disk drive, would not remove the infection; it would simply reappear.

The UEFI firmware is a mini-OS in itself, with different modules that handle hardware initialization before passing the boot sequence to the bootloader and the installed operating system. Injecting code from firmware into OS memory has been used before to implement various features. For example, some BIOSes come with an anti-theft feature called Absolute LoJack, previously known as Computrace, that allows users to remotely track and wipe their computers if stolen. It is implemented by having a BIOS agent inject an application into the OS even if the OS is reinstalled.

Security researchers have warned since 2014 that the LoJack Windows agent can be abused and made to connect to a rogue server.
Then in 2018 researchers found the technology being abused by APT28, aka Fancy Bear, a hacking division of the Russian military intelligence service.

The case is similar with Gigabyte’s firmware module, which injects a Windows executable into the WPBT ACPI table during system start. From there it is automatically executed by the Windows Session Manager Subsystem (smss.exe) and writes a file called GigabyteUpdateService.exe into the Windows system32 folder. The goal in this case is for the BIOS to automatically deploy a Gigabyte system and driver update application when the BIOS feature called APP Center Download & Install is enabled.

Insecure connections to download server

The Gigabyte update application automatically searches for updates to download and execute by checking three URLs. One of them points to a Gigabyte download server over HTTPS, another to the same server over plain HTTP, and the third to a non-qualified domain called software-nas, which can be a device on the local network.

Two of the three download methods are highly problematic. Unencrypted HTTP connections are vulnerable to man-in-the-middle attacks: an attacker on the same network, or in control of a router on the network, can direct the system to a server under their control, and the application has no way of knowing it is not talking to the real Gigabyte server.

The third URL is equally problematic and even easier to abuse, since an attacker on a compromised system on the same network could deploy a web server and set that computer’s name to software-nas, without even resorting to DNS spoofing or other techniques.
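To make the WPBT hand-off mechanism described above concrete from a defender's side, here is an added Python example (not Eclypsium's or Gigabyte's code) that parses a WPBT ACPI table and reports what the firmware is asking Windows to run at boot. The field layout follows Microsoft's WPBT specification as I understand it (a standard 36-byte ACPI header, then hand-off size and address, content layout, content type and a UTF-16LE argument string); the sample table, OEM strings and addresses are constructed for the example, and the Windows-only reader at the bottom assumes the documented semantics of the Win32 GetSystemFirmwareTable call.

```python
"""Parse a WPBT ACPI table and report what the firmware hands to Windows.

Added illustration, not vendor code. Layout per Microsoft's WPBT spec as
understood here: 36-byte ACPI header, then HandoffMemorySize (u32),
HandoffMemoryLocation (u64), ContentLayout (u8), ContentType (u8) and, for
type 1 (native user-mode PE), ArgumentsLength (u16) + UTF-16LE arguments.
"""
import struct
import sys

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # Signature .. CreatorRevision, 36 bytes
WPBT_FIELDS = struct.Struct("<IQBBH")          # size, address, layout, type, args length
LAYOUT_SINGLE_PE = 1
TYPE_NATIVE_USERMODE = 1


def acpi_checksum(table: bytes) -> int:
    """An ACPI table is intact when all of its bytes sum to 0 modulo 256."""
    return sum(table) & 0xFF


def build_wpbt(handoff_size: int, handoff_addr: int, arguments: str) -> bytes:
    """Construct a sample WPBT table. All values here are made up test data."""
    args = arguments.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_FIELDS.pack(handoff_size, handoff_addr, LAYOUT_SINGLE_PE,
                            TYPE_NATIVE_USERMODE, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"SAMPLE01",
                              1, b"SMPL", 1)
    table = bytearray(header + body)
    table[9] = (-acpi_checksum(bytes(table))) & 0xFF  # checksum byte is at offset 9
    return bytes(table)


def parse_wpbt(table: bytes) -> dict:
    """Validate the header and return the hand-off fields; raise on a bad table."""
    if len(table) < ACPI_HEADER.size + WPBT_FIELDS.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _csum, oem_id, oem_tid, _orev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"length field {length} does not match buffer {len(table)}")
    if acpi_checksum(table) != 0:
        raise ValueError("ACPI checksum mismatch; table is corrupt or tampered")
    size, addr, layout, ctype, args_len = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_FIELDS.size
    raw_args = table[start:start + args_len]
    if len(raw_args) != args_len:
        raise ValueError("argument string runs past the end of the table")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\x00 ").decode("ascii", "replace"),
        "handoff_size": size,
        "handoff_addr": addr,
        "layout": layout,
        "type": ctype,
        "arguments": raw_args.decode("utf-16-le", "replace").rstrip("\x00"),
    }


def assess_wpbt(info: dict) -> list:
    """Turn parsed fields into the findings an analyst wants to see first."""
    findings = []
    if info["layout"] == LAYOUT_SINGLE_PE and info["type"] == TYPE_NATIVE_USERMODE:
        findings.append(f"firmware from OEM {info['oem_id']!r} hands Windows a "
                        f"{info['handoff_size']}-byte native executable at "
                        f"0x{info['handoff_addr']:x}; smss.exe will launch it at boot")
    else:
        findings.append(f"unrecognised content layout/type {info['layout']}/{info['type']}")
    if info["arguments"]:
        findings.append(f"command line passed to the image: {info['arguments']!r}")
    return findings


def read_wpbt_windows() -> bytes:
    """Fetch the live table with GetSystemFirmwareTable (Windows only, untested offline)."""
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")     # 'ACPI' provider, 0x41435049
    table_id = int.from_bytes(b"WPBT", "little")  # signature as it sits in memory
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return b""                                # no WPBT exposed by this firmware
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw


if __name__ == "__main__":
    blob = read_wpbt_windows() if sys.platform == "win32" else \
        build_wpbt(0x1234, 0x7FF00000, "/silent")
    print("no WPBT present" if not blob else "\n".join(assess_wpbt(parse_wpbt(blob))))
```

On a Windows host the script reads the real table; elsewhere it runs against the constructed sample. The presence of a WPBT entry is not by itself malicious, but any machine whose firmware hands off an executable should have that binary, its OEM strings and its command line inventoried, since this is exactly the channel the report says a rootkit would use.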
Finally, even the HTTPS connection is vulnerable to man-in-the-middle attacks because the update application does not implement server certificate validation correctly, which means attackers could still spoof the server.

Another problem is that, even though the Gigabyte tools and updates are digitally signed with a valid signature, the firmware does not perform any digital signature verification or validation of the executables it runs, so attackers could easily abuse the feature.

“The rate of discovery of new UEFI rootkits has accelerated sharply in recent years as seen by the discovery of LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023),” the Eclypsium researchers said. “Most of these were used to enable persistence of other, OS-based malware. These Gigabyte firmware images and the persistently dropped Windows executable enable the same attack scenario. Often, the above implants made their native Windows executables look like legitimate update tools. In the case of MosaicRegressor, the Windows payload was named ‘IntelUpdater.exe’.”

The researchers advise organizations with Gigabyte systems to disable the APP Center Download & Install feature in UEFI and to block the three URLs in firewalls. Organizations can also look for attempted connections to these URLs to detect which systems on their networks might be affected, but should more generally look for connections that could originate from similar features offered by other manufacturers.

Even when not deployed from firmware, applications pre-installed by PC manufacturers can also open vulnerabilities. This was the case with a Lenovo application called Superfish, which deployed an untrusted root certificate that could be abused by attackers.
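The three channel weaknesses above (plain HTTP, an unqualified software-nas host, and HTTPS without certificate validation) and the advice to watch for connections to them can both be expressed as checks. The following Python is an added example, not Gigabyte's or Eclypsium's code: it classifies an updater URL by the risk it carries, shows the weak TLS setting next to the corrected one, and runs the classifier over proxy log lines. The hostnames, hash and log lines are constructed for the example; the real Gigabyte URLs are not reproduced here.

```python
"""Update-channel checks for a firmware-dropped updater (added example)."""
import hashlib
import ssl
from urllib.parse import urlparse

# Constructed names used only in this example.
VENDOR_HOST = "download.vendor.example"
UNQUALIFIED_HOST = "software-nas"


def classify_update_url(url: str) -> list:
    """Return the reasons a URL is an unsafe source for executables (empty = none)."""
    p = urlparse(url)
    reasons = []
    if p.scheme == "http":
        reasons.append("plain HTTP: an on-path attacker can substitute the payload")
    elif p.scheme != "https":
        reasons.append(f"unexpected scheme {p.scheme!r}")
    host = p.hostname or ""
    if "." not in host:
        reasons.append("unqualified hostname: any device on the LAN can claim this name")
    return reasons


def broken_tls_context() -> ssl.SSLContext:
    """The weak setting the report describes: HTTPS that accepts any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE   # a spoofed server is now indistinguishable
    return ctx


def secure_tls_context() -> ssl.SSLContext:
    """The corrected setting: verify the chain and the hostname, modern TLS only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_sound(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def payload_matches_pin(data: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check before anything downloaded is executed.

    A portable stand-in for the Authenticode verification the firmware skips;
    the expected digest would come from a signed manifest in a real updater.
    """
    return hashlib.sha256(data).hexdigest() == expected_sha256_hex.lower()


def scan_proxy_log(lines) -> list:
    """Flag clients fetching over a weak channel. Line format (constructed):
    '<client_ip> <METHOD> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        reasons = classify_update_url(url)
        if reasons:
            hits.append((client, urlparse(url).hostname, reasons))
    return hits


# Constructed proxy log lines for the demonstration.
SAMPLE_LOG = [
    f"10.0.0.21 GET https://{VENDOR_HOST}/updates/manifest.xml",
    f"10.0.0.21 GET http://{VENDOR_HOST}/updates/agent.exe",
    f"10.0.0.37 GET https://{UNQUALIFIED_HOST}/updates/agent.exe",
    "10.0.0.37 CONNECT",  # malformed line, skipped
]

if __name__ == "__main__":
    for client, host, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: " + "; ".join(reasons))
    print("secure context sound:", tls_context_is_sound(secure_tls_context()))
    print("broken context sound:", tls_context_is_sound(broken_tls_context()))
```

The classifier deliberately treats a bare hostname as a finding on its own, independent of the scheme: a name with no domain resolves through whatever name-resolution path the host has first, which is the property the report says makes the software-nas URL the easiest of the three to abuse. The same function can be pointed at any vendor updater's URL list or at egress logs.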