Potential Backdoor in Gigabyte PCs Exposes Supply Chain Risks

Written by

Cybersecurity firm Eclypsium has uncovered a potential backdoor in Gigabyte systems, raising concerns about the security of the technology supply chain.

Writing in a blog post on Wednesday, the company explained it used its automated heuristics to detect suspicious behavior within Gigabyte systems.

Further analysis revealed that firmware in these systems was dropping and executing a Windows native executable during the system startup process. The executable then proceeded to download and run additional payloads insecurely. 

Eclypsium explained that the backdoor mechanism shares similarities with other OEM backdoor-like features and firmware implants previously abused by threat actors.

Read more on similar malware tools: New Backdoor MQsTTang Attributed to Mustang Panda Group

Potential risks associated with this backdoor expose organizations to threats such as supply chain and local environment compromise, as well as malware persistence via the functionality of this firmware in systems.

The vulnerable code was reportedly found in hundreds of models of Gigabyte PCs, posing a significant supply chain risk. While no specific exploitation by threat actors has been confirmed, the security experts said the existence of a widespread backdoor that is difficult to remove raises severe concerns for firms relying on Gigabyte systems.

“Almost all security work is focused on inadvertent vulnerabilities created innocently by developers,” commented Jeff Williams, co-founder and CTO at Contrast Security.

“However, imagine you’re a malicious developer that wants to trojan your company’s software with a backdoor.”

According to the executive, an intelligent attacker will not rely on an obvious backdoor. Instead, they will introduce a common vulnerability that looks accidental.  

“That way, they maintain plausible deniability if the backdoor is detected. The only way to tell the difference between a vulnerability from a backdoor is to try to discern that developer’s intent – which is essentially impossible. In this case, we may never know,” Williams added.

To address this issue, Eclypsium confirmed it is currently working closely with Gigabyte to rectify the insecure implementation of its app center capability.

The advisory comes weeks after Symantec’s Threat Hunter Team shared findings on a new backdoor used in attacks targeting organizations in South and Southeast Asia.

Editorial image credit: RSplaneta / Shutterstock.com

What’s hot on Infosecurity Magazine?