It is unclear whether this is a case of poor engineering or of an attacker gaining deep access to the company, but Gigabyte motherboards ship with an exploitable boot-process component that an attacker could leverage to inject malware at system startup. The firmware backdoor is an unprotected update component: on each boot the firmware drops a Windows executable into the operating system, and that executable then downloads and runs code from remote servers without verifying what it receives, in one case over plaintext HTTP. An attacker on the same local network, or otherwise able to intercept that traffic, can substitute a payload of their own.
The issue affects most of the Gigabyte motherboards currently on the market, with at least 271 models listed by security researchers at Eclypsium Labs. The firmware backdoor is only exploitable on systems running Windows, but it is present on boards for both Intel and AMD processors.
Firmware backdoor remains a mystery, but no evidence pointing to threat actors yet
Gigabyte suffered two ransomware attacks in 2021, and several CVEs have been assigned to its products within the last several years. However, as yet there is no evidence that the firmware backdoor is tied to any of this, or that it was actively exploited by threat actors prior to public disclosure.
It is entirely possible that an engineer simply implemented a shoddy process for checking for updates during boot-up; the technique resembles some used by malware droppers, but it is documented as a feature on the Gigabyte website and appears to have a legitimate function. Nevertheless, it needs to be patched out or remediated because of the serious vulnerability it creates.
Gigabyte is hardly alone in seeing BIOS vulnerabilities surface in recent years, and these are usually traced to oversights in the development process rather than deliberate tampering. As of the beginning of June the company has begun rolling out BIOS updates for various models. The new BIOS versions add signature verification for files downloaded from remote servers during the exploitable boot process, and enable standard cryptographic validation of the remote server's certificate, so that the updater no longer accepts whatever a man-in-the-middle hands it.
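To make the two fixes above concrete, the following added example (mine, not Gigabyte's or Eclypsium's code) shows what a download client looks like with the weak TLS setting beside the corrected one, and with an integrity check on the payload before anything is executed. It uses only the Python standard library, so the "verification check for downloaded files" is a pinned SHA-256 digest rather than a vendor signature (the standard library has no public-key signature verification); the payload, digest and `updates.example.invalid` URL are constructed for the example, and the network fetch is injected so it runs offline.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed stand-in for the reference value a patched updater would carry.
# Not a real Gigabyte digest. A vendor fix would verify a signature over the
# file; a pinned SHA-256 is used here because the standard library has no
# public-key signature verification.
EXPECTED_PAYLOAD = b"constructed update payload for the example"
PINNED_SHA256 = hashlib.sha256(EXPECTED_PAYLOAD).hexdigest()


def weak_tls_context():
    """What 'no certificate verification' looks like: any certificate for any
    hostname is accepted, so an on-path attacker can serve the payload."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_tls_context():
    """The corrected setting: chain validation against the system trust store
    plus hostname matching, which is what create_default_context() provides."""
    return ssl.create_default_context()


def context_is_safe(ctx):
    """Reusable check: a context is acceptable for fetching code only if it
    both requires a valid chain and matches the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_fetch(url, ctx, timeout=30):
    """Real fetch for use outside tests: urlopen with the supplied TLS context."""
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def fetch_update(url, expected_sha256=PINNED_SHA256, fetch=https_fetch):
    """Download an update only over verified TLS and only if the payload
    matches the pinned digest. Returns ("accepted", payload) or
    ("rejected", reason); the caller must execute nothing on rejection."""
    if urlparse(url).scheme != "https":
        return ("rejected", "non-TLS update source: %s" % url)
    ctx = strict_tls_context()
    if not context_is_safe(ctx):
        return ("rejected", "TLS context does not verify the server")
    payload = fetch(url, ctx)
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        return ("rejected", "payload digest mismatch; refusing to run it")
    return ("accepted", payload)


def fake_fetch(payload):
    """Offline stand-in for https_fetch so the example runs without network."""
    return lambda url, ctx: payload


if __name__ == "__main__":
    good = fake_fetch(EXPECTED_PAYLOAD)
    print(fetch_update("http://updates.example.invalid/LiveUpdate", fetch=good)[0])
    print(fetch_update("https://updates.example.invalid/LiveUpdate", fetch=good)[0])
    print(fetch_update("https://updates.example.invalid/LiveUpdate",
                       fetch=fake_fetch(b"tampered"))[0])
```

The ordering in `weak_tls_context` is deliberate: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is a useful reminder that hostname matching is meaningless without chain validation and vice versa. `context_is_safe` is the check worth dropping into code review of any updater: both properties have to hold, not just one.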
Risk to Gigabyte motherboards limited to local network attacks
The good news about this incident is that it is limited in scope, as the attacker must already have access to the local system or network to pull it off. Still, those who already have such access will likely hunt for Gigabyte motherboards in their attempts to move laterally and escalate privileges, since a payload delivered through this channel runs automatically at every boot. Note also that the component is written back by the firmware on each boot, so deleting it from Windows is not a fix; remediation has to come from the BIOS update or from cutting off the download channel.
Gigabyte generally sells these motherboards directly to consumers who are assembling their own PCs, particularly in the gaming market. However, it is possible that these boards are found in certain pre-built computers from Dell, Alienware and other manufacturers.
For the Gigabyte motherboard models that are not yet patched or do not have a patch forthcoming, there are some mitigation measures. Attackers can exploit the firmware backdoor through three URLs (the most problematic one being plaintext HTTP), and administrators can simply block these at the proxy or DNS resolver. A further layer of security can be added by disabling the "APP Center Download & Install" feature in the BIOS setup menu, with the trade-off that the board will no longer fetch official updates through that channel. Eclypsium Labs has documented these measures in their report.
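For defenders who want to act on the blocking advice above, the following added example (my code, not from the article or from Eclypsium's report) takes the three download locations Eclypsium's report lists for the dropped updater, explains why two of them are more dangerous than they look, scans proxy and DNS log lines for hosts trying to reach them, and emits hosts-file style sinkhole entries. The log lines are constructed samples in Squid access-log and dnsmasq query-log shape, and the client addresses and `corp.example` search suffix are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# The three download locations listed in Eclypsium's report for the updater
# that the firmware drops into Windows.
UPDATE_URLS = [
    "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4",
    "https://software-nas/Swhttp/LiveUpdate4",
]

BLOCK_HOSTS = sorted({urlparse(u).hostname for u in UPDATE_URLS})


def risk_of(url):
    """Reasons a given update URL can be hijacked from the local network."""
    p = urlparse(url)
    reasons = []
    if p.scheme == "http":
        reasons.append("plaintext HTTP: anyone on the path can swap the payload")
    if p.hostname and "." not in p.hostname:
        # An unqualified name is completed with the client's DNS search suffix,
        # so whoever answers DNS on the LAN (or spoofs it) decides where it goes.
        reasons.append("unqualified hostname: resolved via the local DNS "
                       "search suffix, so a LAN attacker can answer for it")
    return reasons


# Constructed sample lines, not real logs: two Squid-style proxy access-log
# entries followed by two dnsmasq-style query-log entries.
SAMPLE_LOGS = """\
1685620000.123     45 10.0.0.17 TCP_MISS/200 1832 GET http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 - HIER_DIRECT/203.0.113.10 text/html
1685620001.456     12 10.0.0.17 TCP_MISS/200 512 GET https://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
Jun  1 12:00:05 dnsmasq[1234]: query[A] software-nas.corp.example from 10.0.0.22
Jun  1 12:00:06 dnsmasq[1234]: query[A] updates.example.com from 10.0.0.22
"""

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Match the host as a whole label sequence; a trailing "." is allowed so that
# "software-nas.corp.example" (search suffix appended) still matches.
_HOST_PATTERNS = {
    h: re.compile(r"(?<![\w.-])" + re.escape(h) + r"(?![\w-])") for h in BLOCK_HOSTS
}


def find_update_traffic(lines):
    """Return (client_ip, host) for every line that references a blocked host.
    The first IPv4 address on the line is taken as the client, which holds for
    both log shapes used here."""
    hits = []
    for line in lines:
        for host, pat in _HOST_PATTERNS.items():
            if pat.search(line):
                m = _IPV4.search(line)
                hits.append((m.group(1) if m else "?", host))
    return hits


def sinkhole_entries():
    """hosts-file lines that send the update hosts nowhere on a single machine;
    the same hostnames go into a proxy or resolver block list."""
    return ["0.0.0.0 %s" % h for h in BLOCK_HOSTS]


if __name__ == "__main__":
    for u in UPDATE_URLS:
        print(u, "->", risk_of(u) or ["https to a fully qualified host"])
    for client, host in find_update_traffic(SAMPLE_LOGS.splitlines()):
        print("ALERT: %s reached for %s" % (client, host))
    print("\n".join(sinkhole_entries()))
```

A hit on `mb.download.gigabyte.com` is expected from an unpatched board and tells you which machines still need the BIOS update or the feature disabled; a hit on `software-nas` from a network where no such host exists is the more interesting signal, because it shows the updater asking the local resolver for a name that an attacker could choose to answer.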