Cybersecurity research firm Eclypsium said it discovered backdoor-like behavior in Gigabyte's firmware that puts at risk hundreds of motherboard models made by the Taiwanese tech giant.
The anomaly was first detected in April 2023. Follow-up analysis found that the firmware on Gigabyte systems drops and executes a native Windows executable during system startup, and that this executable then downloads and executes additional payloads insecurely.
The Windows executable is embedded in the UEFI firmware image and is written to disk by the firmware as part of the boot process.
“During the Driver Execution Environment (DXE) phase of the UEFI firmware boot process, the “WpbtDxe.efi” firmware module uses the above GUID to load the embedded Windows executable file into memory, installing it into a WPBT ACPI table which will later be loaded and executed by the Windows Session Manager Subsystem (smss.exe) upon Windows startup. The “WpbtDxe.efi” module checks if the “APP Center Download & Install” feature has been enabled in the BIOS/UEFI Setup before installing the executable into the WPBT ACPI table. Although this setting appears to be disabled by default, it was enabled on the system we examined,” the company explains.
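To make the mechanism in the quoted passage concrete, here is an added example, not Eclypsium's or Gigabyte's code, that parses a WPBT ACPI table and reports what the firmware handed to Windows: where in physical memory the image sits, its size, the content layout and type, and the command line smss.exe will pass to it. The field offsets follow Microsoft's WPBT specification (v1.1) as read by the author: a standard 36-byte ACPI header, then HandoffMemorySize, HandoffMemoryLocation, ContentLayout, ContentType, CommandLineLength and a UTF-16LE command line. The table bytes below are constructed for the example (the OEM strings, address, size and command line are made up); on a live Windows system you would obtain the real bytes with GetSystemFirmwareTable (provider 'ACPI', table 'WPBT', minding the byte-reversed multi-character constants) or from the registry under HKLM\HARDWARE\ACPI\WPBT, which exists only when firmware registered a table this boot.

```c
/* Parser for the ACPI Windows Platform Binary Table (WPBT): the table that
 * WpbtDxe.efi populates at boot and that smss.exe later reads to run the
 * embedded executable. Added example, not Eclypsium's or Gigabyte's code.
 * Field offsets follow Microsoft's WPBT specification (v1.1): a standard
 * 36-byte ACPI header, then HandoffMemorySize (u32), HandoffMemoryLocation
 * (u64 physical address), ContentLayout (u8), ContentType (u8),
 * CommandLineLength (u16) and a UTF-16LE command line. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WPBT_HEADER_LEN 36u
#define WPBT_FIXED_LEN  52u     /* header + handoff fields, before the command line */

typedef struct {
    char     oem_id[7];         /* 6-byte OEMID, NUL-terminated copy */
    char     oem_table_id[9];
    uint32_t handoff_size;      /* size of the PE image the firmware left in memory */
    uint64_t handoff_addr;      /* physical address of that image */
    uint8_t  content_layout;    /* 1 = single PE image */
    uint8_t  content_type;      /* 1 = native user-mode application */
    uint16_t cmdline_len;       /* bytes of UTF-16LE command line after the fixed part */
    char     cmdline_ascii[64]; /* command line folded to ASCII for display */
} wpbt_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* An ACPI table is intact when its bytes [0, Length) sum to 0 modulo 256. */
int wpbt_checksum_ok(const uint8_t *t, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + t[i]);
    return sum == 0;
}

/* Returns 0 on success; -1 bad signature/too short, -2 bad Length,
 * -3 checksum mismatch, -4 command line overruns the table. */
int wpbt_parse(const uint8_t *t, size_t buflen, wpbt_info *out) {
    if (buflen < WPBT_FIXED_LEN || memcmp(t, "WPBT", 4) != 0) return -1;
    uint32_t len = rd32(t + 4);
    if (len < WPBT_FIXED_LEN || len > buflen) return -2;
    if (!wpbt_checksum_ok(t, len)) return -3;
    memset(out, 0, sizeof *out);
    memcpy(out->oem_id, t + 10, 6);
    memcpy(out->oem_table_id, t + 16, 8);
    out->handoff_size   = rd32(t + 36);
    out->handoff_addr   = rd64(t + 40);
    out->content_layout = t[48];
    out->content_type   = t[49];
    out->cmdline_len    = rd16(t + 50);
    if (WPBT_FIXED_LEN + (size_t)out->cmdline_len > len) return -4;
    size_t nchars = out->cmdline_len / 2;
    if (nchars >= sizeof out->cmdline_ascii) nchars = sizeof out->cmdline_ascii - 1;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t ch = rd16(t + WPBT_FIXED_LEN + 2 * i);
        if (ch == 0) break;                        /* spec allows a NUL terminator */
        out->cmdline_ascii[i] = (ch >= 0x20 && ch < 0x7f) ? (char)ch : '?';
    }
    return 0;
}

/* Constructed sample table (not a dump from a real board): a 0x30000-byte
 * image at physical 0x7D1F0000 with the command line "/silent". */
size_t wpbt_build_sample(uint8_t *buf, size_t cap) {
    static const char cmd[] = "/silent";           /* 7 chars + NUL = 8 UTF-16 units */
    size_t cmd_bytes = 2 * sizeof cmd;             /* 16 */
    size_t len = WPBT_FIXED_LEN + cmd_bytes;       /* 68 */
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, "WPBT", 4);
    wr32(buf + 4, (uint32_t)len);
    buf[8] = 1;                                    /* Revision */
    memcpy(buf + 10, "SAMPLE", 6);                 /* OEMID (constructed) */
    memcpy(buf + 16, "CONSTRCT", 8);               /* OEM Table ID (constructed) */
    memcpy(buf + 28, "EXMP", 4);                   /* Creator ID (constructed) */
    wr32(buf + 36, 0x30000u);
    wr64(buf + 40, 0x7D1F0000ULL);
    buf[48] = 1; buf[49] = 1;
    buf[50] = (uint8_t)cmd_bytes; buf[51] = 0;
    for (size_t i = 0; i < sizeof cmd; i++) buf[WPBT_FIXED_LEN + 2 * i] = (uint8_t)cmd[i];
    uint8_t sum = 0;                               /* fix up the header checksum last */
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + buf[i]);
    buf[9] = (uint8_t)(0u - sum);
    return len;
}

int main(void) {
    uint8_t buf[128];
    wpbt_info info;
    size_t n = wpbt_build_sample(buf, sizeof buf);
    int rc = wpbt_parse(buf, n, &info);
    if (rc != 0) { printf("WPBT parse failed: %d\n", rc); return 1; }
    printf("OEM %s / %s: %" PRIu32 "-byte image at 0x%" PRIx64 ", layout %u, type %u, cmdline \"%s\"\n",
           info.oem_id, info.oem_table_id, info.handoff_size, info.handoff_addr,
           info.content_layout, info.content_type, info.cmdline_ascii);
    return 0;
}
```

The checksum and length checks matter on real input: a truncated registry dump or a tampered table should be reported, not parsed into plausible-looking values. Finding any WPBT table on a machine where you did not expect one is itself the signal worth investigating, since it means the firmware registered a binary for Windows to run on this boot; with the "APP Center Download & Install" option off, the quoted module should register nothing.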
Eclypsium notes that the dropped updater sometimes fetches its payloads over plain HTTP rather than HTTPS, so an attacker positioned between the user's system and Gigabyte's servers could carry out a man-in-the-middle (MitM) attack and substitute a payload of their own. So far, however, there is no evidence that the backdoor has been used for malicious purposes.
Eclypsium said it is working with Gigabyte to address the problem, which will likely require a firmware update. In the meantime, owners of Gigabyte motherboards can reduce their exposure by disabling the "APP Center Download & Install" feature in the board's UEFI setup, and by scanning their systems and any firmware updates for the backdoor-like components embedded in the firmware.
The full list of affected Gigabyte motherboard models is available here.