Tag Archives: Firmware

Gigabyte motherboards shipped with firmware backdoor!

Millions of Gigabyte motherboards and laptops shipped with a built-in backdoor in its UEFI firmware!

Here is what you need to know about this cybersecurity danger, and what you can do about it!

 

Gigabyte Motherboards Shipped With Firmware Backdoor!

On 31 May 2023, researchers at the cybersecurity firm Eclypsium revealed that 271 Gigabyte motherboard models have been compromised with UEFI firmware with a built-in backdoor!

Eclypsium’s heuristic detection methods recently began flagging suspicious backdoor-like behaviour in Gigabyte motherboards. When its researchers looked into it, they found that Gigabyte motherboard firmware was executing a Windows native executable during the system start up process. This executable then insecurely downloads and executes additional payloads.

From their analysis, the executable appears to be a legitimate Gigabyte module called WpbtDxe.efi:

  • it checks to see if the “APP Center Download & Install” feature is enabled
  • it downloads executable payloads from Gigabyte servers
  • it has a Gigabyte cryptographic signature

They also found that the downloaded payloads have Gigabyte cryptographic signatures too, which suggest that this firmware backdoor was implemented by Gigabyte itself.

However, Eclypsium researchers discovered that the Gigabyte implementation had a number of problems, which would make it easy for threat actors to abuse the firmware backdoor:

  • one of its payload download locations lacks SSL (using plain HTTP, instead of the more secure HTTPS), allowing for Machine-in-the-middle (MITM) attacks
  • remote server certificate validation was not implemented correctly even when the other two HTTPS download locations were used, which allows for MITM attacks
  • one of its payload download locations is a local network-attacked storage device (NAS), which could allow a threat actor to spoof the location of the NAS to install their own malware
  • the Gigabyte firmware itself does not verify any cryptographic signatures, or validates the downloaded executables.

In short – millions of Gigabyte motherboards have a cybersecurity vulnerability, due to their firmware which includes an insecure / vulnerable OEM backdoor. As John Loucaides from Eclypsium put it:

If you have one of these machines, you have to worry about the fact that it’s basically grabbing something from the Internet and running it without you being involved, and hasn’t done any of this securely.

The concept of going underneath the end user and taking over their machine doesn’t sit well with most people.

Note : This vulnerability affects all computers using Gigabyte motherboards, including laptops.

 

Gigabyte Rolls Out New Firmware To Mitigate Backdoor!

After the news blew up inconveniently during Computex 2023, Gigabyte quickly rolled out new beta firmware upgrades for its AMD and Intel motherboards.

According to Gigabyte, the new beta firmware upgrades have “improved security mechanisms” that will “detect and prevent malicious activities during the boot process“. It also appeared to have implemented other changes:

  • enhanced the signature verification process for fils downloaded from its remote servers
  • conduct more thorough checks of file integrity to prevent the introduction of malicious code
  • enabled standard cryptographic verification of remote server certificates

The new firmware has just been released for AMD 600-series motherboards, as well as Intel 500- and 400-series motherboards, but will eventually be introduced for older motherboards. The new firmware will have the description, “Addresses Download Assistant Vulnerabilities Reported by Eclypsium Research“.

As Gigabyte does not intend to remove the backdoor feature, you might want to consider Eclypsium’s advice on how best to reduce the risk of malicious actors taking advantage:

  1. Scan and monitor systems and firmware updates in order to detect affected Gigabyte systems and the backdoor-like tools embedded in firmware. Update systems to the latest validated firmware and software in order to address security issues like this one.
  2. Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.
  3. Administrators can also block the following URLs:
    – http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
    – https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
    – https://software-nas/Swhttp/LiveUpdate4

For starters, you should definitely download and update your Gigabyte motherboard or laptop with the improved firmware. Then disable APP Center Download & Install in the BIOS.

Let’s hope Gigabyte will be able to quickly issue new and improved firmware to mitigate, if not remove, the backdoor vulnerability for the affected 271 motherboard models, and its future motherboards and laptops. Even so, many users might not be aware of this vulnerability or these updates.

It seems likely that threat actors will have access to this backdoor vulnerability in many Gigabyte motherboards and laptops for years to come. Even Eclypsium’s Loucaides believes so:

I still think this will end up being a fairly pervasive problem on Gigabyte boards for years to come.

 

Please Support My Work!

Support my work through a bank transfer /  PayPal / credit card!

Name : Adrian Wong
Bank Transfer : CIMB 7064555917 (Swift Code : CIBBMYKL)
Credit Card / Paypal : https://paypal.me/techarp

Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.

He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.

 

Recommended Reading

Go Back To > Computer | Cybersecurity | Tech ARP

 

Support Tech ARP!

Please support us by visiting our sponsors, participating in the Tech ARP Forums, or donating to our fund. Thank you!

MSI Users At Risk Of Rogue BIOS / Firmware Updates!

MSI users are at risk of rogue BIOS / firmware updates, after hackers got hold of its source codes, private keys and BIOS firmware!

 

MSI Hit By Ransomware Attack + Data Theft!

On 7 April 2023, MSI (Micro-Star International) was hit by a ransomware attack, in which the hackers allegedly exfiltrated 1.5 terabytes of source codes, BIOS firmware, private keys and other data from its servers.

In its terse regulatory filing with the Taiwan Stock Exchange (TWSE), MSI admitted that it was hacked, but did not detail the circumstances or nature of the attack.

After detecting some information systems being attacked by hackers,MSI’s IT department has initiated information security defense mechanism and recovery procedures. The Company also has been reported the anomaly to the relevant government authorities.

MSI claimed that the attack had “[no] significant impact our business in terms of financial and operational currently“, but said that it was “enhancing the information security control measures of its network and infrastructure to ensure data security.

In a public statement, MSI also urged users to only obtain firmware / BIOS updates from its official website, and refrain from using other sources.

Read more : MSI Hit By $4 Million Ransomware Attack + Data Theft!

 

Stolen Data Exposes MSI Users To Rogue BIOS / Firmware Updates!

The MSI ransomware attack and data theft appear to be committed by the Money Message ransomware gang, which has threatened to release the 1.5 terabytes of critical data that it exfiltrated from MSI servers.

While MSI has apparently restored files encrypted by the ransomware, exposure of the private keys and source codes, will likely allow Money Message or other threat actors to develop rogue BIOS or firmware updates.

Installing rogue BIOS / firmware updates will give the malware the access level of a super-low-level rootkit, giving it full control over your computer, with the ability to spy on almost everything you do. Such malware will also be extremely difficult to detect and remove. After all, it boots up before the operating system!

These days, rogue BIOS or firmware updates are much less of a problem because they are usually digitally-signed by the vendor, MSI in this case. Even if threat actors distribute Trojanised downloads for MSI users, they cannot create the right digital signatures for those files.

However, now that MSI’s private keys have been stolen, they can be used to create rogue BIOS or firmware updates with authentic digital signatures! MSI users downloading and installing those updates will never know the difference.

Recommended : Can Approve New Participant block WhatsApp hackers?!

The biggest risk right now is with PC hardware enthusiasts who enjoy installing unofficial firmware updates to gain access to special settings. That is precisely why MSI is urging its users to only download files from its official website.

Of course, this assumes that the MSI download servers are secure, and have not been compromised. If the threat actors have access to the MSI download servers, they can insert Trojanised downloads with proper signatures, and MSI system administrators may be none the wiser!

Let’s hope that this incident forces MSI to take a much closer look at its cybersecurity measures, and run penetration tests to ensure that its download servers are secure. Otherwise, some threat actors will likely hit pay dirt with MSI users!

 

Please Support My Work!

Support my work through a bank transfer /  PayPal / credit card!

Name : Adrian Wong
Bank Transfer : CIMB 7064555917 (Swift Code : CIBBMYKL)
Credit Card / Paypal : https://paypal.me/techarp

Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.

He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.

 

Recommended Reading

Go Back To > Business | ComputerTech ARP

 

Support Tech ARP!

Please support us by visiting our sponsors, participating in the Tech ARP Forums, or donating to our fund. Thank you!

MSI Hit By $4 Million Ransomware Attack + Data Theft!

MSI just got hit by a massive ransomware attack, but even worse – it lost a ton of critical data to the hackers!

 

MSI Hit By Ransomware Attack + Data Theft!

On 7 April 2023, MSI (Micro-Star International) was hit by a ransomware attack, in which the hackers allegedly exfiltrated 1.5 terabytes of source codes, BIOS firmware, private keys and other data from its servers.

In its terse regulatory filing with the Taiwan Stock Exchange (TWSE), MSI admitted that it was hacked, but did not detail the circumstances or nature of the attack.

After detecting some information systems being attacked by hackers,MSI’s IT department has initiated information security defense mechanism and recovery procedures. The Company also has been reported the anomaly to the relevant government authorities.

MSI claimed that the attack had “[no] significant impact our business in terms of financial and operational currently“, but said that it was “enhancing the information security control measures of its network and infrastructure to ensure data security.

In a public statement, MSI also urged users to only obtain firmware / BIOS updates from its official website, and refrain from using other sources.

Read more : MSI Users At Risk Of Rogue BIOS / Firmware Updates!

 

Hackers Demand $4 Million From MSI To Not Release Stolen Data

The MSI ransomware attack and data theft appear to be committed by the Money Message ransomware gang.

While MSI has apparently restored files encrypted by Money Message’s ransomware, the gang now has access to about 1.5 terabytes of critical MSI data.

According to BleepingComputer, chats between Money Message and an MSI representative show the gang demanding a ransom payment of $4 million. Otherwise, Money Message will release the stolen files.

To show that they did indeed steal those MSI files, Money Message posted screenshots of what they describe was MSI’s Enterprise Resource Planning (ERP) databases and files containing software source code, private keys, and BIOS firmware.

Recommended : Can Approve New Participant block WhatsApp hackers?!

If Money Message releases MSI confidential data, it may not just be embarrassing for the Taiwanese company, it could allow other threat actors to use the source code and private keys to create malware targeting their customers.

In light of that, MSI users should only download and install software or BIOS firmware from the official MSI website.

 

Please Support My Work!

Support my work through a bank transfer /  PayPal / credit card!

Name : Adrian Wong
Bank Transfer : CIMB 7064555917 (Swift Code : CIBBMYKL)
Credit Card / Paypal : https://paypal.me/techarp

Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.

He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.

 

Recommended Reading

Go Back To > Business | SoftwareTech ARP

 

Support Tech ARP!

Please support us by visiting our sponsors, participating in the Tech ARP Forums, or donating to our fund. Thank you!