Attackers can abuse the UEFI firmware to inject executable malware code into the Windows kernel, compromising systems.

Researchers warn that the UEFI firmware in many motherboards made by PC hardware manufacturer Gigabyte injects executable code inside the Windows kernel in an unsafe way that can be abused by attackers to compromise systems. Sophisticated APT groups are abusing similar implementations in the wild.

“While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems,” researchers from security firm Eclypsium said in a report.

Executable malware injection from firmware

The Eclypsium researchers came across the vulnerable implementation after their platform triggered detections in the wild for behavior that seemed consistent with a BIOS/UEFI rootkit. Such rootkits, also known as bootkits, are very dangerous and difficult to remove because they reside in the low-level system firmware and inject code inside the operating system every time it boots. This means that reinstalling the OS or even changing the hard disk drive would not remove the infection; it would reappear.

The UEFI firmware is a mini-OS in itself, made up of different modules that handle hardware initialization before passing the boot sequence to the bootloader and the installed operating system. The process of injecting code from firmware into the OS memory has been used before for various feature implementations. For example, some BIOSes come with an anti-theft feature called Absolute LoJack, previously known as Computrace, that allows users to remotely track and wipe their computers if stolen. The way this is implemented is by having a BIOS agent inject an application into the OS even if it’s reinstalled. Security researchers have warned since 2014 that the LoJack Windows agent can be abused and made to connect to a rogue server.
Then in 2018 researchers found the technology being abused by APT28, aka Fancy Bear, a hacking division of the Russian military intelligence service.

The case is similar with Gigabyte’s firmware module, which injects a Windows executable into the WPBT ACPI table during system start. From there it is automatically executed by the Windows Session Manager Subsystem (smss.exe) and writes a file in the Windows system32 folder called GigabyteUpdateService.exe. The goal in this case is for the BIOS to automatically deploy a Gigabyte system and driver update application when the BIOS feature called APP Center Download & Install is enabled.

Insecure connections to download server

The Gigabyte update application automatically searches for updates to download and execute by checking three URLs. One of them is a Gigabyte download server over HTTPS, another is the same server but over plain HTTP, and the third is a URL to a non-qualified domain called software-nas that can be a device on the local network.

Two of the three methods of downloading files are highly problematic. Unencrypted HTTP connections are vulnerable to man-in-the-middle attacks. An attacker sitting on the same network or in control of a router on the network can direct the system to a server under their control, and the application would have no way of knowing it’s not talking with the real Gigabyte server.

The third URL is equally problematic and even easier to abuse, as an attacker on the same network on a compromised system could deploy a web server and set the computer’s name to software-nas without even resorting to DNS spoofing or other techniques.
Finally, even the HTTPS connection is vulnerable to man-in-the-middle because the update application doesn’t implement server certificate validation correctly, which means attackers could still spoof the server.

Another problem is that even though the Gigabyte tools and updates are digitally signed with a valid signature, the firmware does not perform any digital signature verification or validation over any executables, so attackers could easily abuse the feature.

“The rate of discovery of new UEFI rootkits has accelerated sharply in recent years as seen by the discovery of LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023),” the Eclypsium researchers said. “Most of these were used to enable persistence of other, OS-based malware. These Gigabyte firmware images and the persistently dropped Windows executable enable the same attack scenario. Often, the above implants made their native Windows executables look like legitimate update tools. In the case of MosaicRegressor, the Windows payload was named ‘IntelUpdater.exe’.”

The researchers advise organizations with Gigabyte systems to disable the APP Center Download & Install feature in UEFI and to block the three URLs in firewalls. Organizations can also look for attempted connections to these URLs to detect which systems might be affected on their networks, but should more generally look for connections that could originate from similar features from other manufacturers.

Even if not deployed in firmware, applications pre-installed by PC manufacturers on computers can also open vulnerabilities. This was the case with a Lenovo application called Superfish, which deployed an untrusted root certificate that could be abused by attackers.
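The WPBT mechanism described above is visible from inside Windows: the firmware hands the table to the OS, and any process can read it through the GetSystemFirmwareTable API. The following triage script is an added example written for this article; it is not Eclypsium's tooling or anything from Gigabyte. It reads the WPBT table (if the firmware exposes one), reports the size and command line of the embedded binary, checks whether the dropped GigabyteUpdateService.exe named in the article is present and how it is signed, and scans a few constructed proxy log lines for the two risky download paths the article describes (plain HTTP to the vendor host, and any request to a host called software-nas). The Gigabyte download hostname is not given on the page, so the script uses a labelled placeholder; the field offsets come from the public WPBT specification and the process name is assumed to match the file name. Run it from an elevated PowerShell prompt on a 64-bit Windows host.

```powershell
# Added example, not code from the article, Eclypsium or Gigabyte.
# Assumptions: 64-bit Windows, elevated PowerShell 5.1 or later.

Add-Type -Namespace Firmware -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-FirmwareTableId([string]$Signature) {
    # ACPI table IDs are the 4-character signature as it sits in memory
    # (little-endian DWORD), so 'WPBT' becomes 0x54425057.
    [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes($Signature), 0)
}

function Get-WpbtTable {
    $provider = 0x41435049            # 'ACPI' provider signature per the GetSystemFirmwareTable docs
    $tableId  = Get-FirmwareTableId 'WPBT'
    $size = [Firmware.Native]::GetSystemFirmwareTable($provider, $tableId, $null, 0)
    if ($size -eq 0) { return $null }  # no WPBT table: firmware is not handing Windows a binary
    $buf = New-Object byte[] $size
    [void][Firmware.Native]::GetSystemFirmwareTable($provider, $tableId, $buf, $size)
    if ($size -lt 52) { return [pscustomobject]@{ RawLength = $size; Note = 'table shorter than WPBT header' } }
    # WPBT layout (per the Windows Platform Binary Table spec): 36-byte ACPI header, then
    # handoff memory size (UINT32), physical address (UINT64), content layout (UINT8),
    # content type (UINT8), argument length (UINT16), UTF-16 command-line arguments.
    $argLen = [BitConverter]::ToUInt16($buf, 50)
    [pscustomobject]@{
        OemId           = [Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim()
        OemTableId      = [Text.Encoding]::ASCII.GetString($buf, 16, 8).Trim()
        BinarySizeBytes = [BitConverter]::ToUInt32($buf, 36)
        BinaryPhysAddr  = ('0x{0:X}' -f [BitConverter]::ToUInt64($buf, 40))
        ContentLayout   = $buf[48]     # 1 = single PE image
        ContentType     = $buf[49]     # 1 = native user-mode application (run by smss.exe)
        Arguments       = [Text.Encoding]::Unicode.GetString($buf, 52, $argLen)
    }
}

function Get-DroppedUpdaterStatus {
    # File name taken from the article; the process name is assumed to match it.
    $path = Join-Path $env:SystemRoot 'System32\GigabyteUpdateService.exe'
    if (-not (Test-Path $path)) { return [pscustomobject]@{ Path = $path; Present = $false } }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $running = $null -ne (Get-Process -Name 'GigabyteUpdateService' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path      = $path
        Present   = $true
        Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Signer    = $signer
        SigStatus = $sig.Status        # a valid signature on the file does not make the download path safe
        Running   = $running
    }
}

function Find-RiskyUpdaterRequests([string[]]$LogLines, [string]$VendorHost) {
    # Flags (a) plain-HTTP requests to the vendor download host, which are open to
    # man-in-the-middle tampering, and (b) any request to the unqualified name
    # 'software-nas', which any machine on the LAN can claim.
    foreach ($line in $LogLines) {
        if ($line -match '\s(?<client>\S+)\s+(?<method>GET|POST)\s+(?<url>\S+)') {
            $uri = [Uri]$Matches.url
            $reason = $null
            if ($uri.Scheme -eq 'http' -and $uri.Host -eq $VendorHost) { $reason = 'cleartext update download' }
            elseif ($uri.Host -eq 'software-nas')                      { $reason = 'unqualified LAN update host' }
            if ($reason) { [pscustomobject]@{ Client = $Matches.client; Url = $Matches.url; Reason = $reason } }
        }
    }
}

# Constructed sample proxy lines; the vendor host is a placeholder, not Gigabyte's real server.
$vendorHost = 'PLACEHOLDER-gigabyte-download-host'
$sampleLog = @(
    "2023-06-01T08:00:01Z 10.0.0.12 GET https://$vendorHost/update/manifest.xml",
    "2023-06-01T08:00:02Z 10.0.0.12 GET http://$vendorHost/update/manifest.xml",
    "2023-06-01T08:00:03Z 10.0.0.12 GET http://software-nas/update/manifest.xml",
    "2023-06-01T08:00:04Z 10.0.0.40 GET https://www.example.com/"
)

$wpbt = Get-WpbtTable
if ($wpbt) { 'WPBT table present:'; $wpbt | Format-List } else { 'No WPBT table exposed by firmware.' }
Get-DroppedUpdaterStatus | Format-List
Find-RiskyUpdaterRequests -LogLines $sampleLog -VendorHost $vendorHost | Format-Table -AutoSize
```

On a Gigabyte board with APP Center Download & Install enabled, the first section shows a WPBT table with a non-zero binary size and content type 1, which is the firmware-supplied executable that smss.exe runs; on a board without the feature, or after it is disabled in UEFI, the table is absent. The log scan on the constructed sample flags the second and third lines only; in production the same function can be pointed at real proxy or firewall exports to find the hosts the article says to look for, with the placeholder replaced by the vendor hostnames from the Eclypsium report.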