• Does your PC’s motherboard have hidden vulnerability th

    From Johnny@21:1/5 to All on Sun Jun 11 14:18:37 2023
    Published June 11, 2023

    A cybersecurity company called Eclypsium has made a startling
    discovery. They found a hidden backdoor in the firmware of motherboards
    (the main circuit board in a computer) made by a Taiwanese company
    called Gigabyte, and this backdoor makes the motherboards easily
    accessible for hackers to break into.

    Gigabyte apparently integrated a Windows executable file into the
    firmware of its motherboards. This file is executed when the computer
    starts up, meaning that each time you restart your computer, the
    firmware's code activates Gigabyte's app center. This app center then
    proceeds to download and run a file from the internet.

    Continued:

    https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Johnny on Sun Jun 11 21:23:45 2023
    On 2023-06-11 21:18, Johnny wrote:

    > Published June 11, 2023
    >
    > A cybersecurity company called Eclypsium has made a startling
    > discovery. They found a hidden backdoor in the firmware of motherboards
    > (the main circuit board in a computer) made by a Taiwanese company
    > called Gigabyte, and this backdoor makes the motherboards easily
    > accessible for hackers to break into.
    >
    > Gigabyte apparently integrated a Windows executable file into the
    > firmware of its motherboards. This file is executed when the computer
    > starts up, meaning that each time you restart your computer, the
    > firmware's code activates Gigabyte's app center. This app center then
    > proceeds to download and run a file from the internet.

    I'd appreciate some technical language, instead of layman first grader
    speak.

    What you posted is impossible to decipher.

    > Continued:
    >
    > https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk


    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Johnny on Sun Jun 11 22:55:06 2023
    On 2023-06-11 21:59, Johnny wrote:
    > On Sun, 11 Jun 2023 21:23:45 +0200
    > "Carlos E.R." <robin_listas@es.invalid> wrote:
    >
    >> On 2023-06-11 21:18, Johnny wrote:
    >>
    >>> Published June 11, 2023
    >>>
    >>> A cybersecurity company called Eclypsium has made a startling
    >>> discovery. They found a hidden backdoor in the firmware of
    >>> motherboards (the main circuit board in a computer) made by a
    >>> Taiwanese company called Gigabyte, and this backdoor makes the
    >>> motherboards easily accessible for hackers to break into.
    >>>
    >>> Gigabyte apparently integrated a Windows executable file into the
    >>> firmware of its motherboards. This file is executed when the
    >>> computer starts up, meaning that each time you restart your
    >>> computer, the firmware's code activates Gigabyte's app center. This
    >>> app center then proceeds to download and run a file from the
    >>> internet.
    >>
    >> I'd appreciate some technical language, instead of layman first
    >> grader speak.
    >>
    >> What you posted is impossible to decipher.
    >>
    >>> Continued:
    >>>
    >>> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
    >
    > Have it translated to Spanish. Maybe that will help.

    Why would I? That's a dumb idea.

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Paul on Sun Jun 11 23:07:55 2023
    On 2023-06-11 22:03, Paul wrote:
    > On 6/11/2023 3:23 PM, Carlos E.R. wrote:
    >> On 2023-06-11 21:18, Johnny wrote:
    >>
    >>> Published June 11, 2023
    >>>
    >>> A cybersecurity company called Eclypsium has made a startling
    >>> discovery. They found a hidden backdoor in the firmware of motherboards
    >>> (the main circuit board in a computer) made by a Taiwanese company
    >>> called Gigabyte, and this backdoor makes the motherboards easily
    >>> accessible for hackers to break into.
    >>>
    >>> Gigabyte apparently integrated a Windows executable file into the
    >>> firmware of its motherboards. This file is executed when the computer
    >>> starts up, meaning that each time you restart your computer, the
    >>> firmware's code activates Gigabyte's app center. This app center then
    >>> proceeds to download and run a file from the internet.
    >>
    >> I'd appreciate some technical language, instead of layman first grader
    >> speak.
    >>
    >> What you posted is impossible to decipher.
    >>
    >>> Continued:
    >>>
    >>> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
    >
    > https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
    >
    >    "Our follow-up analysis discovered that firmware in Gigabyte systems is
    >     dropping and executing a Windows native executable during the system
    >     startup process, and this executable then downloads and executes
    >     additional payloads insecurely. It uses the same techniques as other
    >     OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent)
    >     abused by threat actors and even firmware implants such as Sednit LoJax,
    >     MosaicRegressor, Vector-EDK. Subsequent analysis showed that this same code
    >     is present in hundreds of models of Gigabyte PCs. We are working with
    >     Gigabyte to address this insecure implementation of their app center capability."
    >
    > Here is an example of a Computrace dropper (attack from BIOS). Computrace
    > would be popular in laptop design. Computrace got right to the point,
    > mounted the file system and overwrote autochk.exe :-)
    >
    > https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP.pdf
    >
    > By flash-updating the BIOS, as long as the structures and code are
    > removed, there will be no "new occurrences". But you would not know
    > whether a persistent threat had been put onboard or not. It would depend
    > on what the dropper did to gain a foothold.

    That's better, thanks.

    Having a Windows executable in the firmware is interesting. Would Linux
    computers be at risk? Maybe they haven't even considered the issue at
    Eclypsium:

       2. Eclypsium has released a PowerShell script to Github
       that can assist in determining whether a system is impacted.

    So, a Linux machine cannot be analyzed.

       Stage 2: Downloading and running further executables

       Plain HTTP (the first bullet above) should never be used for
       updating privileged code as it is easily compromised via
       Machine-in-the-middle (MITM) attacks. However, we noticed
       that even when using the HTTPS-enabled options, remote server
       certificate validation is not implemented correctly.
       Therefore, MITM is possible in that case also.

    They are really daft, these people! How can they be this incompetent in
    the XXI century?



    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to VanguardLH on Sun Jun 11 23:17:15 2023
    On 2023-06-11 23:02, VanguardLH wrote:
    > Johnny <johnny@invalid.net> wrote:
    >
    >> Published June 11, 2023
    >>
    >> A cybersecurity company called Eclypsium has made a startling
    >> discovery. They found a hidden backdoor in the firmware of motherboards
    >> (the main circuit board in a computer) made by a Taiwanese company
    >> called Gigabyte, and this backdoor makes the motherboards easily
    >> accessible for hackers to break into.
    >>
    >> Gigabyte apparently integrated a Windows executable file into the
    >> firmware of its motherboards. This file is executed when the computer
    >> starts up, meaning that each time you restart your computer, the
    >> firmware's code activates Gigabyte's app center. This app center then
    >> proceeds to download and run a file from the internet.
    >>
    >> Continued:
    >>
    >> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
    >
    > A Windows executable file. That means the OS has to be available to
    > support running a Win32 executable. Well, if Windows gets loaded by the
    > BIOS then what's the point of later re-loading it after the POST screen?

    AFAIK it is loaded by UEFI before Windows loads. You can't stop it.

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to VanguardLH on Sun Jun 11 23:28:36 2023
    On 2023-06-11 23:15, VanguardLH wrote:
    > "Carlos E.R." <robin_listas@es.invalid> wrote:
    >
    >> Having a Windows executable in the firmware is interesting. Would Linux
    >> computers be at risk?
    >
    > See my other reply (to Johnny). It's a Windows 8+ "feature": Windows
    > Platform Binary Table (WPBT) - a built-in UEFI-based rootkit. Deposit
    > an .exe into the WPBT ACPI table, and Windows (after booting) will run
    > the .exe if found -- ANY .exe that's there. It's a Windows 8+ thing
    > (well, along with UEFI). You would have to check if Linux after booting
    > will load executables stored in the UEFI.

    It might.

    A machine sold with Linux installed by the manufacturer might include
    this feature. I have not heard of such a thing, but I think it is possible.

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
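    The WPBT mechanism VanguardLH describes, as an added Python example that is not part of this thread or of Eclypsium's tooling: it parses the ACPI header and WPBT body of a raw table, verifies the ACPI checksum, and reports what the firmware asked the OS to run, so a Linux host can be inspected as well (the thread's earlier "a Linux machine cannot be analyzed" concern). The sysfs path, the made-up OEM strings and the "/silent" arguments are assumptions; the field layout follows Microsoft's published WPBT table format.

```python
import struct

# 36-byte ACPI table header: signature, length, revision, checksum, OEM ID,
# OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body per Microsoft's WPBT spec: handoff memory size, physical address of
# the PE image, content layout (1 = single PE image), content type (1 = native
# user-mode application), byte length of the UCS-2 command-line arguments.
WPBT_BODY = struct.Struct("<IQBBH")

def acpi_checksum_ok(table: bytes) -> bool:
    # Every byte of an ACPI table, checksum byte included, must sum to 0 mod 256.
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table into its fields; raises ValueError if malformed."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, _rev, _csum, oem_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT" or length != len(table):
        raise ValueError(f"bad signature {sig!r} or length {length}")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args = ""
    if ctype == 1:  # only native applications carry a command line
        off = ACPI_HEADER.size + WPBT_BODY.size
        args = table[off:off + args_len].decode("utf-16-le", "replace").rstrip("\x00")
    return {"checksum_ok": acpi_checksum_ok(table), "oem_id": oem_id.decode("ascii", "replace").strip(),
            "image_addr": addr, "image_size": size, "content_layout": layout,
            "content_type": ctype, "args": args}

def read_platform_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT"):
    """On Linux, return the raw table if the firmware publishes one, else None.
    The sysfs path is an assumption about where the kernel exposes ACPI tables."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None

def build_sample_wpbt(args: str, image_size: int = 0x2000, image_addr: int = 0x7F000000) -> bytes:
    """Constructed sample table (made-up OEM strings and arguments) to exercise the parser."""
    args_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(image_size, image_addr, 1, 1, len(args_bytes)) + args_bytes
    hdr = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                           b"EXMPLE", b"EXAMPLE ", 1, b"EXMP", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) % 256  # fill in the checksum byte (header offset 9)
    return bytes(table)
```

    Presence of a WPBT shows what the firmware offers the OS at boot; whether the running OS honours it is a separate question that the table itself cannot answer.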
  • From Andy Burns@21:1/5 to Carlos E.R. on Mon Jun 12 11:45:11 2023
    Carlos E.R. wrote:

    >      2. Eclypsium has released a PowerShell script to Github
    >      that can assist in determining whether a system is impacted.
    >
    > So, a Linux machine cannot be analyzed.

    PowerShell does run on Linux, but I doubt Eclypsium have written/tested
    their script in that manner.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Carlos E.R. on Mon Jun 12 11:43:01 2023
    Carlos E.R. wrote:

    > I'd appreciate some technical language, instead of layman first grader
    > speak.
    > What you posted is impossible to decipher.

    <https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/>

    The BIOS extracts a .exe from itself at boot time, copies it to the hard
    drive; when run, the exe downloads further updates from the Gigabyte
    website, but in an insecure way that could be compromised ...

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sam E@21:1/5 to VanguardLH on Mon Jun 12 12:59:31 2023
    On 6/11/23 16:15, VanguardLH wrote:
    > "Carlos E.R." <robin_listas@es.invalid> wrote:
    >
    >> Having a Windows executable in the firmware is interesting. Would Linux
    >> computers be at risk?
    >
    > See my other reply (to Johnny). It's a Windows 8+ "feature": Windows
    > Platform Binary Table (WPBT) - a built-in UEFI-based rootkit. Deposit
    > an .exe into the WPBT ACPI table, and Windows (after booting) will run
    > the .exe if found -- ANY .exe that's there. It's a Windows 8+ thing
    > (well, along with UEFI). You would have to check if Linux after booting
    > will load executables stored in the UEFI.

    IIRC, Linux doesn't do anything with .EXE files unless WINE is
    installed, and WINE has limitations. Maybe it won't run the malware.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeff Barnett@21:1/5 to Johnny on Mon Jun 12 15:05:02 2023
    On 6/11/2023 1:18 PM, Johnny wrote:

    > Published June 11, 2023
    >
    > A cybersecurity company called Eclypsium has made a startling
    > discovery. They found a hidden backdoor in the firmware of motherboards
    > (the main circuit board in a computer) made by a Taiwanese company
    > called Gigabyte, and this backdoor makes the motherboards easily
    > accessible for hackers to break into.
    >
    > Gigabyte apparently integrated a Windows executable file into the
    > firmware of its motherboards. This file is executed when the computer
    > starts up, meaning that each time you restart your computer, the
    > firmware's code activates Gigabyte's app center. This app center then
    > proceeds to download and run a file from the internet.
    >
    > Continued:
    >
    > https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk

    I once was helping look at the feasibility of moving a modeled and
    verified security kernel from older hardware to a more modern CPU such
    as a Pentium. For fun, I read the current (at that time) ACPI spec. It's
    the kind of reading that hurts the eyes and makes you want to run
    outside and forget computers. A few years later, I read through an
    updated spec. Ugh. Those specs were the basic definition of plug and
    play and power management for most existing computers today.

    There was a most interesting feature in those specs that is relevant to
    this thread: a conforming implementation must provide a script language
    (well defined within the specs) that could be used to write the code for
    some or most layers of drivers. The runtime for that language could and
    often was an interpreter though various amounts of compilation were
    envisioned - compile to something that looked like P-code or Java all
    the way up to native machine code. The kicker was how the code could be
    introduced to the system. There seemed to be two possibilities:

    1. The driver writer used it to package OS-specific drivers - the kind of
    things you get on a CD with your device or by download.

    2. The device "hands" the code to the OS during one of the enumeration
    passes.

    Option one was clearly in play. However, it seemed that so was Option
    two. Option two blows any sort of formal verification "reuse" out of the
    water. (Remember I was investigating moving a formally verified kernel
    and trying to maintain the certification.) I tried to get more
    information as to Option two but was not successful.

    Note that Option two is a way for a device to stuff code into an OS at a
    level where it can do anything it pleases! Could this be what was going
    on at Gigabyte? Were they just obeying the ACPI spec?

    If anyone has some more specific information about all of this, I'd love
    to hear it.
    --
    Jeff Barnett

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Jeff Barnett on Tue Jun 13 11:51:56 2023
    On 2023-06-12 23:05, Jeff Barnett wrote:
    > On 6/11/2023 1:18 PM, Johnny wrote:
    >
    > ...
    >
    > Note that Option two is a way for a device to stuff code into an OS at a
    > level where it can do anything it pleases! Could this be what was going
    > on at Gigabyte? Were they just obeying the ACPI spec?

    UEFI spec.

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)