Published June 11, 2023
A cybersecurity company called Eclypsium has made a startling
discovery. They found a hidden backdoor in the firmware of motherboards
(the main circuit board in a computer) made by a Taiwanese company
called Gigabyte, and this backdoor makes the motherboards easily
accessible for hackers to break into.
Gigabyte apparently integrated a Windows executable file into the
firmware of its motherboards. This file is executed when the computer
starts up, meaning that each time you restart your computer, the
firmware's code activates Gigabyte's app center. This app center then proceeds to download and run a file from the internet.
Continued:
https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
On Sun, 11 Jun 2023 21:23:45 +0200
"Carlos E.R." <robin_listas@es.invalid> wrote:
On 2023-06-11 21:18, Johnny wrote:
Published June 11, 2023
A cybersecurity company called Eclypsium has made a startling
discovery. They found a hidden backdoor in the firmware of
motherboards (the main circuit board in a computer) made by a
Taiwanese company called Gigabyte, and this backdoor makes the
motherboards easily accessible for hackers to break into.
Gigabyte apparently integrated a Windows executable file into the
firmware of its motherboards. This file is executed when the
computer starts up, meaning that each time you restart your
computer, the firmware's code activates Gigabyte's app center. This
app center then proceeds to download and run a file from the
internet.
I'd appreciate some technical language, instead of layman first
grader speak.
What you posted is impossible to decipher.
Continued:
https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
Have it translated to Spanish. Maybe that will help.
On 6/11/2023 3:23 PM, Carlos E.R. wrote:
On 2023-06-11 21:18, Johnny wrote:
Published June 11, 2023
A cybersecurity company called Eclypsium has made a startling
discovery. They found a hidden backdoor in the firmware of motherboards
(the main circuit board in a computer) made by a Taiwanese company
called Gigabyte, and this backdoor makes the motherboards easily
accessible for hackers to break into.
Gigabyte apparently integrated a Windows executable file into the
firmware of its motherboards. This file is executed when the computer
starts up, meaning that each time you restart your computer, the
firmware's code activates Gigabyte's app center. This app center then
proceeds to download and run a file from the internet.
I'd appreciate some technical language, instead of layman first grader
speak.
What you posted is impossible to decipher.
Continued:
https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
"Our follow-up analysis discovered that firmware in Gigabyte systems is
dropping and executing a Windows native executable during the system
startup process, and this executable then downloads and executes
additional payloads insecurely. It uses the same techniques as other
OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent)
abused by threat actors and even firmware implants such as Sednit LoJax,
MosaicRegressor, Vector-EDK. Subsequent analysis showed that this same code
is present in hundreds of models of Gigabyte PCs. We are working with
Gigabyte to address this insecure implementation of their app center capability."
Here is an example of a Computrace dropper (attack from BIOS). Computrace
would be popular in laptop design. Computrace got right to the point,
mounted the file system and overwrote autochk.exe :-)
https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP.pdf
By flash-updating the BIOS, as long as the structures and code are
removed, there will be no "new occurrences". But you would not know
whether a persistent threat had been put onboard or not. It would depend
on what the dropper did to gain a foothold.
Johnny <johnny@invalid.net> wrote:
Published June 11, 2023
A cybersecurity company called Eclypsium has made a startling
discovery. They found a hidden backdoor in the firmware of motherboards
(the main circuit board in a computer) made by a Taiwanese company
called Gigabyte, and this backdoor makes the motherboards easily
accessible for hackers to break into.
Gigabyte apparently integrated a Windows executable file into the
firmware of its motherboards. This file is executed when the computer
starts up, meaning that each time you restart your computer, the
firmware's code activates Gigabyte's app center. This app center then
proceeds to download and run a file from the internet.
Continued:
https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
A Windows executable file. That means the OS has to be available to
support running a Win32 executable. Well, if Windows gets loaded by the
BIOS then what's the point of later re-loading it after the POST screen?
"Carlos E.R." <robin_listas@es.invalid> wrote:
Having a windows executable in the firmware is interesting. Would Linux
computers be at risk?
See my other reply (to Johnny). It's a Windows 8+ "feature": Windows Platform Binary Table (WPBT) - a built-in UEFI-based rootkit. Deposit
an .exe into the WPBT ACPI table, and Windows (after booting) will run
the .exe if found -- ANY .exe that's there. It's a Windows 8+ thing
(well, along with UEFI). You would have to check if Linux after booting
will load executables stored in the UEFI.
2. Eclypsium has released a PowerShell script to Github
that can assist in determining whether a system is impacted.
So, a Linux machine cannot be analyzed.
I'd appreciate some technical language, instead of layman first grader
speak.
What you posted is impossible to decipher.
"Carlos E.R." <robin_listas@es.invalid> wrote:
Having a windows executable in the firmware is interesting. Would Linux
computers be at risk?
See my other reply (to Johnny). It's a Windows 8+ "feature": Windows Platform Binary Table (WPBT) - a built-in UEFI-based rootkit. Deposit
an .exe into the WPBT ACPI table, and Windows (after booting) will run
the .exe if found -- ANY .exe that's there. It's a Windows 8+ thing
(well, along with UEFI). You would have to check if Linux after booting
will load executables stored in the UEFI.
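The WPBT mechanism described above (firmware deposits an ACPI table that points Windows at a binary to run after boot) can be inspected without Windows at all, because Linux exposes every ACPI table by signature under /sys/firmware/acpi/tables/. The following is an added example, not code from this thread and not Eclypsium's PowerShell script: it checks whether a Linux host exposes a WPBT table, validates the ACPI checksum and decodes the handoff fields so an analyst can see where the firmware says the binary lives. The field layout (36-byte ACPI header, then UINT32 handoff size, UINT64 handoff physical address, UINT8 layout, UINT8 type, UINT16 command-line length followed by UTF-16LE text) follows Microsoft's WPBT specification as recalled by the author of this example and should be treated as an assumption, as should the interpretation of the command-line length as a byte count. The sample table is constructed inline for demonstration and is not a real firmware table.

```python
"""Detect and decode a Windows Platform Binary Table (WPBT) ACPI table.

Added example (not from the thread, not Eclypsium's tool). Layout of the
table body is an assumption based on Microsoft's WPBT specification.
"""
import os
import struct
from typing import Optional

WPBT_SYSFS_PATH = "/sys/firmware/acpi/tables/WPBT"  # Linux exposes tables here
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")       # standard 36-byte ACPI header
WPBT_BODY = struct.Struct("<IQBBH")                  # 16-byte WPBT-specific body

LAYOUTS = {1: "single PE image in handoff memory"}   # values per spec (assumed)
TYPES = {1: "native user-mode application"}


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over its full length."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT blob into a dict; raise ValueError if it is malformed."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    (sig, length, rev, _csum, oem_id, oem_table_id,
     _oem_rev, _creator_id, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match blob size")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch (corrupt or tampered table)")
    (handoff_size, handoff_addr, layout, ctype,
     cmd_len) = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmd_off = ACPI_HEADER.size + WPBT_BODY.size
    cmd_bytes = table[cmd_off:cmd_off + cmd_len]  # cmd_len assumed to be a byte count
    if len(cmd_bytes) != cmd_len:
        raise ValueError("command line runs past end of table")
    return {
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "handoff_size": handoff_size,          # bytes of firmware-reserved memory
        "handoff_addr": handoff_addr,          # physical address of the PE image
        "layout": LAYOUTS.get(layout, f"unknown ({layout})"),
        "type": TYPES.get(ctype, f"unknown ({ctype})"),
        "command_line": cmd_bytes.decode("utf-16-le", "replace").rstrip("\0"),
    }


def build_table(handoff_addr: int, handoff_size: int, command_line: str) -> bytes:
    """Construct a well-formed WPBT blob for testing (constructed data only)."""
    cmd = command_line.encode("utf-16-le")
    body = WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1, len(cmd)) + cmd
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"CONSTRCT",
                              1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256  # checksum byte lives at offset 9
    return bytes(table)


def check_linux_host() -> Optional[dict]:
    """Return the decoded WPBT of this host, or None if firmware exposes none."""
    if not os.path.exists(WPBT_SYSFS_PATH):
        return None
    with open(WPBT_SYSFS_PATH, "rb") as fh:  # needs root: sysfs tables are 0400
        return parse_wpbt(fh.read())


# Constructed sample: a fictitious handoff region and command line.
SAMPLE_TABLE = build_table(0x7FF00000, 0x3000, "/quiet")

if __name__ == "__main__":
    try:
        info = check_linux_host()
    except PermissionError:
        info = None
        print("WPBT present but unreadable; rerun as root to decode it")
    if info is None:
        print("No readable WPBT on this host; decoding constructed sample:")
        info = parse_wpbt(SAMPLE_TABLE)
    for key, value in info.items():
        print(f"{key:>14}: {value:#x}" if key == "handoff_addr" else f"{key:>14}: {value}")
```

A host where the sysfs path is absent has no WPBT to hand to Windows at all, which answers the "would Linux be at risk" question for that machine in one check; where the path exists, the decoded handoff address tells the analyst which physical memory region to dump and examine. The checksum check matters because a table that fails it will not be honoured by a conforming OS, so a failing checksum and a passing one are different findings.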
Published June 11, 2023
I once was helping look at the feasibility of moving a modeled and
A cybersecurity company called Eclypsium has made a startling
discovery. They found a hidden backdoor in the firmware of motherboards
(the main circuit board in a computer) made by a Taiwanese company
called Gigabyte, and this backdoor makes the motherboards easily
accessible for hackers to break into.
Gigabyte apparently integrated a Windows executable file into the
firmware of its motherboards. This file is executed when the computer
starts up, meaning that each time you restart your computer, the
firmware's code activates Gigabyte's app center. This app center then proceeds to download and run a file from the internet.
Continued:
https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
On 6/11/2023 1:18 PM, Johnny wrote:
Note that Option two is a way for a device to stuff code into an OS at a
level where it can do anything it pleases! Could this be what was going
on at Gigabyte? Were they just obeying the ACPI spec?