Researchers from Eclypsium have discovered anomalous behavior on systems with motherboards from the Taiwanese company Gigabyte Technology. The UEFI firmware used in these motherboards silently dropped and executed a Windows executable during system boot, without informing the user. The executed file would then download and launch further executables from the network. Further investigation showed that the same behavior is present in hundreds of Gigabyte motherboard models and is tied to the operation of the company's bundled App Center application.
The executed file was embedded in the UEFI firmware and written to disk during initialization at boot time. During the driver execution stage (DXE, Driver Execution Environment), the firmware module WpbtDxe.efi loaded this file into memory and registered it in the WPBT (Windows Platform Binary Table) ACPI table. The contents of this table are later loaded and executed by the Windows Session Manager Subsystem (smss.exe). Before loading, the module checked whether the "APP Center Download & Install" option in the BIOS/UEFI setup was enabled (disabled by default). Once running inside Windows, the code dropped the executable "%SystemRoot%\system32\GigabyteUpdateService.exe" onto the system and registered it as a system service.
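The WPBT mechanism described above leaves a forensic trace that a defender can read directly: the table itself. The following parser, an added example that is neither Eclypsium's nor Gigabyte's code, decodes a raw WPBT dump (for instance `/sys/firmware/acpi/tables/WPBT` on Linux) and reports the size and physical address of the staged image, its content type and any command-line arguments. The field layout follows Microsoft's public WPBT specification (standard 36-byte ACPI header, then handoff size/location, content layout, content type and a UTF-16LE argument string). The sample table `SAMPLE_WPBT` is constructed here purely to exercise the parser; its OEM strings, size, address and argument are invented and do not describe any real firmware.

```python
"""Decode a Windows Platform Binary Table (WPBT) dump and report what the
firmware stages for smss.exe to execute.  Added example; the layout follows
Microsoft's WPBT specification, the sample table below is CONSTRUCTED."""
import struct
from typing import Optional

# Standard ACPI table header: signature, length, revision, checksum, OEM ID,
# OEM table ID, OEM revision, creator ID, creator revision (36 bytes).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body: handoff memory size (UINT32), physical address (UINT64),
# content layout (UINT8, 1 = single PE image), content type (UINT8,
# 1 = native user-mode application).
WPBT_BODY = struct.Struct("<IQBB")
# Layout 1 appends a UINT16 argument length (in bytes) and UTF-16LE arguments.
ARG_LEN = struct.Struct("<H")

CONTENT_LAYOUT = {1: "single PE image"}
CONTENT_TYPE = {1: "native user-mode application"}


def acpi_checksum_ok(table: bytes) -> bool:
    """Every byte of an ACPI table, checksum field included, sums to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT blob; raises ValueError if it is not a well-formed table."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("blob too short for a WPBT table")
    sig, length, rev, _csum, oem_id, oem_table_id, _oem_rev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != blob length {len(table)}")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch (truncated or tampered dump)")
    size, paddr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    off = ACPI_HEADER.size + WPBT_BODY.size
    args = ""
    if layout == 1 and len(table) >= off + ARG_LEN.size:
        (arg_len,) = ARG_LEN.unpack_from(table, off)
        raw = table[off + ARG_LEN.size: off + ARG_LEN.size + arg_len]
        args = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "image_size": size,
        "image_paddr": paddr,
        "layout": CONTENT_LAYOUT.get(layout, f"unknown ({layout})"),
        "content_type": CONTENT_TYPE.get(ctype, f"unknown ({ctype})"),
        "arguments": args,
    }


def build_wpbt(oem_id: bytes, oem_table_id: bytes, image_size: int,
               image_paddr: int, arguments: str = "") -> bytes:
    """Assemble a WPBT blob with a valid length and checksum.  Used here only to
    produce CONSTRUCTED test input; on a real machine the table comes from firmware."""
    args = arguments.encode("utf-16-le")
    body = WPBT_BODY.pack(image_size, image_paddr, 1, 1) + ARG_LEN.pack(len(args)) + args
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6),
                           oem_table_id.ljust(8), 1, b"EXMP", 1)
    csum = (-sum(hdr + body)) % 256          # checksum byte sits at header offset 9
    return hdr[:9] + bytes([csum]) + hdr[10:] + body


# CONSTRUCTED sample: invented OEM strings, size, address and argument string.
SAMPLE_WPBT = build_wpbt(b"CONSTR", b"EXAMPLE", 0x1F000, 0x7F000000, "-constructed")


def wpbt_report(table: bytes) -> str:
    """One-line human-readable summary of what the table would have Windows run."""
    i = parse_wpbt(table)
    return (f"WPBT rev {i['revision']} from OEM {i['oem_id']!r}/{i['oem_table_id']!r}: "
            f"{i['layout']} of {i['image_size']} bytes at 0x{i['image_paddr']:x}, "
            f"run as {i['content_type']}, args={i['arguments']!r}")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WPBT
    print(wpbt_report(blob))
```

Run it against a real dump to learn whether the platform stages a binary at all; the absence of a WPBT table (or a table whose image is not the expected OEM agent) is the quickest indicator of whether this boot-time injection path is active on a given machine. The checksum and length checks matter because a partially captured dump would otherwise be misreported as a shorter, argument-free table.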
After launching, the GigabyteUpdateService.exe service would download updates from Gigabyte servers. However, this was done without properly verifying the downloaded data with digital signatures and without encrypting the communication channel. Downloads used the following addresses: "http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4", "https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4" and "https://software-nas/Swhttp/LiveUpdate4". Downloads were permitted over unencrypted HTTP, and even when HTTPS was used, the certificate was not verified. This allowed files to be substituted through MITM attacks and unauthorized code to be executed on the user's system.
The situation is further complicated by the fact that fixing the issue requires a firmware update, as the logic that executes the third-party code is built into the firmware. As a temporary protective measure against MITM attacks on Gigabyte motherboard users, it is recommended to block the URLs listed above on the network firewall. Gigabyte has been notified that embedding such insecure, forcibly installed auto-update services in its firmware is unacceptable, since a compromise of the company's infrastructure or of a supply chain participant could lead to attacks on motherboard users and to the execution of malicious software beyond the operating system's control. For example, in August and October 2021 two breaches of Gigabyte's infrastructure were detected, resulting in the leakage of confidential documentation and data.