Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72289&group=alt.comp.os.windows-10#72289

From: johnny@invalid.net (Johnny)
Newsgroups: alt.comp.os.windows-10
Subject: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 14:18:37 -0500
Organization: A noiseless patient Spider
Message-ID: <20230611141837.5ca0d14e@mx>
X-Newsreader: Claws Mail 4.0.0 (GTK+ 3.24.24; x86_64-pc-linux-gnu)

Published June 11, 2023

A cybersecurity company called Eclypsium has made a startling
discovery. They found a hidden backdoor in the firmware of motherboards
(the main circuit board in a computer) made by a Taiwanese company
called Gigabyte, and this backdoor makes the motherboards easily
accessible for hackers to break into.

Gigabyte apparently integrated a Windows executable file into the
firmware of its motherboards. This file is executed when the computer
starts up, meaning that each time you restart your computer, the
firmware's code activates Gigabyte's app center. This app center then
proceeds to download and run a file from the internet.

Continued:

https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72290&group=alt.comp.os.windows-10#72290

From: robin_listas@es.invalid (Carlos E.R.)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 21:23:45 +0200
Message-ID: <1jjhljxpek.ln2@Telcontar.valinor>
References: <20230611141837.5ca0d14e@mx>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1
In-Reply-To: <20230611141837.5ca0d14e@mx>

On 2023-06-11 21:18, Johnny wrote:
>
> Published June 11, 2023
>
> A cybersecurity company called Eclypsium has made a startling
> discovery. They found a hidden backdoor in the firmware of motherboards
> (the main circuit board in a computer) made by a Taiwanese company
> called Gigabyte, and this backdoor makes the motherboards easily
> accessible for hackers to break into.
>
> Gigabyte apparently integrated a Windows executable file into the
> firmware of its motherboards. This file is executed when the computer
> starts up, meaning that each time you restart your computer, the
> firmware's code activates Gigabyte's app center. This app center then
> proceeds to download and run a file from the internet.

I'd appreciate some technical language, instead of layman first grader
speak.

What you posted is impossible to decipher.

>
> Continued:
>
> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
>

--
Cheers, Carlos.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72291&group=alt.comp.os.windows-10#72291

From: johnny@invalid.net (Johnny)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 14:59:54 -0500
Organization: A noiseless patient Spider
Message-ID: <20230611145954.38674dc2@mx>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor>
X-Newsreader: Claws Mail 4.0.0 (GTK+ 3.24.24; x86_64-pc-linux-gnu)

On Sun, 11 Jun 2023 21:23:45 +0200
"Carlos E.R." <robin_listas@es.invalid> wrote:

> On 2023-06-11 21:18, Johnny wrote:
> >
> > Published June 11, 2023
> >
> > A cybersecurity company called Eclypsium has made a startling
> > discovery. They found a hidden backdoor in the firmware of
> > motherboards (the main circuit board in a computer) made by a
> > Taiwanese company called Gigabyte, and this backdoor makes the
> > motherboards easily accessible for hackers to break into.
> >
> > Gigabyte apparently integrated a Windows executable file into the
> > firmware of its motherboards. This file is executed when the
> > computer starts up, meaning that each time you restart your
> > computer, the firmware's code activates Gigabyte's app center. This
> > app center then proceeds to download and run a file from the
> > internet.
>
> I'd appreciate some technical language, instead of layman first
> grader speak.
>
> What you posted is impossible to decipher.
>
> >
> > Continued:
> >
> > https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
> >
>

Have it translated to Spanish. Maybe that will help.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72292&group=alt.comp.os.windows-10#72292

From: nospam@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 16:03:18 -0400
Organization: A noiseless patient Spider
Message-ID: <u659a7$2q0m0$1@dont-email.me>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor>
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
In-Reply-To: <1jjhljxpek.ln2@Telcontar.valinor>

On 6/11/2023 3:23 PM, Carlos E.R. wrote:
> On 2023-06-11 21:18, Johnny wrote:
>>
>> Published June 11, 2023
>>
>> A cybersecurity company called Eclypsium has made a startling
>> discovery. They found a hidden backdoor in the firmware of motherboards
>> (the main circuit board in a computer) made by a Taiwanese company
>> called Gigabyte, and this backdoor makes the motherboards easily
>> accessible for hackers to break into.
>>
>> Gigabyte apparently integrated a Windows executable file into the
>> firmware of its motherboards. This file is executed when the computer
>> starts up, meaning that each time you restart your computer, the
>> firmware's code activates Gigabyte's app center. This app center then
>> proceeds to download and run a file from the internet.
>
> I'd appreciate some technical language, instead of layman first grader speak.
>
> What you posted is impossible to decipher.
>
>>
>> Continued:
>>
>> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk

https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/

"Our follow-up analysis discovered that firmware in Gigabyte systems is
dropping and executing a Windows native executable during the system
startup process, and this executable then downloads and executes
additional payloads insecurely. It uses the same techniques as other
OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent)
abused by threat actors and even firmware implants such as Sednit LoJax,
MosaicRegressor, Vector-EDK. Subsequent analysis showed that this same code
is present in hundreds of models of Gigabyte PCs. We are working with
Gigabyte to address this insecure implementation of their app center capability."

Here is an example of a Computrace dropper (attack from BIOS). Computrace
would be popular in laptop design. Computrace got right to the point, mounted
the file system and overwrote autochk.exe :-)

https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP.pdf

By flash-updating the BIOS, as long as the structures and code are
removed, there will be no "new occurrences". But you would not know
whether a persistent threat had been put onboard or not. It would depend
on what the dropper did to gain a foothold.

Paul

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72293&group=alt.comp.os.windows-10#72293

From: robin_listas@es.invalid (Carlos E.R.)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 22:55:06 +0200
Message-ID: <auohljxr3c.ln2@Telcontar.valinor>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor> <20230611145954.38674dc2@mx>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1
In-Reply-To: <20230611145954.38674dc2@mx>

On 2023-06-11 21:59, Johnny wrote:
> On Sun, 11 Jun 2023 21:23:45 +0200
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> On 2023-06-11 21:18, Johnny wrote:
>>>
>>> Published June 11, 2023
>>>
>>> A cybersecurity company called Eclypsium has made a startling
>>> discovery. They found a hidden backdoor in the firmware of
>>> motherboards (the main circuit board in a computer) made by a
>>> Taiwanese company called Gigabyte, and this backdoor makes the
>>> motherboards easily accessible for hackers to break into.
>>>
>>> Gigabyte apparently integrated a Windows executable file into the
>>> firmware of its motherboards. This file is executed when the
>>> computer starts up, meaning that each time you restart your
>>> computer, the firmware's code activates Gigabyte's app center. This
>>> app center then proceeds to download and run a file from the
>>> internet.
>>
>> I'd appreciate some technical language, instead of layman first
>> grader speak.
>>
>> What you posted is impossible to decipher.
>>
>>>
>>> Continued:
>>>
>>> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
>>>
>>
>
> Have it translated to Spanish. Maybe that will help.

Why would I? That's a dumb idea.

--
Cheers, Carlos.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72294&group=alt.comp.os.windows-10#72294

From: the_stan_brown@fastmail.fm (Stan Brown)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 13:58:39 -0700
Organization: Oak Road Systems
Message-ID: <MPG.3eefd55d134f9f08990138@news.individual.net>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor> <20230611145954.38674dc2@mx>
User-Agent: MicroPlanet-Gravity/3.0.11 (GRC)

On Sun, 11 Jun 2023 14:59:54 -0500, Johnny wrote:
>
> On Sun, 11 Jun 2023 21:23:45 +0200
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
> > I'd appreciate some technical language, instead of layman first
> > grader speak.
> >
> > What you posted is impossible to decipher.

> Have it translated to Spanish. Maybe that will help.

Racism? Really?

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72295&group=alt.comp.os.windows-10#72295

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 16:02:14 -0500
Organization: Usenet Elder
Message-ID: <z8u3k4elb9zy.dlg@v.nguard.lh>
References: <20230611141837.5ca0d14e@mx>
User-Agent: 40tude_Dialog/2.0.15.41

Johnny <johnny@invalid.net> wrote:

> Published June 11, 2023
>
> A cybersecurity company called Eclypsium has made a startling
> discovery. They found a hidden backdoor in the firmware of motherboards
> (the main circuit board in a computer) made by a Taiwanese company
> called Gigabyte, and this backdoor makes the motherboards easily
> accessible for hackers to break into.
>
> Gigabyte apparently integrated a Windows executable file into the
> firmware of its motherboards. This file is executed when the computer
> starts up, meaning that each time you restart your computer, the
> firmware's code activates Gigabyte's app center. This app center then
> proceeds to download and run a file from the internet.
>
> Continued:
>
> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk

A Windows executable file. That means the OS has to be available to
support running a Win32 executable. Well, if Windows gets loaded by the
BIOS then what's the point of later re-loading it after the POST screen?
More likely it's an ASM executable (machine code). Also, this program is
used to update the firmware (BIOS/UEFI) of the mobo. Why would you let
anyone change the brains of your computer? That is major surgery.
*YOU* decide when you have prepared for a firmware update before doing
it. Maybe it's safe in presenting a prompt/GUI asking for your
permission to perform the firmware update, but that would be a nuisance
on a perfectly functioning computer in nagging you to update when likely
the new firmware version will give you nothing. *YOU* are supposed to
investigate what a new firmware version gives you before applying it.
If your BIOS has a firmware-based option to auto-update the firmware,
*TURN IT OFF*.

Many mobos give you software (that runs under an OS, not machine code to
run raw) to check for firmware and ancillary software updates, but you
have to run them. They don't load automatically during the boot
process. They load by you after the OS has loaded. I have an Asrock
mobo whose BIOS has no setting to disable WPBT, but they provide
user-loaded software to run after Windows boots to do firmware updating.
The *user* decides if and when to run this program. I might've had this
tool installed when first setting up the new build, but I got rid of it.
Instead of a tool to check for updates, and download the installers, I
just go to Asrock's web site to check on updates, investigate what the
update does for me, and then download it and run it. I don't need a
tool to get the update installers. There is a BIOS option for "Internet
Flash", but I should've disabled it when reviewing all the BIOS settings
(can't check now because I have to boot to get into BIOS settings).

As far as securing the mobo firmware, well, if you can run software (or
Gigabyte during boot) then so can malware. The same program you run to
flash the firmware is the same code that malware could use. However,
the trick is to con the user into allowing the update, and Gigabyte
apparently took away that safety step.

Although the Fox article is dated today (June 11), it is old.

https://www.bleepingcomputer.com/news/security/gigabyte-releases-new-firmware-to-fix-recently-disclosed-security-flaws/

Dated June 5, and says a firmware update was released 5 days earlier.
Also notes:

"The WPBT allows vendors and OEMs to run an .exe program in the UEFI
layer. Every time Windows boots, it looks at the UEFI, and runs the
.exe. It's used to run programs that aren't included with the Windows
media," explains Microsoft.

So, it is NOT a firmware-based auto-updater. It is a file deposited
into UEFI which if found /after/ Windows boots then Windows will run.
The above article says how to disable the feature in Gigabyte's BIOS
settings, so *TURN IT OFF*, and /you/ decide when you have prepared to
check for firmware updates, check if they really apply to you, and apply
them knowing you risk the brain surgery committed on your mobo.

I'm hunting around for how to disable Windows Platform Binary Table
(WPBT) available in Windows 8+. So far, I found:

https://github.com/Jamesits/dropWPBT

You can use Nirsoft's FirmwareTablesView to see the firmware tables
(ACPI, SMBIOS), but I'm not yet sure what to look for, you're just
viewing, and where the .exe is stored in UEFI is not identified.

https://www.nirsoft.net/utils/firmware_tables_view.html

I don't see a WPBT labelled ACPI table in the list from Nirsoft's tool.
As I recall, Windows 7 was the first OS on this computer build, and WPBT
didn't show up until Windows 8, and later.

More info on Windows Platform Binary Table (WPBT) at:

https://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx

WPBT is Microsoft's rootkit method. Can be used for firmware updates,
anti-theft software, or whatever the UEFI-embedded .exe does.

"Everyone Gets A Rootkit"
https://eclypsium.com/research/everyone-gets-a-rootkit/

They mention using Windows Defender's App Control feature to mitigate
the WPBT vulnerability (if it exists for your mobo). See:

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview

So, instead of keeping the barn door closed and controlling horses can
exit through the barn door, you close the gate to a fence surrounding
the barn, and control which horses can go through the gate. But you
have the problem of not knowing which horses to exit through the fence
gate ("How Odysseus Tricked Polyphemus the Cyclops to Escape",
https://www.greekboston.com/culture/mythology/odysseus-tricked-polyphemus/).

Rather than go through all that shit, I'll just check my BIOS has no
auto-update settings to its firmware, and see if it's easier to disable
WPBT to eliminate the vulnerability from the Windows end.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72296&group=alt.comp.os.windows-10#72296

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 16:10:09 -0500
Organization: Usenet Elder
Message-ID: <1w8pg0eiesguc$.dlg@v.nguard.lh>
References: <20230611141837.5ca0d14e@mx> <z8u3k4elb9zy.dlg@v.nguard.lh>
User-Agent: 40tude_Dialog/2.0.15.41

https://michlstechblog.info/blog/windows-identify-a-wpbt-binary-in-biosuefi/

To identify if your Windows system is executing a WPBT binary, check if
the file C:\Windows\system32\wpbbin.exe exists.

The idea is to delete or rename the file, but I've seen other articles
(one of which I cited) that say the absence of this file is not
definitive proof WPBT won't happen after booting into Windows, and
Windows finding the .exe in the ACPI WPBT table. I don't have this
file, but I want better assurance WPBT is dead on my setup. Microsoft
might install a different executable in an update, or have some sneaky
way to effect WPBT without this particular file.
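
Added example for VanguardLH's two posts above (the "not sure what to look for" in Nirsoft's table viewer, and the wpbbin.exe check); it is my code, not Eclypsium's PowerShell script, FirmwareTablesView or dropWPBT. It decodes an ACPI WPBT using the field layout from the Microsoft WPBT document linked above, so a defender can tell from a firmware-table dump whether a platform binary is published, where it sits, and with what command line; the sample table bytes are constructed here, and the kernel32 GetSystemFirmwareTable read path on Windows is an assumption on my part.

```python
"""Inspect an ACPI WPBT (Windows Platform Binary Table) from a defender's side.

Layout per the Microsoft WPBT spec: 36-byte ACPI header, then handoff size,
handoff physical address, content layout, content type, command-line length
and a UCS-2 command line.  Sample table below is constructed, not real firmware.
"""
import os
import struct
import sys
from dataclasses import dataclass
from typing import Optional

# Standard ACPI header: signature, length, revision, checksum, OEM ID,
# OEM table ID, OEM revision, creator ID, creator revision (36 bytes).
ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body: handoff memory size (u32), handoff memory location (u64),
# content layout (u8, 1 = single PE image), content type (u8, 1 = native
# user-mode app), command-line length in bytes (u16); UCS-2 args follow.
WPBT_BODY = struct.Struct("<IQBBH")


@dataclass
class WpbtInfo:
    binary_phys_addr: int   # where firmware left the PE image in reserved memory
    binary_size: int
    content_layout: int
    content_type: int
    command_line: str
    checksum_ok: bool


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table, header included, must sum to zero modulo 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> WpbtInfo:
    """Decode a WPBT blob, refusing malformed lengths rather than over-reading."""
    if len(table) < ACPI_HDR.size:
        raise ValueError("buffer shorter than an ACPI header")
    sig, length, _rev, _chk, *_ = ACPI_HDR.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table) or length < ACPI_HDR.size + WPBT_BODY.size:
        raise ValueError("ACPI length field disagrees with buffer size")
    size, addr, layout, ctype, cl_len = WPBT_BODY.unpack_from(table, ACPI_HDR.size)
    off = ACPI_HDR.size + WPBT_BODY.size
    if off + cl_len > length:
        raise ValueError("command-line length runs past end of table")
    cmdline = table[off:off + cl_len].decode("utf-16-le").rstrip("\x00")
    return WpbtInfo(addr, size, layout, ctype, cmdline, acpi_checksum_ok(table))


def build_wpbt(addr: int, size: int, cmdline: str = "") -> bytes:
    """Construct a spec-shaped WPBT with a correct checksum (test data only)."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00" if cmdline else b""
    body = WPBT_BODY.pack(size, addr, 1, 1, len(args)) + args
    length = ACPI_HDR.size + len(body)
    hdr = ACPI_HDR.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"EXAMPLE1", 1, b"EXMP", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) & 0xFF   # checksum byte sits at offset 9 of the header
    return bytes(raw)


def read_live_wpbt() -> Optional[bytes]:
    """On Windows, ask the kernel for the firmware's WPBT; None if absent or not Windows.
    Assumption: kernel32.GetSystemFirmwareTable('ACPI', 'WPBT', buf, size) semantics."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = struct.unpack(">I", b"ACPI")[0]   # 'ACPI' provider signature
    table_id = struct.unpack("<I", b"WPBT")[0]   # table signature as LE DWORD
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw


def wpbbin_present() -> bool:
    """The wpbbin.exe check from the thread: Windows extracts the WPBT binary here."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.exists(os.path.join(root, "System32", "wpbbin.exe"))


def report(table: Optional[bytes]) -> str:
    """Human-readable verdict suitable for an inventory or a boot-time check."""
    if table is None:
        return "no WPBT published by firmware (Windows will not run a platform binary)"
    info = parse_wpbt(table)
    return "\n".join([
        "WPBT present: firmware publishes a binary Windows will execute at boot",
        f"  image: {info.binary_size:#x} bytes at physical {info.binary_phys_addr:#x}",
        f"  layout={info.content_layout} type={info.content_type} cmdline={info.command_line!r}",
        f"  checksum {'ok' if info.checksum_ok else 'BAD (corrupt or tampered table)'}",
    ])


if __name__ == "__main__":
    live = read_live_wpbt()
    # Off Windows, or on a box with no WPBT, fall back to the constructed sample.
    sample = build_wpbt(0x7A000000, 0x2D000, "/silent")
    print(report(live if live is not None else sample))
    if sys.platform == "win32":
        print("wpbbin.exe present:", wpbbin_present())
```

A BAD checksum or a length that disagrees with the buffer is itself worth alerting on, since the firmware (not the OS) wrote the table.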

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72297&group=alt.comp.os.windows-10#72297

From: robin_listas@es.invalid (Carlos E.R.)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 23:07:55 +0200
Message-ID: <bmphljx543.ln2@Telcontar.valinor>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor> <u659a7$2q0m0$1@dont-email.me>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1
In-Reply-To: <u659a7$2q0m0$1@dont-email.me>

On 2023-06-11 22:03, Paul wrote:
> On 6/11/2023 3:23 PM, Carlos E.R. wrote:
>> On 2023-06-11 21:18, Johnny wrote:
>>>
>>> Published June 11, 2023
>>>
>>> A cybersecurity company called Eclypsium has made a startling
>>> discovery. They found a hidden backdoor in the firmware of motherboards
>>> (the main circuit board in a computer) made by a Taiwanese company
>>> called Gigabyte, and this backdoor makes the motherboards easily
>>> accessible for hackers to break into.
>>>
>>> Gigabyte apparently integrated a Windows executable file into the
>>> firmware of its motherboards. This file is executed when the computer
>>> starts up, meaning that each time you restart your computer, the
>>> firmware's code activates Gigabyte's app center. This app center then
>>> proceeds to download and run a file from the internet.
>>
>> I'd appreciate some technical language, instead of layman first grader
>> speak.
>>
>> What you posted is impossible to decipher.
>>
>>>
>>> Continued:
>>>
>>> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
>
> https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
>
>    "Our follow-up analysis discovered that firmware in Gigabyte systems is
>     dropping and executing a Windows native executable during the system
>     startup process, and this executable then downloads and executes
>     additional payloads insecurely. It uses the same techniques as other
>     OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent)
>     abused by threat actors and even firmware implants such as Sednit LoJax,
>     MosaicRegressor, Vector-EDK. Subsequent analysis showed that this same code
>     is present in hundreds of models of Gigabyte PCs. We are working with
>     Gigabyte to address this insecure implementation of their app center capability."
>
> Here is an example of a Computrace dropper (attack from BIOS). Computrace
> would be popular in laptop design. Computrace got right to the point,
> mounted
> the file system and overwrote autochk.exe :-)
>
> https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP.pdf
>
> By flash-updating the BIOS, as long as the structures and code are
> removed, there will be no "new occurrences". But you would not know
> whether a persistent threat had been put onboard or not. It would depend
> on what the dropper did to gain a foothold.

That's better, thanks.

Having a windows executable in the firmware is interesting. Would Linux
computers be at risk? Maybe they haven't even considered the issue at
Eclypsium:

2. Eclypsium has released a PowerShell script to Github
that can assist in determining whether a system is impacted.

So, a Linux machine can not be analyzed.

Stage 2: Downloading and running further executables

Plain HTTP (the first bullet above) should never be used for
updating privileged code as it is easily compromised via
Machine-in-the-middle (MITM) attacks. However, we noticed
that even when using the HTTPS-enabled options, remote server
certificate validation is not implemented correctly.
Therefore, MITM is possible in that case also.

They are really daft these people! How can they be this incompetent in
the XXI?

--
Cheers, Carlos.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72299&group=alt.comp.os.windows-10#72299

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 16:15:43 -0500
Organization: Usenet Elder
Message-ID: <y4iyglgl1my2.dlg@v.nguard.lh>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor> <u659a7$2q0m0$1@dont-email.me> <bmphljx543.ln2@Telcontar.valinor>
User-Agent: 40tude_Dialog/2.0.15.41

"Carlos E.R." <robin_listas@es.invalid> wrote:

> Having a windows executable in the firmware is interesting. Would Linux
> computers be at risk?

See my other reply (to Johnny). It's a Windows 8+ "feature": Windows
Platform Binary Table (WPBT) - a built-in UEFI-based rootkit. Deposit
an .exe into the WPBT ACPI table, and Windows (after booting) will run
the .exe if found -- ANY .exe that's there. It's a Windows 8+ thing
(well, along with UEFI). You would have to check if Linux after booting
will load executables stored in the UEFI.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

https://news.novabbs.org/computers/article-flat.php?id=72300&group=alt.comp.os.windows-10#72300

From: robin_listas@es.invalid (Carlos E.R.)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?
Date: Sun, 11 Jun 2023 23:17:15 +0200
Message-ID: <r7qhljx543.ln2@Telcontar.valinor>
References: <20230611141837.5ca0d14e@mx> <z8u3k4elb9zy.dlg@v.nguard.lh>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.1
In-Reply-To: <z8u3k4elb9zy.dlg@v.nguard.lh>

On 2023-06-11 23:02, VanguardLH wrote:
> Johnny <johnny@invalid.net> wrote:
>
>> Published June 11, 2023
>>
>> A cybersecurity company called Eclypsium has made a startling
>> discovery. They found a hidden backdoor in the firmware of motherboards
>> (the main circuit board in a computer) made by a Taiwanese company
>> called Gigabyte, and this backdoor makes the motherboards easily
>> accessible for hackers to break into.
>>
>> Gigabyte apparently integrated a Windows executable file into the
>> firmware of its motherboards. This file is executed when the computer
>> starts up, meaning that each time you restart your computer, the
>> firmware's code activates Gigabyte's app center. This app center then
>> proceeds to download and run a file from the internet.
>>
>> Continued:
>>
>> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
>
> A Windows executable file. That means the OS has to be available to
> support running a Win32 executable. Well, if Windows gets loaded by the
> BIOS then what's the point of later re-loading it after the POST screen?

AFAIK it is loaded by UEFI before Windows loads. You can't stop it.

--
Cheers, Carlos.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<4tqhljx543.ln2@Telcontar.valinor>


https://news.novabbs.org/computers/article-flat.php?id=72301&group=alt.comp.os.windows-10#72301

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!lilly.ping.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_listas@es.invalid (Carlos E.R.)
Newsgroups: alt.comp.os.windows-10
Subject: Re:_Does_your_PC’s_motherboard_have_hidden_vuln
erability_that_could_put_you_at_risk?
Date: Sun, 11 Jun 2023 23:28:36 +0200
Lines: 21
Message-ID: <4tqhljx543.ln2@Telcontar.valinor>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor>
<u659a7$2q0m0$1@dont-email.me> <bmphljx543.ln2@Telcontar.valinor>
<y4iyglgl1my2.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net IzqdymjbjQS+UrmBxksM0QSF+X779vT7oLC3zM9EfHL7sqHp8p
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:iU1oojQATLjMqgTTtv1h3d95Bsk=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.9.1
Content-Language: es-ES, en-CA
In-Reply-To: <y4iyglgl1my2.dlg@v.nguard.lh>
 by: Carlos E.R. - Sun, 11 Jun 2023 21:28 UTC

On 2023-06-11 23:15, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> Having a windows executable in the firmware is interesting. Would Linux
>> computers be at risk?
>
> See my other reply (to Johnny). It's a Windows 8+ "feature": Windows
> Platform Binary Table (WPBT) - a built-in UEFI-based rootkit. Deposit
> an .exe into the WPBT ACPI table, and Windows (after booting) will run
> the .exe if found -- ANY .exe that's there. It's a Windows 8+ thing
> (well, along with UEFI). You would have to check if Linux after booting
> will load executables stored in the UEFI.

It might.

A machine sold with Linux installed by the manufacturer might include
this feature. I have not heard of such a thing, but I think it is possible.

--
Cheers, Carlos.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<jicvksnvg7s1$.dlg@v.nguard.lh>


https://news.novabbs.org/computers/article-flat.php?id=72302&group=alt.comp.os.windows-10#72302

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!lilly.ping.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Does your PC’s_motherboard_have_hidden
_vulnerability_that_could_put_you_at_risk?
Date: Sun, 11 Jun 2023 16:48:22 -0500
Organization: Usenet Elder
Lines: 16
Sender: V@nguard.LH
Message-ID: <jicvksnvg7s1$.dlg@v.nguard.lh>
References: <20230611141837.5ca0d14e@mx> <z8u3k4elb9zy.dlg@v.nguard.lh> <r7qhljx543.ln2@Telcontar.valinor>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: individual.net C6jyHyiDGNUcST5WNr/Ekg+YHvZroPkV3gboz+Th6QKt/xWLmO
Keywords: VanguardLH,VLH
Cancel-Lock: sha1:rCD/47PlGbQvAzcrxQQHDQ1PXHo=
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Sun, 11 Jun 2023 21:48 UTC

"Carlos E.R." <robin_listas@es.invalid> wrote:

> AFAIK it is loaded by UEFI before Windows loads. You can't stop it.

Nope. The .exe is deposited into the WPBT ACPI table in UEFI, and
Windows, after booting, will run wpbbin.exe to check if there is an .exe
there, and if so run the .exe under the Windows OS.

An .exe alone (no OS) wouldn't run. It would have to be a machine code
program (specific to the mobo hardware) that still some dispatcher would
have to load into memory to run the machine code. From the
vulnerability description, it's a Win32 .exe file which requires it get
loaded by Windows' dispatcher into memory and execution started along
with support from the Win32 and C runtimes provided by Windows. That's
why it's called a Windows executable stored in the UEFI. The program
file is there, but an OS has to load to load and run it.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<keob5lFgvvbU1@mid.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=72307&group=alt.comp.os.windows-10#72307

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.imp.ch!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: usenet@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.os.windows-10
Subject: Re:_Does_your_PC’s_motherboard_have_hidden_vuln
erability_that_could_put_you_at_risk?
Date: Mon, 12 Jun 2023 11:43:01 +0100
Lines: 14
Message-ID: <keob5lFgvvbU1@mid.individual.net>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net Ls1VJEtZAmpRD8hip0I9/Qk0ZSV7HPvAwMO+sYvl4IYqmtonSI
Cancel-Lock: sha1:5Z3pyYbJVGbJMpVN7LVmsMw2/HI=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.11.2
Content-Language: en-GB
In-Reply-To: <1jjhljxpek.ln2@Telcontar.valinor>
 by: Andy Burns - Mon, 12 Jun 2023 10:43 UTC

Carlos E.R. wrote:

> I'd appreciate some technical language, instead of layman first grader
> speak.
> What you posted is impossible to decipher.

<https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/>

The bios extracts a .exe from itself at boot time, copies it to hard
drive; when run, the exe downloads further updates from gigabyte
website, but in an insecure way that could be compromised ...
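The "insecure way" in this post is the point a network attacker could use: the updater dropped by the firmware fetches further code from the vendor's site, so whatever it runs is only as trustworthy as that fetch. The block below is an added illustration, not code from this thread, from Gigabyte or from Eclypsium, of the two checks such a downloader should make before executing anything it received: refuse plaintext HTTP and any host outside a pinned allow-list (so the TLS library validates the server), and refuse a payload whose SHA-256 does not match a value pinned out of band, for instance from a signed manifest. The host names and payload bytes are constructed for the example.

```python
"""Added example: checks an updater launched from firmware should make before
executing anything it downloaded. Not Gigabyte's or Eclypsium's code."""
import hashlib
import hmac
from typing import FrozenSet, Tuple
from urllib.parse import urlparse

# CONSTRUCTED allow-list; a vendor would pin its real update hosts here.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"updates.example-vendor.invalid"})


def url_policy_ok(url: str, allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS) -> bool:
    """Only HTTPS (so the TLS stack validates the server certificate) and only
    to pinned hosts; a plaintext http:// fetch can be rewritten on the path."""
    p = urlparse(url)
    return (p.scheme == "https" and p.hostname is not None
            and p.hostname.lower() in allowed_hosts)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the fetched bytes."""
    return hashlib.sha256(data).hexdigest()


def payload_matches(payload: bytes, expected_sha256_hex: str) -> bool:
    """Compare the fetched bytes to a digest pinned out-of-band (for example a
    signed manifest); the constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(sha256_hex(payload), expected_sha256_hex.lower())


def accept_update(url: str, payload: bytes, expected_sha256_hex: str) -> Tuple[bool, str]:
    """Decide whether a downloaded update may be executed; returns (ok, reason)."""
    if not url_policy_ok(url):
        return False, "refusing: not HTTPS to a pinned update host"
    if not payload_matches(payload, expected_sha256_hex):
        return False, "refusing: payload digest does not match pinned value"
    return True, "accepted"


if __name__ == "__main__":
    # CONSTRUCTED payloads standing in for a downloaded updater binary.
    genuine = b"MZ...vendor updater build 1.2.3 (constructed)"
    pinned = sha256_hex(genuine)          # would come from a signed manifest
    tampered = genuine.replace(b"1.2.3", b"1.2.4")
    cases = [("https://updates.example-vendor.invalid/u.bin", genuine),
             ("http://updates.example-vendor.invalid/u.bin", genuine),
             ("https://updates.example-vendor.invalid/u.bin", tampered),
             ("https://mirror.attacker.invalid/u.bin", genuine)]
    for url, body in cases:
        print(url, "->", accept_update(url, body, pinned))
```

Only the first of the four cases printed by the script is accepted; the other three fail on scheme, on digest and on host respectively, which is the order a client should check them in (do not even fetch from a disallowed origin).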

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<keob9nFgvvbU2@mid.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=72308&group=alt.comp.os.windows-10#72308

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!lilly.ping.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: usenet@andyburns.uk (Andy Burns)
Newsgroups: alt.comp.os.windows-10
Subject: Re:_Does_your_PC’s_motherboard_have_hidden_vuln
erability_that_could_put_you_at_risk?
Date: Mon, 12 Jun 2023 11:45:11 +0100
Lines: 10
Message-ID: <keob9nFgvvbU2@mid.individual.net>
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor>
<u659a7$2q0m0$1@dont-email.me> <bmphljx543.ln2@Telcontar.valinor>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net Sl8oBM7FlSl4uHWy7GYggASZptCIbCx2PUCIpd0bx2mW2x36uK
Cancel-Lock: sha1:DbBlAO1IjPvAt5g1S4v9ES01Tbg=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.11.2
Content-Language: en-GB
In-Reply-To: <bmphljx543.ln2@Telcontar.valinor>
 by: Andy Burns - Mon, 12 Jun 2023 10:45 UTC

Carlos E.R. wrote:

>
>      2. Eclypsium has released a PowerShell script to Github
>      that can assist in determining whether a system is impacted.
>
> So, a Linux machine can not be analyzed.

powershell does run on Linux, but I doubt Eclypsium have written/tested
their script in that manner.
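VanguardLH's description earlier in the thread (the .exe sits in the WPBT ACPI table, and Windows runs it after booting) and the question in this reply of whether a Linux machine can be analysed can be illustrated with one inspection script. The block below is an added example, not code from this thread, from Eclypsium or from Gigabyte: it parses a WPBT table according to its fixed layout (the standard 36-byte ACPI header, then handoff memory size, handoff physical address, content layout, content type and a UTF-16 command line), verifies the ACPI checksum, and reports what the firmware is asking the operating system to run. It runs on a constructed sample table embedded in the block; on a Linux host it will also read a real table from /sys/firmware/acpi/tables/WPBT, where the kernel exposes ACPI tables (normally readable by root only). Linux has no WPBT handler, so it never executes the binary, but the table's presence and contents can still be audited from Linux without PowerShell. The sample's addresses, OEM strings and command line are made-up values.

```python
"""Added example: parse and report a WPBT ACPI table. Not code from this
thread, from Eclypsium or from Gigabyte."""
import os
import struct
from typing import Optional

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT fields that follow the header: handoff memory size, handoff physical
# address, content layout, content type, command-line length in bytes.
WPBT_FIXED = struct.Struct("<IQBBH")
# Linux exposes each ACPI table under this directory; Linux has no WPBT handler.
LINUX_WPBT_PATH = "/sys/firmware/acpi/tables/WPBT"

CONTENT_LAYOUT = {1: "single PE image"}
CONTENT_TYPE = {1: "native user-mode application"}


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over its declared length."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT table into a report dict; raises ValueError if malformed."""
    if len(table) < ACPI_HEADER.size + WPBT_FIXED.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _csum, oem_id, oem_table_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"declared length {length} != actual {len(table)}")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    size, phys, layout, ctype, args_len = WPBT_FIXED.unpack_from(table, ACPI_HEADER.size)
    args_start = ACPI_HEADER.size + WPBT_FIXED.size
    raw_args = table[args_start:args_start + args_len]
    if len(raw_args) != args_len:
        raise ValueError("command-line length runs past end of table")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "handoff_size": size,                 # bytes of binary placed in memory
        "handoff_phys_addr": phys,            # where the firmware left it
        "content_layout": CONTENT_LAYOUT.get(layout, f"unknown ({layout})"),
        "content_type": CONTENT_TYPE.get(ctype, f"unknown ({ctype})"),
        "args": raw_args.decode("utf-16-le", "replace").rstrip("\x00"),
    }


def is_valid_wpbt(table: bytes) -> bool:
    """True when the table parses cleanly, False on any structural problem."""
    try:
        parse_wpbt(table)
        return True
    except ValueError:
        return False


def build_sample_wpbt(args: str = "", layout: int = 1, ctype: int = 1) -> bytes:
    """CONSTRUCTED sample table; addresses and OEM strings are made up."""
    args_bytes = (args + "\x00").encode("utf-16-le") if args else b""
    fixed = WPBT_FIXED.pack(0x1000, 0x7FF00000, layout, ctype, len(args_bytes))
    length = ACPI_HEADER.size + len(fixed) + len(args_bytes)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"CONSTRCT", 1, b"EXMP", 1)
    table = bytearray(header + fixed + args_bytes)
    table[9] = (-sum(table)) % 256        # checksum byte lives at header offset 9
    return bytes(table)


def inspect_host() -> Optional[dict]:
    """On Linux, report the live WPBT if the firmware published one."""
    if not os.path.exists(LINUX_WPBT_PATH):
        return None
    try:
        with open(LINUX_WPBT_PATH, "rb") as fh:
            return parse_wpbt(fh.read())
    except PermissionError as exc:
        raise RuntimeError("ACPI tables are root-readable; rerun with privileges") from exc


if __name__ == "__main__":
    live = inspect_host()
    print("host WPBT  :", live if live else "none published by firmware")
    print("sample WPBT:", parse_wpbt(build_sample_wpbt("/silent")))
```

A table that parses is not by itself proof of compromise: the WPBT is a documented Windows mechanism. What the report gives an investigator is the binary's size and physical address (to dump and hash it) and the command line the firmware intends to pass, which is the information to compare against the vendor's published description.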

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<72JhM.33360$fZx2.13526@fx14.iad>


https://news.novabbs.org/computers/article-flat.php?id=72313&group=alt.comp.os.windows-10#72313

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx14.iad.POSTED!not-for-mail
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.11.0
Subject: Re:_Does_your_PC’s_motherboard_have_hidden_vuln
erability_that_could_put_you_at_risk?
Content-Language: en-US
Newsgroups: alt.comp.os.windows-10
References: <20230611141837.5ca0d14e@mx> <1jjhljxpek.ln2@Telcontar.valinor>
<u659a7$2q0m0$1@dont-email.me> <bmphljx543.ln2@Telcontar.valinor>
<y4iyglgl1my2.dlg@v.nguard.lh>
From: not.email@all.invalid (Sam E)
In-Reply-To: <y4iyglgl1my2.dlg@v.nguard.lh>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 16
Message-ID: <72JhM.33360$fZx2.13526@fx14.iad>
X-Complaints-To: abuse@usenet-news.net
NNTP-Posting-Date: Mon, 12 Jun 2023 17:59:31 UTC
Organization: usenet-news.net
Date: Mon, 12 Jun 2023 12:59:31 -0500
X-Received-Bytes: 1678
 by: Sam E - Mon, 12 Jun 2023 17:59 UTC

On 6/11/23 16:15, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> Having a windows executable in the firmware is interesting. Would Linux
>> computers be at risk?
>
> See my other reply (to Johnny). It's a Windows 8+ "feature": Windows
> Platform Binary Table (WPBT) - a built-in UEFI-based rootkit. Deposit
> an .exe into the WPBT ACPI table, and Windows (after booting) will run
> the .exe if found -- ANY .exe that's there. It's a Windows 8+ thing
> (well, along with UEFI). You would have to check if Linux after booting
> will load executables stored in the UEFI.

IIRC, Linux doesn't do anything with .EXE files unless WINE is
installed, and WINE has limitations. Maybe it won't run the malware.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<u681a1$37pq9$1@dont-email.me>


https://news.novabbs.org/computers/article-flat.php?id=72315&group=alt.comp.os.windows-10#72315

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: jbb@notatt.com (Jeff Barnett)
Newsgroups: alt.comp.os.windows-10
Subject: Re:_Does_your_PC’s_motherboard_have_hidden_vuln
erability_that_could_put_you_at_risk?
Date: Mon, 12 Jun 2023 15:05:02 -0600
Organization: A noiseless patient Spider
Lines: 57
Message-ID: <u681a1$37pq9$1@dont-email.me>
References: <20230611141837.5ca0d14e@mx>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 12 Jun 2023 21:05:05 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="83487a5528a7ae70d208a9d256f2a150";
logging-data="3401545"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18S2cNPkB/KwFiqQTliAY+S3Qgk0MMKt40="
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.12.0
Cancel-Lock: sha1:G5mGYqmj4mssG26CR67U60KGHsA=
Content-Language: en-US
In-Reply-To: <20230611141837.5ca0d14e@mx>
 by: Jeff Barnett - Mon, 12 Jun 2023 21:05 UTC

On 6/11/2023 1:18 PM, Johnny wrote:
>
> Published June 11, 2023
>
> A cybersecurity company called Eclypsium has made a startling
> discovery. They found a hidden backdoor in the firmware of motherboards
> (the main circuit board in a computer) made by a Taiwanese company
> called Gigabyte, and this backdoor makes the motherboards easily
> accessible for hackers to break into.
>
> Gigabyte apparently integrated a Windows executable file into the
> firmware of its motherboards. This file is executed when the computer
> starts up, meaning that each time you restart your computer, the
> firmware's code activates Gigabyte's app center. This app center then
> proceeds to download and run a file from the internet.
>
> Continued:
>
> https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk
I once was helping look at the feasibility of moving a modeled and
verified security kernel from older hardware to a more modern CPU such
as a Pentium. For fun, I read the current (at that time) ACPI spec. It's
the kind of reading that hurts the eyes and makes you want to run
outside and forget computers. A few years later, I read through an
updated spec. Ugh. Those specs were the basic definition of plug and
play and power management for most existing computers today.

There was a most interesting feature in those specs that is relevant to
this thread: a conforming implementation must provide a script language
(well defined within the specs) that could be used to write the code for
some or most layers of drivers. The runtime for that language could and
often was an interpreter though various amounts of compilation were
envisioned - compile to something that looked like P-code or Java all
the way up to native machine code. The kicker was how the code could be
introduced to the system. There seemed to be two possibilities:

1. The driver writer used it to package OS specific drivers - the kind of
things you get on a CD with your device or by download.

2. The device "hands" the code to the OS during one of the enumeration
passes.

Option one was clearly in play. However, it seemed that so was Option
two. Option two blows any sort of formal verification "reuse" out of the
water. (Remember I was investigating moving a formally verified kernel
and trying to maintain the certification.) I tried to get more
information as to Option two but was not successful.

Note that Option two is a way for a device to stuff code into an OS at a
level where it can do anything it pleases! Could this be what was going
on at Gigabyte? Were they just obeying the ACPI spec?

If anyone has some more specific information about all of this, I'd love
to hear it.
--
Jeff Barnett

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<sqqlljxa4e.ln2@Telcontar.valinor>


https://news.novabbs.org/computers/article-flat.php?id=72322&group=alt.comp.os.windows-10#72322

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!lilly.ping.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_listas@es.invalid (Carlos E.R.)
Newsgroups: alt.comp.os.windows-10
Subject: Re:_Does_your_PC’s_motherboard_have_hidden_vuln
erability_that_could_put_you_at_risk?
Date: Tue, 13 Jun 2023 11:51:56 +0200
Lines: 14
Message-ID: <sqqlljxa4e.ln2@Telcontar.valinor>
References: <20230611141837.5ca0d14e@mx> <u681a1$37pq9$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net crnpZL6wODWRqpy1AObonwOlEBxlOGW2eGSyv9dVJH1FUlrYp/
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:yH5I6ltQ3j9w5oTgiUneEI1OmDE=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Thunderbird/102.9.1
Content-Language: es-ES, en-CA
In-Reply-To: <u681a1$37pq9$1@dont-email.me>
 by: Carlos E.R. - Tue, 13 Jun 2023 09:51 UTC

On 2023-06-12 23:05, Jeff Barnett wrote:
> On 6/11/2023 1:18 PM, Johnny wrote:

....

> Note that Option two is a way for a device to stuff code into an OS at a
> level where it can do anything it pleases! Could this be what was going
> on at Gigabyte? Where they just obeying the ACPI spec?

UEFI spec.

--
Cheers, Carlos.

Re: Does your PC’s motherboard have hidden vulnerability that could put you at risk?

<u69ksd$3iuve$1@dont-email.me>


https://news.novabbs.org/computers/article-flat.php?id=72323&group=alt.comp.os.windows-10#72323

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nospam@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re:_Does_your_PC’s_motherboard_have_hidden_vulner
ability_that_could_put_you_at_risk?
Date: Tue, 13 Jun 2023 07:45:16 -0400
Organization: A noiseless patient Spider
Lines: 66
Message-ID: <u69ksd$3iuve$1@dont-email.me>
References: <20230611141837.5ca0d14e@mx> <u681a1$37pq9$1@dont-email.me>
<sqqlljxa4e.ln2@Telcontar.valinor>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 13 Jun 2023 11:45:17 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="3edc901f56fea9cb148cebb2f3a89a01";
logging-data="3767278"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/QcdFbymYD956rfOtt9xfWJjLxmWtP0qg="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
Cancel-Lock: sha1:9pB54feYvbqkAiDCpu8nxxTrSs0=
Content-Language: en-US
In-Reply-To: <sqqlljxa4e.ln2@Telcontar.valinor>
 by: Paul - Tue, 13 Jun 2023 11:45 UTC

On 6/13/2023 5:51 AM, Carlos E.R. wrote:
> On 2023-06-12 23:05, Jeff Barnett wrote:
>> On 6/11/2023 1:18 PM, Johnny wrote:
>
> ...
>
>> Note that Option two is a way for a device to stuff code into an OS at a level where it can do anything it pleases! Could this be what was going on at Gigabyte? Were they just obeying the ACPI spec?
>
> UEFI spec.
>
And the term would be "exploiting the UEFI spec".

*******

While you're sitting there, UEFI is running at the
same time as your OS is running. SMI interrupt, raised
maybe 30 times a second, allows UEFI to run for short
intervals, and adjust power converters and voltages.
And these are "UEFI", because we have to associate
some firmware entity with the responsibility. SMI
(system management interrupt) and System Management Mode (SMM)
is a high priority interrupt, higher than the clock tick
(if clock ticks are being used), and capable of usurping the OS.

There are lots of details about modern hardware that
need documentation.

In this picture, I am using a whizzy piece of software,
just for a readout, to see what my machine is doing. The
fan speed (not shown), varies in real time, and the noise
of the fan correlates with some of the dials in this. This
watches as UEFI adjusts the knobs in the (SMI) background.

[Picture]

https://i.postimg.cc/wjGtvFXK/automatic-cooling-system-readout.gif

One reason it says on the CPU box "water cooling recommended", is
the full frequency range is "exposed" if you have sufficient cooling.
If your cooling isn't quite there (my cooler is a little weak
on purpose), then the adjustment process will not run the CPU
at peak frequency. With a water cooler attached, there would
be more "headroom" for the adjuster to work.

The sad part is when you visit Tomshardware with your web browser,
there is enough Javascript railing a core, to really make the fan noisy.
Carrying out other tasks, running on all cores, the fan is not
quite as noisy (since the system is now "resource limited"). Without
looking, I can now tell which sites have an "excess of advertising".
I just listen to the fan.

I expect the same sort of function, on Intel boards, but with a
different sensor suite inside the hardware.

Speedfan no longer works on my board (no driver for the SuperIO).
Even the Linux "sensor" package cannot read out anything! (A linux
guy does have a driver, but it's not in the kernel at the moment.)

So right now, the AMD software is all I've got. (The MSI mobo package,
if there is one, is "too big" to be loading onto the machine.
The AMD one is bad enough in this regard, on its own, and is
more than 100MB.) And all of the companies want to "spy on your
usage pattern", so you have to remember to untick the box about
reporting to headquarters.

Paul

