• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Experts warn of backdoor-like behavior within Gigabyte systems

Experts warn of backdoor-like behavior within Gigabyte systems

Pierluigi Paganini May 31, 2023

Researchers discovered a suspected backdoor-like behavior within Gigabyte systems that exposes devices to compromise.

Researchers from firmware security firm Eclypsium have discovered a suspected backdoor-like behavior within Gigabyte systems.

The experts discovered that the firmware in Gigabyte systems drops and executes a Windows native executable during the system startup process. The executable is utilized for insecure downloading and execution of additional payloads. The experts pointed out that this is the same behavior observed for other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) and firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK. 

Further analysis revealed that this behavior is present in hundreds of models of Gigabyte PCs.

“This backdoor appears to be implementing intentional functionality and would require a firmware update to completely remove it from affected systems.” reads the analysis from Eclypsium. “While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems.”

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

Upon analyzing of the impacted UEFI firmware, the researchers identified a file named

File Name: 8ccbee6f7858ac6b92ce23594c9e2563ebcef59414b5ac13ebebde0c715971b2.bin, which is a Windows Native Binary executable. The executable resides in a UEFI firmware volume.

The firmware writes the executable to disk at the system boot process, this technique is commonly employed by UEFI implants and backdoors.

The executable can be used to carry out malicious activities such as downloading and executing additional payloads.

The Windows executable is a .NET application that downloads and runs an executable payload from one of the following locations, depending on its configuration:

  • http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4
  • https://software-nas/Swhttp/LiveUpdate4

The experts pointed out that the use of HTTP opens the doors to Machine-in-the-middle (MITM) attacks. The researchers also noticed that even when using the HTTPS protocol, the validation of the remote server certificate is not implemented correctly allowing MITM attacks also in that case. 

Compounding the situation, the firmware doesn’t support digital signature verification for the executables.

“The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers).” continues the report. “As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.”

The backdoor-like behavior likely impacts more than three hundred Gigabyte systems

These issues expose organizations wide a wide range of attack scenarios. 

  • Abuse of an OEM backdoor by threat actors.
  • Compromise of the OEM update infrastructure and supply chain.
  • Persistence using UEFI Rootkits and Implants.
  • MITM attacks on firmware and software update features.
  • Ongoing risk due to unwanted behavior within official firmware. 

Eclypsium recommends the following actions to minimize the risk:

  • Scan and monitor systems and firmware updates.
  • Update systems to the latest validated firmware and software.
  • Inspect and disable the “APP Center Download & Install” feature in UEFI/BIOS Setup on Gigabyte systems and set a BIOS password to deter malicious changes.
  • Block the above URLs.

The researchers are working with Gigabyte to address this issue.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Gigabyte)


facebook linkedin twitter

Firmware Gigabyte Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 23, 2025
U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 23, 2025
Sophos fixed two critical Sophos Firewall vulnerabilities
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

    Hacking / July 23, 2025

    Sophos fixed two critical Sophos Firewall vulnerabilities

    Security / July 23, 2025

    French Authorities confirm XSS.is admin arrested in Ukraine

    Cyber Crime / July 23, 2025

    Microsoft linked attacks on SharePoint flaws to China-nexus actors

    APT / July 23, 2025

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT