Yes, you heard that right. No SSL, no TLS there, just plain old open HTTP to grab updates for a protected system item, leaving it open to Man-in-the-Middle attacks. This flub might have been a simple oversight, but the fact that it exists in millions of Gigabyte products is simply bad; this is “cross the streams” bad. The problem was found by firmware security company Eclypsium back in April 2023. They notified Gigabyte, who have acknowledged the issue and issued an update to cover this problem.
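As an added illustration (not code from this article, from Gigabyte, or from Eclypsium), here is the kind of check an updater should perform before it trusts anything it pulled from the network: refuse plain-HTTP sources outright, and compare the downloaded bytes against a pinned SHA-256 before writing them to disk. The URLs, payload bytes and the "tampered" copy are constructed placeholders; the pinned digest stands in for the signed-manifest verification a production updater would do.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payload an updater might ship, and its pinned SHA-256
# (computed here so the example is self-contained; a real updater would ship
# the digest or a signature out of band, not derive it from the download).
GOOD_PAYLOAD = b"example-updater-agent-v1\n"
PINNED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()

# The same payload as an on-path attacker could alter it over an unencrypted
# channel (constructed for the example).
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b"injected\n"


def source_is_acceptable(url: str) -> bool:
    """Only https:// sources with a host are allowed; http:// is rejected."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def payload_matches_pin(payload: bytes, pinned_sha256: str) -> bool:
    """Compare the digest of the fetched bytes to the pinned value in constant time."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


def accept_update(url: str, payload: bytes, pinned_sha256: str) -> tuple[bool, str]:
    """Gate an update: transport check first, then integrity check.

    Returns (accepted, reason) so callers can log why a download was refused.
    """
    if not source_is_acceptable(url):
        return False, "rejected: update source is not https"
    if not payload_matches_pin(payload, pinned_sha256):
        return False, "rejected: payload digest does not match pinned value"
    return True, "accepted"


if __name__ == "__main__":
    # Three constructed scenarios: a good download, the same bytes over plain
    # HTTP (refused on transport alone), and an HTTPS download whose bytes were
    # altered (refused on the digest).
    cases = [
        ("https://updates.example/agent.bin", GOOD_PAYLOAD),
        ("http://updates.example/agent.bin", GOOD_PAYLOAD),
        ("https://updates.example/agent.bin", TAMPERED_PAYLOAD),
    ]
    for url, payload in cases:
        ok, reason = accept_update(url, payload, PINNED_SHA256)
        print(f"{url}: {reason}")
```

The transport check matters even with the digest in place: a pinned hash catches a swapped binary, but it is the encrypted, authenticated channel that keeps an attacker from serving a stale-but-valid version or from learning which hosts are polling for updates.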
Eclypsium said that the behavior mimics other backdoor and UEFI rootkit types of attacks, in that a binary exists in the UEFI BIOS and is then written to disk for execution. More and more threat actors are looking at UEFI code as a target for malware because of its access to system devices and because it runs outside of any operating system. If an attacker can send malicious code to an exposed UEFI BIOS, they can maintain persistence outside of the OS. Even wiping or replacing the drive will not get rid of something like this, and there are few security tools that can detect malware at the UEFI level. They rely on malware that executes in the OS space, not at the low level where the UEFI sits.
Having a flaw like this raises additional concerns, as many people and organizations do not push UEFI updates onto systems. They are not part of most update management systems, so they get excluded, leaving these systems exposed for much longer than they should be. At the consumer level, regular updates for Windows and other apps tend to get ignored, so a firmware update is not likely to be on the radar. The same goes for the mitigation step for this, which requires a consumer to enter the UEFI setup and disable the “App Center Download & Install” feature, if they can even figure out how to get into the UEFI setup.
It seems that there are around 7 million new targets out on the internet that are just waiting to be infected with UEFI malware. There might be a small number of these targets that get properly remediated either through patching or disabling the offending function, but for the most part this will be a target rich environment for a while. Happy patching.