Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Gigabyte. Show all posts
Submarine
Black Web Cyber Attacks Cyberbreach Cyberhackers CyberThreat Dark Web Gigabyte Naval Group Submarine

Hackers Compromise French Submarine Engineering Company



One of the most chilling reminders of how threat landscapes are evolving even to the most fortified sectors is a major cyber breach that has hit the core of France’s naval defence ecosystem, the Naval Group. Naval Group—widely regarded as one of the nation’s key innovators in the maritime industry—has been compromised by a calculated cyberattack that compromised its reputation for operational secrecy. 

Almost 13 gigabytes of highly sensitive data, including technical documentation, submarine combat software components, internal communications, as well as decades-old audio recordings from submarine monitoring systems, were discovered on the internet. It was discovered that virtual machine containers, detailed architecture schematics, and proprietary system blueprints belonging to Naval Group engineers were found in the leak, as well as virtual machine containers. 

A silent and strategic adversary was responsible for the intrusion, as it lacked digital vandalism or extortion demands. In spite of the fact that attribution is still unclear, there is speculation that nation-state actors could have been involved in espionage as well as independent threat groups that were seeking disruption or strategic leverage. 

However, what remains undeniable is the scale and intent of the breach. This was a precise attack against an impenetrable defence network that was once considered impenetrable and unbreakable. Adding to the fragility of national defence and digital security, French naval defence contractor Naval Group has been the target of scrutiny after claims of a significant cyberattack that have raised concerns about the company's operations.

An anonymous group operating on the dark web, known as the Black Web forum, has claimed it has accessed and exfiltrated classified information related to key French naval platforms, including the nuclear-powered submarines of the Barracuda class. A month ago, the group released approximately 30 gigabytes of data, including software code from combat management systems, and issued a demand that they be contacted within 72 hours or risk leaking more information. 

Despite the fact that the authenticity of these files is still uncertain, cybersecurity experts warn that even partial exposure to such sensitive source code could allow adversaries to gain valuable insight into the performance of weapons, their system architecture, and any vulnerabilities they may be able to exploit. It has been confirmed that Naval Group, owned by the French government in the majority, has begun an urgent technical investigation into the alleged breach. 

In response to the incident, the company spokesperson described it as a PR attack rather than a confirmed intrusion into its internal infrastructure, stating that operations across shipyards and naval projects remain undisturbed. However, the strategic implications of this incident remain significant. With the creation of some of France's most advanced maritime defence assets, including the Charles de Gaulle aircraft carrier and the Triomphant submarines, Navy Group has played a crucial role in the nation's defence and that of allies. 

The potential impact of a confirmed compromise could include both the threat to homeland security as well as the threat to international trade agreements between Australia, India, and Brazil. The Ministry of Armed Forces has yet to release a statement on the matter, but it has been reported that French cybersecurity agencies are helping to conduct the forensic analysis. In light of increasing concerns about global security in the defense supply chain, Naval Group has issued a formal statement stating that no intrusion has yet been detected on its internal information technology infrastructure, as of yet. 

In a statement, the company announced that all of its resources had been mobilised to investigate whether the recently leaked data are authentic, provenance, or owned by the Indian Navy, as they had partnered with Mazagon Dock Shipbuilders to deliver six Scorpene-class submarines to the Indian Navy. In order to conduct the forensic investigation, we are collaborating with French authorities. 

A similar incident occurred in 2016, when more than 22,000 classified pages of India's Scorpene submarines were leaked, raising serious concerns over the integrity of India's underwater warfare capabilities, a breach that has echoed this recent incident. 

A recent breach could have far-reaching implications, as well as threaten the operational security of other nations that operate Scorpene-class submarines, such as Malaysia, Indonesia, and Chile, if it is verified. According to analysts, such a compromise would have a devastating effect on the international defence manufacturing ecosystem, undermining trust in the protection of military technologies and exposing transnational arms collaborations to systemic vulnerabilities. 

Geopolitical tensions are increasingly raging in grey zone conflict - a territory where cyberattacks and information warfare blur the line between peace and hostility, as global defence contractors are becoming very valuable targets. The Naval Group is a cornerstone of France's naval industrial base and is now found at the nexus of this strategic vulnerability. 

In addition to providing advanced maritime platforms worldwide to nations like France, France's Nuclear Attack submarines (SSNs) and the Scorpene-class diesel-electric submarines (SSKs) in service with the Indonesian Navy, the company is also a major supplier of advanced military systems. There are also multipurpose French-Italian frigates, the FREMM, which are based in France. 

In addition to serving as a technological leader and economic engine, Naval Group also supports tens of thousands of indirect jobs in France since 90% of its added value is generated within the country. The ownership structure of the company further reflects its national significance as well. 62.25 per cent of the company's shareholdings are held by the French state, 35 per cent by Thales, and the rest by its former employees through structured corporate shareholdings. 

As strategic autonomy becomes increasingly important in a world where defence is regarded as an important component of economic growth, entities such as Naval Group symbolise more than just the capability to defend oneself; they represent a nation's industrial and strategic sovereignty in an era when strategic autonomy is increasingly emphasised. 

In spite of a growing number of high-profile cyber intrusions that target both corporations and governments, the allegations of a breach involving Naval Group are yet another disturbing global trend. Days before, Microsoft disclosed a critical vulnerability in its widely used SharePoint platform, which is believed to have been exploited by Chinese threat actors to gain access to this platform. 

Among the affected entities was the U.S. It is the responsibility of the National Nuclear Security Administration to maintain the American nuclear arsenal. This incident did not compromise any classified information, however the growing frequency and ambition of such attacks have raised alarm within international security communities because of the increased frequency and ambition. 

With a workforce of more than 15,000 and generating revenue over €4.4 billion annually, Naval Group stands out as one of the world’s leading naval shipbuilders in an increasingly volatile threat landscape. It is an essential industrial asset for the government as a whole. Almost two-thirds of the company is controlled by the French government (holding nearly two-thirds of the equity), and the remainder is controlled by Thales, one of the leading defence conglomerates in the country. 

It is not only the incident that has raised concerns about cyber-vulnerabilities within critical infrastructure, but it also emphasises the importance of coordinating resilient strategies across global defence supply chains to reduce the risk of a cyber attack. This incident involving Naval Group happens to fall at a critical moment in the global cybersecurity landscape, as the digital battlefield has become as important as traditional combat zones in terms of importance. 

Despite the fact that governments and private companies invest billions in safeguarding technological superiority, the threat of real or perceived exposure of sensitive defence assets is amplifying strategic fears. The reputational and diplomatic fallout for France might be substantial, especially if defence partners start questioning the ability of collaborative programs to survive. 

A key concern about the breach is that it has the potential to have a ripple effect: it strikes at the intersection of national security, industrial sovereignty, and global defence cooperation. As a consequence of Naval Group's integral role in multinational defence programs, any compromise could negatively impact not only France but also all of the nations which rely on its software frameworks and platforms. 

It is becoming increasingly clear that in an era dominated by digitally enabled espionage, where classified data can be weaponised both for disruption and to provide intelligence, the protection of defence research and development is no longer a siloed responsibility, but rather a shared imperative across allies and defence ecosystems. 

Aside from that, this breach serves as a stark reminder that cyber intrusions don't necessarily show up in the form of ransomware or defacing websites. There were motives underlying the leak in this case that were geopolitical manoeuvres, competitive sabotage, or intelligence collection, based on the absence of financial extortion and the precision of the leak. Therefore, the Naval Group episode should serve as a call to action for the broader defence community, emphasising the urgent need for robust, coordinated cybersecurity defences, cross-border intelligence sharing, and a renewed commitment to both legacy systems and new defence technologies that are being developed. 

The Naval Group breach, which occurred in a high-stakes theatre of modern security where digital compromises could undermine years of strategic advantage, goes way beyond just an isolated incident in a theatre with high stakes. It represents not only the vulnerability of defence digitisation and the fragility of strategic partnerships, but also the persistent threats posed by adversaries operating in the shadows that exist today.

Read more »
SMM
AI/ML vulnerabilities CyberCrime Cyberhacekrs Cybersecurity CyberThreat Gigabyte malware Ransomware SMI SMM

Gigabyte Firmware Vulnerability Enables Stealth UEFI Malware Infection

According to security researchers, a critical set of vulnerabilities has been identified in UEFI firmware for a number of motherboards manufactured by Gigabyte, causing serious concerns about device integrity and long-term system security, as well as serious concerns regarding device integrity. Binarly, a cybersecurity firm, claims that American Megatrends Inc. (AMI) firmware contains four high-severity flaws which allow threat actors to execute stealthily and persistently. 

In a subsequent analysis, it was found that the identified vulnerabilities were exploitable by attackers who possess either local or remote administrative privileges in order to execute arbitrary code within the highly privileged System Management Mode (SMM) if the attackers possess the right credentials. In addition to operating independently of the host operating system, this execution environment is embedded in the firmware itself and gives the firmware considerable power over the hardware that is behind it. 

Hence, sophisticated threat actors often target this system to gain deeper control over compromised computers and establish long-term persistence through establishing deeper control over compromised systems. The System Management Mode is designed to handle low-level system functions and it is activated very early during the boot process, well before the operating system takes over. 

Consequently, code running within SMM has unrestricted access to critical system resources, including memory, processor instructions, and hardware configurations, because it is isolated and has elevated privileges. It is therefore a perfect target for firmware-based malware, including bootkits, that are capable of edging out traditional endpoint protection tools that rely on visibility at the OS level to detect them. 

A compromised SMM can serve as a launch pad for advanced threat campaigns, allowing attackers to remain stealthy, disable security mechanisms, and even reinstall malware after reboots or operating system reinstalls. As a result of the exploit of this layer, the ability to conduct attacks has increased dramatically, highlighting the necessity for improved firmware security practices, regular updates, and hardware integrity verification within both consumer and enterprise environments in order to minimize potential attacks. 

 The CVSS severity ratings for each of these vulnerabilities -- CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029 -- have each been assigned an average of 8.2 out of 10 and are therefore categorized as high-risk vulnerabilities. Through the exploitation of these vulnerabilities, attackers would be able to elevate system privileges, deploy bootkits, and execute malicious code remotely. 

When malware such as this has been installed, it may be able to obtain deep-rooted persistence at the firmware level, making it extremely difficult for conventional antivirus software to detect or remove. This discovery underscores the growing threat of firmware-based attacks, especially those aimed at UEFI, the Unified Extensible Firmware Interface, which acts as the basis for a computer system’s operating system, especially when attacked at the firmware level. The ability to compromise this layer enables adversaries to take control of a system before the operating system even loads, effectively subverting all system defenses from the ground up. 

Due to the widespread use of Gigabyte motherboards by both consumer and enterprise organizations, the vulnerability has potentially broad implications, especially for those organizations that rely on hardware trust and boot process integrity to operate. As Binarly's findings show, there are not only technical issues with firmware supply chains, but there are also ongoing challenges in ensuring robust validation of firmware throughout the boot process, which are also highlighted by the findings of Binarly. As a result of extensive analysis conducted by Binarly, a leading firmware security company, researchers discovered these vulnerabilities in-depth. 

It was found that Gigabyte's implementation of UEFI firmware was faulty due to the fact that some of the flaws were rooted in Gigabyte's implementation of the UEFI firmware. The original firmware was developed by American Megatrends Inc. It was the responsibility of the researchers to provide the CERT Coordination Center (CERT/CC) with responsible disclosures of the findings. 

After a private disclosure of security issues, AMI addressed them, but some downstream firmware builds – particularly those for Gigabyte products – did not incorporate the necessary fixes at the moment of discovery. Binary has identified four different vulnerabilities within the affected firmware, each carrying a CVSS severity score of 8.2. These vulnerabilities are contained in System Management Interrupt (SMI) handlers which are an integral part of the System Management Mode (SMM) environment and when exploited will cause the affected firmware to crash. 

Specifically: 

There is a CVE-2025-7029 vulnerability in the OverClockSmiHandler, which can be exploited to elevate privileges within Systems Management Manager while exploiting the flaw. In order to exploit CVE-2025-7028, malware is likely to be installed by unauthorized accessing System Management RAM (SMRAM), a critical memory region. This vulnerability is likely to allow malware to be installed by unapproved means. 

Using CVE-2025-7027, an SMM privilege escalation vulnerability as well as arbitrary code injection into SMRAM is enabled, which compromises the integrity of the firmware as a whole. A vulnerability such as CVE-2025-7026 allows arbitrary write access to SMRAM, opening the way to long-term persistence because it allows attackers to remotely manipulate the firmware layer and exert full control over it. 

It has been reported by Binarly that the vulnerabilities affect more than 240 Gigabyte motherboards, including numerous revisions, regional variants, and product iterations which were released between late 2023 and mid-August 2024, according to Binarly. In spite of the fact that Binarly representatives admit that there are currently over a hundred distinct product lines known to be vulnerable to this vulnerability, the exact number of units affected remains fluid. 

These firmware-level flaws appear to also be affecting other enterprise hardware manufacturers, although the identities of these companies have not yet been disclosed. There has been a report from vendors that they have withheld disclosure until appropriate security patches are developed and deployed in order to mitigate customer risk. A report by Binarly revealed that the vulnerabilities that have been identified by the company affect several of its legacy Intel-based motherboards, including the H110, Z170, Z270, Z370, Z390, and Z590 models.

It appears that newer models of Gigabyte's platforms are not affected by these vulnerabilities, however, new BIOS updates are currently being rolled out for supported devices. It is important to note that end-of-life devices will not receive automatic firmware updates, which leaves the users of those systems with a responsibility to initiate remediation efforts. For tailored assistance, Gigabyte recommends contacting their regional Field Application Engineers for further information. 

 A CERT Coordination Center (CERT/CC) advisory issued last week strongly reminded users that they should visit the Gigabyte support portal to verify whether updated firmware is available and to apply patches without delay in order to avoid security issues --especially if they use hardware that is not supported by Gigabyte. According to CERT/CC, these aren't theoretical vulnerabilities. Instead, they represent a credible and active threat that can be exploited in stealthy, long-term system compromises. Hence, it is imperative that users and organizations act immediately to protect themselves.

American Megatrends Inc (AMI) addressed these issues in the past following private disclosures, however CERT/CC emphasized that the flaws remain in certain OEM implementations, such as those manufactured by Gigabyte, despite these previous disclosures. The above situation highlights a critical weakness in the firmware supply chain—a gap that requires more rigorous downstream verification of AMI's fixes by hardware vendors so that they will be properly integrated and tested. 

In addition to that, Binarly cautioned that System Management Mode (SMM) remains a very attractive attack vector for advanced threat actors because it has elevated privileges and is isolated from the operating system, making it a particularly popular attack vector. The use of this layer allows malicious software to operate covertly beneath the Operating System. As a result, it is incredibly difficult for traditional security tools to detect and remove malware from the system. Security experts shared these concerns as well. 

A firmware-level vulnerability described by Gunter Ollmann, CTO of Cobalt cybersecurity firm, is considered a nightmare scenario for enterprise security professionals. A compromise that takes place below the operating system but is not visible under the surface is the ultimate “ghost in the machine”—a compromise that occurs beneath the operating system and is not visible in conventional ways. 

The security flaws that have been detected indicate persistent, hard-to-detect control over the system, which highlights the importance of companies extending security testing throughout the entire technology stack,” Ollmann said. In his opinion, penetration testing programs should include firmware-level targets as well as ensure red team operators have the abilities to assess hardware-level security threats. A number of developments have occurred as a result of this, and organizations are advised to apply BIOS updates immediately upon release, as well as to phase out unsupported legacy hardware as soon as possible. 

In order to implement a solid hardware security strategy, people should begin by conducting regular firmware audits, working closely with hardware vendors, and conducting deeper security assessments at the firmware level. This situation is particularly concerning since some of the impacted Gigabyte platforms have been marked as end-of-life (EOL) and are no longer eligible for security updates, which means they are always vulnerable to exploitation, leaving them permanently vulnerable. A number of such devices are expected to remain vulnerable indefinitely, resulting in long-term security blind spots for both individuals and enterprise environments still using outdated technology, according to Binarly CEO Alex Matrosov. 

Despite the severity of firmware-level threats, cyber security experts continue to emphasize the importance of these kinds of vulnerabilities, and Gunter Ollmann, the Chief Technology Officer at Cobalt, described these types of vulnerabilities as "a nightmare scenario" for defense teams. "This is the ultimate 'ghost in the machine'—a compromise which takes place below the operating system and exploits a layer of the system that is inherently trusted, and thus is largely invisible to traditional security tools," Ollmann explained in an interview with Help Net Security. 

The evolution of attacker tactics has led to the necessity of more comprehensive testing across the entire technology stack as a result. The scope of security assessments needs to be increased to include firmware-level vulnerabilities, as well as having red teams equipped with the expertise necessary to analyze threats lurking at hardware interfaces in particular. 

A further complexity of the issue is the coordination of the firmware supply chain, which contributes to its complexity. Despite the fact that American Megatrends Inc. (AMI) has privately addressed these vulnerabilities and shared information about the remediation with downstream partners under nondisclosure agreements, it is becoming increasingly apparent that some OEM vendors have not yet completely implemented or validated their own firmware releases to address these vulnerabilities. 

There is a systemic challenge in ensuring a consistent security environment across a wide range of hardware ecosystems, which is highlighted by this gap, and this highlights a need for greater collaboration and transparency among firmware developers, OEMs, and security researchers to ensure this is the case. As a conclusion, the fact that firmware security remains a crucial element of system protection, but it is often overlooked but still of major importance. 

In the context of the continuing innovation of attackers below the operating system-where detection is minimal and trust is implicit-organizations are faced with the need to adopt a holistic, proactive security posture to deal with these threats. Firmware should not be treated as a static component of an infrastructure, but instead as a living entity that requires continuous inspection, patching, and risk assessments from stakeholders. 

Firmware validation should be formalized and incorporated into enterprise vulnerability management workflows, OEM partners should be made more transparent and responsive, and security programs should be developed cross-functionally that cover the entire hardware-software stack in order to effectively manage vulnerabilities. 

Furthermore, the importance of investing in specialized skill sets cannot be overstated—securing teams must be able to assess low-level threats, perform firmware penetration tests, and audit supply chain practices rigorously, so they are equipped with the necessary skills. With today’s rapidly evolving threat landscape, neglecting firmware is no longer a tolerable blind spot; it is becoming a strategic liability for companies.

Read more »
ransomware attacks
Cyber Security Gigabyte Ransomware ransomware attacks

Taiwanese Computer Hardware Company Gigabyte Suffers Ransomware Attack

 

Gigabyte, a motherboard developing company from Taiwan and also a hardware giant was attacked by the RansomExx ransomware hacking group, who has blackmailed to leak 112 GB of hack data if the organization doesn't pay the ransom. Gigabyte is famous for making motherboards, but also builds other computer hardware and components, like laptops, monitors, graphic cards, and data center servers. The ransomware attack happened earlier this week which compelled the company to close down its systems in Taiwan. 

Besides this, the attack compromised multiple websites of Gigabyte, which includes support systems and website portions of the company. Customers have complained of having issues while accessing support docs or getting updated information on Ram's. The reason is most probably due to the ransomware attack. "The RansomEXX ransomware operation originally started under the name Defray in 2018 but rebranded as RansomEXX in June 2020 when they became more active. RansomEXX does not only target Windows devices but has also created a Linux encryptor to encrypt virtual machines running VMware ESXi servers," said Bleeping Computers. 

As per United Daily News (a Chinese news organization), Gigabyte revealed about the company suffering cyberattack which affected its servers. After finding unusual activity on its company network, Gigabyte closed down its IT systems and informed law agencies. However, Gigabyte itself has not officially confirmed which organization is behind the attack, but Bleeping Computers believe that it was carried out by the RansomExx gang. RansomExx hackers while encrypting a network attach ransom notes to each encrypted system. 

The ransom notes include a link to a private page accessible only to the victims to check the decryption of a file and to provide an email address for doing ransom negotiations. Bleeping Computer reports "like other ransomware operations, RansomEXX will breach a network through Remote Desktop Protocol, exploits, or stolen credentials. Once they gain access to the network, they will harvest more credentials as they slowly gain control of the Windows domain controller. During this lateral spread through the network, the ransomware gang will steal data from unencrypted devices used as leverage in ransom extortion."
Read more »
Subscribe to: Posts (Atom)