Cybercriminals look to exploit Intel ME vulnerabilities for highly persistent implants | #computerhacking | #hacking

Leaked internal chats from the Conti ransomware gang suggests the group has been researching and developing code to compromise the Intel Management Engine (Intel ME), the out-of-band management functionality built into Intel chipsets. The goal of this technique is to install malicious code deep inside computer firmware where it cannot be blocked by operating systems and third-party endpoint security products.

Firmware implants are powerful and are usually used in high-value operations by state-sponsored hacker groups. However, over the past couple of years cybercriminal gangs have also shown an interest, with developers of the notorious TrickBot botnet adding an UEFI attack module in 2020. According to new research by security firm Eclypsium, the Conti ransomware group developed proof-of-concept code to exploit Intel ME firmware and gain code execution in System Management Mode, a highly privileged execution environment of the CPU.

What is Intel ME?

The Intel Management Engine is a subsystem that’s present in many Intel chipsets and consists of a dedicated coprocessor and real-time operating system that’s used for out-of-band management tasks. Intel ME is essentially a computer inside a computer and is completely separate from the user-installed OS that uses the main CPU. Depending on chipset and CPU generation, variations of the Intel ME technology are known as the Intel Converged Security and Management Engine (CSME) or Intel Trusted Execution Environment.

Not only does Intel ME run independently of the main CPU and OS, it also has a lot of control over them and potentially a way to access the UEFI, the low-level firmware in modern computers that’s in charge of initializing hardware devices, starting the bootloader and ultimately the main OS.

In February, following Russia’s invasion of Ukraine, a researcher leaked many logs from Conti’s internal chat system. By analyzing those logs, researchers from Eclypsium found discussions about targeting Intel ME, through known and previously unknown vulnerabilities to indirectly gain access to UEFI.

This is important for several reasons. Some legitimate APIs allow reflashing the UEFI firmware from inside the primary OS, for example for the purpose of updates. However, a properly configured UEFI performs cryptographic signature verification for updates and has write protections enabled. Furthermore, such attempts to reflash the UEFI can be detected and blocked by security software running inside the operating system.

Copyright © 2022 IDG Communications, Inc.

Original Source link

Leave a Reply

Your email address will not be published.

eighty five − seventy seven =