Microsoft is warning against a new way to exploit Intel's Active Management Technology, this time to pass messages between infected machines over business LANs.
So far, Microsoft says, the attack (which uses a variant of 2016's Platinum file transfer tool) has only been spotted in Asia, and fortunately it can only be exploited if an attacker tricks a sysadmin into providing administrative credentials.
As Redmond points out, the new wrinkle doesn't create a new attack vector, but rather it “misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications”.
The feature being misused is AMT's Serial-over-LAN (SOL), attractive to an attacker because it's independent of the host operating system.
It could be spotted by a separate standalone firewall, but it wouldn't be picked up by a host-based firewall. Another attraction to an attacker is that the embedded processor is designed to provide remote out-of-band capabilities like power cycling and KVM, even if the main processor is powered down.
SOL can also communicate over the LAN if a physical connection exists, regardless of whether networking is enabled on the host.
Microsoft also offers the hypothesis that if Platinum infected a system that didn't have AMT enabled, it could use stolen admin credentials and the technology's host-based provisioning to fire up a subset of AMT (including SOL) using its own credentials.
Whether using stolen credentials and full ATM access, or the limited access offered by a host-based provisioned machine, Platinum then exploited SOL to transfer malware over the LAN.
If you can exploit AMT's serial-over-LAN channel, the operating system won't see you
Microsoft says it worked with Intel to analyse the Platinum variant, and says Windows Defender ATP can detect the activity.
Intel's AMT got unwelcome attention in May, when critical vulnerabilities in the management technology first discovered in March became public. ®