Conti spotted working on exploits for Intel Management Engine flaws

Don't leave those firmware patches to last

The notorious Conti ransomware gang has working proof-of-concept code to exploit low-level Intel firmware vulnerabilities, according to Eclypsium researchers.

Recently leaked Conti documents show the criminals developed the software more than nine months ago, and this is important because exploiting these kinds of weaknesses expands the extend and depth of an intrusion, the firmware security shop's analysis noted.

Specifically, we're told, Conti came up with code that targeted the Intel Management Engine (ME), a tiny hidden computer – with its own CPU, OS and software – within a processor chipset that runs independently from the main cores and provides various features including out-of-band management. The ME has total control over the box, so if you manage to compromise the ME, you'll be able to persistently infect and affect the machine below the operating system and its defenses.

The leaks show that the gang was fuzzing the ME to find undocumented commands and vulnerabilities. As a side note: although Conti engineers were looking for new ME vulns, the Eclypsium researchers have published a list of known ME flaws (plus related Intel advisories and CVEs) that enable remote code execution or privilege escalation. So it would be wise to take a quick break from reading this and make those fixes now if you haven't already.

A typical attack on the ME would work like this: either you get code execution on a victim's machine via something like an email attachment that contains malware and exploit a vulnerable software interface with the engine; or you pull off some kind of remote-code execution exploit against the ME. It's most likely a miscreant aiming for the ME will want to use it to turn an ordinary infection or compromise into a long-lasting, hard-to-detect one by drilling down into the ME after gaining code execution on a machine.

Once running at the ME level, an attacker can potentially tamper with the UEFI/BIOS firmware and/or run code in System Management Mode (SMM). SMM is a highly privileged environment, even more so than the ring-0 operating-system kernel. The OS can't examine the SMM nor prevent it from executing code, so if an intruder manages to make it into that, they can spy on and alter the box as they want.

This type of firmware attack could lead to all kinds of damage, from bricking the system to wiping high-value files. It would also allow Conti, for instance, to maintain persistence on a system to access and steal sensitive data and deploy ransomware or other payloads at a later date. And because the crooks' access sits below the OS, security tools such as antivirus or EDR don't provide much protection.

While Eclypsium today noted that "no new or unmitigated vulnerabilities have been identified, and that Intel chipsets are no more or less vulnerable than any other code," the problem remains that many organizations don't update their chipset firmware as frequently as they do other software or UEFI/BIOS system firmware. 

"This can leave some of the most powerful and privileged code on a device susceptible to attack," the researchers warned. Plus, because the PoC is nearly a year old at this point, "we expect that these techniques will be used in the wild in the near future if they haven't already." ®

Broader topics

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • If you didn't store valuable data, ransomware would become impotent
    Start by pondering if customers could store their own info and provide access

    Column Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil".

    Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of endless bounty, its intrinsic value remains difficult to define.

    That's a problem, because what cannot be valued cannot be insured. A decade ago, insurers started looking at offering policies to insure data against loss. But in the absence of any methodology for valuing that data, the idea quickly landed in the "too hard" basket.

    Continue reading
  • Apple gets lawsuit over Meltdown and Spectre dismissed
    Judge finds security is not a central feature of iDevices

    A California District Court judge has dismissed a proposed class action complaint against Apple for allegedly selling iPhones and iPads containing Arm-based chips with known flaws.

    The lawsuit was initially filed on January 8, 2018, six days after The Register revealed the Intel CPU architecture vulnerabilities that would later come to be known as Meltdown and Spectre and would affect Arm and AMD chips, among others, to varying degrees.

    Amended in June, 2018 the complaint [PDF] charges that the Arm-based Apple processors in Cupertino's devices at the time suffered from a design defect that exposed sensitive data and that customers "paid more for their iDevices than they were worth because Apple knowingly omitted the defect."

    Continue reading

Biting the hand that feeds IT © 1998–2022