
Vxers exploit Intel's Active Management for malware-over-LAN

Platinum attack spotted in Asia, needs admin credentials


Microsoft is warning against a new way to exploit Intel's Active Management Technology, this time to pass messages between infected machines over business LANs.

So far, Microsoft says, the attack (which uses a variant of 2016's Platinum file transfer tool) has only been spotted in Asia, and fortunately it can only be exploited if an attacker tricks a sysadmin into providing administrative credentials.

As Redmond points out, the new wrinkle doesn't create a new attack vector; rather, Platinum “misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications”.

The feature being misused is AMT's Serial-over-LAN (SOL), attractive to an attacker because it's independent of the host operating system.

It could be spotted by a separate standalone firewall, but it wouldn't be picked up by a host-based firewall. Another attraction to an attacker is that the embedded processor is designed to provide remote out-of-band capabilities like power cycling and KVM, even if the main processor is powered down.

SOL can also communicate over the LAN if a physical connection exists, regardless of whether networking is enabled on the host.
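Because SOL traffic leaves the host through the management engine rather than the operating system's network stack, the place to look for it is network telemetry (a standalone firewall, a flow collector, a span port), not host-based controls. The script below is an added example, not code from the article, Microsoft or Intel: it runs a simple detection over constructed flow records and flags TCP connections to the AMT redirection ports (16994/16995, which carry Serial-over-LAN) or to the AMT web ports (16992/16993) from any host not on an allow-list of management consoles, then pairs up hosts that talk SOL to each other in both directions, the workstation-to-workstation pattern the article describes. The CSV record layout, the sample addresses and the `MANAGEMENT_HOSTS` allow-list are assumptions for the example.

```python
"""Flag Intel AMT Serial-over-LAN traffic in network flow records.

Added example (not from the article, Microsoft or Intel). Assumptions:
- flow records are "ts,src,dst,dport,proto" lines (constructed below);
- Intel AMT listens on TCP 16992/16993 (web/WS-Management) and
  16994/16995 (redirection, which carries SOL and IDE-R);
- MANAGEMENT_HOSTS is the set of consoles allowed to use AMT.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set

AMT_REDIRECTION_PORTS = {16994, 16995}   # SOL / IDE-R redirection
AMT_WEB_PORTS = {16992, 16993}           # HTTP / HTTPS management interface

# Constructed sample telemetry, not real captures.
SAMPLE_FLOWS = """
# ts,src,dst,dport,proto
2017-06-08T10:00:01,10.0.0.5,10.0.0.21,16994,tcp
2017-06-08T10:00:05,10.0.0.21,10.0.0.5,16994,tcp
2017-06-08T10:01:00,10.0.0.200,10.0.0.33,16993,tcp
2017-06-08T10:02:00,10.0.0.7,10.0.0.8,443,tcp
2017-06-08T10:03:00,10.0.0.9,10.0.0.10,16994,udp
"""

# Hypothetical management console allowed to reach AMT on workstations.
MANAGEMENT_HOSTS: Set[str] = {"10.0.0.200"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse CSV-style flow lines, skipping blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def detect_amt_sol(flows: Iterable[Flow], management_hosts: Set[str]) -> List[Alert]:
    """Alert on AMT traffic whose source is not an approved management host.

    AMT's services are TCP, so other protocols are ignored. Connections to
    the redirection ports are the SOL signal; web-port hits from
    unexpected sources are reported too, since host-based provisioning
    would go through that interface.
    """
    alerts = []
    for f in flows:
        if f.proto != "tcp" or f.src in management_hosts:
            continue
        if f.dport in AMT_REDIRECTION_PORTS:
            reason = "AMT redirection (SOL/IDE-R) from non-management host"
        elif f.dport in AMT_WEB_PORTS:
            reason = "AMT web interface contacted from non-management host"
        else:
            continue
        alerts.append(Alert(f.ts, f.src, f.dst, f.dport, reason))
    return alerts


def sol_peer_pairs(alerts: Iterable[Alert]) -> Set[FrozenSet[str]]:
    """Return host pairs that open SOL sessions to each other in both
    directions: the peer-to-peer pattern of infected machines relaying
    messages over SOL rather than a console managing a fleet."""
    seen: Dict[str, Set[str]] = {}
    for a in alerts:
        if a.dport in AMT_REDIRECTION_PORTS:
            seen.setdefault(a.src, set()).add(a.dst)
    return {frozenset((h1, h2)) for h1, h2 in combinations(seen, 2)
            if h2 in seen[h1] and h1 in seen[h2]}


if __name__ == "__main__":
    found = detect_amt_sol(parse_flows(SAMPLE_FLOWS.splitlines()), MANAGEMENT_HOSTS)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
    for pair in sol_peer_pairs(found):
        print("bidirectional SOL peers:", sorted(pair))
```

On the constructed sample, the two workstation-to-workstation connections on 16994 are flagged and paired, the console's own use of 16993 is allowed, and the UDP record is ignored. In a real deployment the allow-list would come from the asset inventory, and the flow source would be whatever device sits outside the host, since, as the article notes, the host's own firewall never sees this traffic.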

Microsoft also offers the hypothesis that if Platinum infected a system that didn't have AMT enabled, it could use stolen admin credentials and the technology's host-based provisioning to fire up a subset of AMT (including SOL) using its own credentials.

Whether using stolen credentials and full AMT access, or the limited access offered by a host-based provisioned machine, Platinum then exploited SOL to transfer malware over the LAN.

If you can exploit AMT's serial-over-LAN channel, the operating system won't see you

Microsoft says it worked with Intel to analyse the Platinum variant, and says Windows Defender ATP can detect the activity.

Intel's AMT got unwelcome attention in May, when critical vulnerabilities in the management technology first discovered in March became public. ®
