Hackers used the Intel Serial-over-LAN CPU feature to bypass the firewall
Researchers at Microsoft have identified malware that uses Intel Serial-over-LAN (SOL), a feature of Intel Active Management Technology (AMT), as a channel for moving data. SOL traffic is handled by the management firmware rather than by the network stack of the host operating system, so it is neither seen nor blocked by host firewalls and antivirus software. This lets an attacker quietly exfiltrate data from infected hosts. / photo Andi Weiland CC
At the beginning of the year Intel had already run into serious vulnerabilities in Intel ME. That time the problem affected Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology (SBT), and allowed an unprivileged network attacker to gain remote access to the platform's management features. That vulnerability, designated CVE-2017-5689, Intel's developers have patched.
Now there is a new situation, this time involving the design of Intel Serial-over-LAN itself. AMT SOL is part of the Intel Management Engine (ME), a separate microcontroller that sits in the chipset (the Platform Controller Hub) alongside the CPU and runs its own operating system. The technology was introduced to simplify the work of system administrators in large companies managing networks with a large number of workstations: SOL exposes a serial console of the managed machine over the network, so that an administrator can reach it (for example the BIOS setup or a recovery console) without sitting at the keyboard.
Because the AMT SOL interface lives inside Intel ME, it is isolated from the main operating system, which is exactly the environment where firewalls and antivirus software run. Moreover, AMT SOL works even when the host operating system is not running: the machine may be powered down, as long as it is connected to mains power and to the network. The channel carries data over TCP through the ME's own network stack, which opens up certain opportunities for attackers. The host OS never sees those packets; on the host side the channel surfaces, if at all, only as a virtual serial (COM) port, not as network traffic.
AMT SOL components (Source)
AMT SOL is disabled by default: AMT has to be provisioned and SOL enabled by a system administrator, which limits the exposure. In large companies, however, SOL is often enabled and used for its intended purpose. Building on this design feature, a group of attackers wrote malicious code that let them steal data through SOL.
According to Microsoft, behind the malware that uses SOL to steal data is the Platinum group, which has been active in South and Southeast Asia for several years. The group was first spotted in 2009 and has carried out many attacks since. Last year it was reported that Platinum had been installing malware using hotpatching, a Windows mechanism that allows Microsoft to apply updates to running code without restarting the computer.
The SOL channel in the Platinum tool is driven through the Intel Redirection Library API (imrsdk.dll). Data is moved with the calls IMR_SOLSendText() and IMR_SOLReceiveText(), which play the role of send() and recv(). The protocol is essentially a TCP stream, with the addition of a variable-length header on the data for detecting transmission errors (a CRC-16 among other fields). A video published with the report shows the Platinum tool being used to deliver malware to a system over this channel.
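Since the host firewall cannot see SOL traffic (the point made above about the ME's own network stack), the practical place to detect it is on the wire. The Python script below is an added example written for this article; it is not Microsoft's or Platinum's code and not the Redirection Library. It scans constructed Zeek-style conn.log records for TCP sessions to the Intel AMT service ports and flags any session whose client is not an approved management console, and any redirection session that moved an unusually large volume of data out of the managed machine. The port numbers are Intel's standard AMT assignments; the sample log lines, the console address 10.0.1.5 and the 10 MB threshold are assumptions made for the illustration.

```python
"""Network-side detection of Intel AMT Serial-over-LAN (SOL) sessions.

SOL terminates in the Management Engine, so the host firewall and EDR never
see it. The wire (a SPAN port or tap feeding a sensor such as Zeek) is the
vantage point that remains. This script scans Zeek-style conn.log records
for TCP sessions to the Intel AMT service ports and flags the suspicious
ones. Added example for this article; not Microsoft's or Platinum's code.
"""
import ipaddress

# Intel AMT / ASF listening ports (standard assignments).
AMT_PORTS = {
    16992: "AMT HTTP (WS-Management)",
    16993: "AMT HTTPS",
    16994: "AMT redirection: SOL and IDE-R",
    16995: "AMT redirection over TLS",
    623: "ASF RMCP",
    664: "ASF RMCP secure",
}
REDIRECTION_PORTS = {16994, 16995}

# Constructed sample, not captured from a real network. Field order follows
# Zeek conn.log: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
# duration, orig_bytes, resp_bytes. The AMT firmware answers on the host's
# own IP address, so id.resp_h is the managed workstation itself.
SAMPLE_CONN_LOG = """\
1497000000.1\tC1\t10.0.5.20\t51002\t10.0.7.31\t443\ttcp\t1.2\t900\t4000
1497000010.4\tC2\t10.0.1.5\t40010\t10.0.7.31\t16992\ttcp\t2.0\t1200\t3100
1497000020.0\tC3\t10.0.1.5\t40012\t10.0.7.31\t16994\ttcp\t300.0\t20000\t15000
1497000030.9\tC4\t10.0.9.77\t39870\t10.0.7.31\t16994\ttcp\t5400.0\t2048\t73400000
1497000040.2\tC5\t10.0.9.77\t39871\t10.0.7.44\t16995\ttcp\t120.0\t1500\t900000
1497000050.7\tC6\t10.0.5.20\t51003\t10.0.7.31\t16992\ttcp\t0.5\t300\t200
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts (comment lines skipped)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append({
            "ts": float(f[0]), "uid": f[1],
            "orig_h": f[2], "orig_p": int(f[3]),
            "resp_h": f[4], "resp_p": int(f[5]),
            "proto": f[6], "duration": float(f[7]),
            "orig_bytes": int(f[8]), "resp_bytes": int(f[9]),
        })
    return records


def find_amt_sessions(records, console_hosts, exfil_threshold=10_000_000):
    """Return findings for AMT sessions that break policy.

    console_hosts: addresses allowed to talk to AMT (the management console).
    exfil_threshold: bytes sent by the managed host (resp_bytes) above which
    a redirection session is treated as bulk data leaving the machine. Data
    exfiltrated over SOL flows from the responder (the managed host's ME) to
    the originator (whoever opened the session), so resp_bytes is the field
    that matters.
    """
    consoles = {ipaddress.ip_address(h) for h in console_hosts}
    findings = []
    for r in records:
        if r["proto"] != "tcp" or r["resp_p"] not in AMT_PORTS:
            continue
        reasons = []
        if ipaddress.ip_address(r["orig_h"]) not in consoles:
            reasons.append("AMT client %s is not an approved console" % r["orig_h"])
        if r["resp_p"] in REDIRECTION_PORTS and r["resp_bytes"] >= exfil_threshold:
            reasons.append("redirection session moved %d bytes out of %s"
                           % (r["resp_bytes"], r["resp_h"]))
        if reasons:
            findings.append({
                "uid": r["uid"], "client": r["orig_h"], "target": r["resp_h"],
                "service": AMT_PORTS[r["resp_p"]], "duration": r["duration"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_amt_sessions(parse_conn_log(SAMPLE_CONN_LOG), ["10.0.1.5"]):
        print("%s %s -> %s [%s, %.0fs]" % (hit["uid"], hit["client"],
              hit["target"], hit["service"], hit["duration"]))
        for why in hit["reasons"]:
            print("    " + why)
```

On the sample data the script flags C4 (an unapproved client pulling about 73 MB out of 10.0.7.31 over the SOL redirection port), C5 and C6 (unapproved clients), while the console's own sessions C2 and C3 pass. Two caveats a practitioner should keep in mind: the sensor has to sit where it sees the managed hosts' own traffic, because the AMT firmware uses the host's NIC and IP address, and an allowlist by source address is only as good as the network segmentation around the management console, so it pairs best with blocking the AMT ports at every boundary where no console lives.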
It is worth noting that the possibility of such an attack had been discussed before, but this is the first time Intel AMT SOL has been observed being used in the wild to move data out of a network.
“This is a typical example of how technology designed to simplify the lives of users or system administrators turns into a virtual vulnerability,” said Ksenia Shilak, Sales Director at SEC-Consult. “And this is, in fact, bad news: if some vulnerability were being used, it could be fixed. In this case, however, it is architectural features that are being used.”
PS Other related materials from our blog:
- World-wide cyberattack: how to avoid becoming a victim and defend against WannaCry ransomware
- Creation of certified and secure infrastructures based on VMware solutions
- vCloud Availability: Deep Immersion in Traffic Replication
- vCloud Director: how to create a secure connection between two organizations
- Top 12 Cloud Security Threats by the Cloud Security Alliance