Jump to content
  • Conti ransomware targeted Intel firmware for stealthy attacks


    Karlston

    • 1 comment
    • 629 views
    • 3 minutes
     Share


    • 1 comment
    • 629 views
    • 3 minutes

    Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks.

     

    According to messages exchanged between members of the cybercrime syndicate, Conti developers had created proof-of-concept (PoC) code that leveraged Intel’s Management Engine (ME) to overwrite flash and gain SMM (System Management Mode) execution.

     

    The ME is an embedded microcontroller within Intel chipsets running a micro-OS to provide out-of-band services. Conti was fuzzing that component to find undocumented functions and commands they could leverage.

     

    From there, Conti could access the flash memory that hosted UEFI/BIOS firmware, bypass write protections, and perform arbitrary code execution on the compromised system.

     

    The final goal would be to drop an SMM implant that would run with the highest possible system privileges (ring-0) while practically undetectable from OS-level security tools.

     

    message.png

     

    Excerpt from the leaked chats (translated) (Eclypsium)

     

    It is important to note that contrary to TrickBot’s module that targeted UEFI firmware flaws, aiding Conti infections and later undertaken by the ransomware group, the new findings indicate that the malicious engineers were striving to discover new, unknown vulnerabilities in the ME.

    Firmware attacks in ransomware

    For a firmware attack to be possible, the ransomware actors would first need to access the system via a common pathway such as phishing, exploiting a vulnerability, or performing a supply chain attack.

     

    After compromising the ME, the attackers would have to follow an attack plan based on what “out-of-write protection” regions they are allowed to access, depending on the ME implementation and various restrictions/protections.

     

    Eclypsium says these could be either access to overwrite the SPI Descriptor and move the UEFI/BIOS outside the protected area or direct access to the BIOS region.

     

    diagram(6).png

    Using ME to access non-protected BIOS regions (Eclypsium)

     

    There’s also the scenario of the ME not having access to either, in which case the threat actors could leverage Intel's Management Engine to force a boot from virtual media and unlock PCH protections that underpin the SPI controller.

     

    Conti could use this attack flow to brick systems permanently, gain ultimate persistence, evade anti-virus and EDR detections, and bypass all security controls at the OS layer.

    Conti gone, but code still alive

    While the Conti operation appears to have shut down, many of its members have moved to other ransomware operations where they continue to conduct attacks.

     

    This also means that all the work done to develop exploits like the one spotted by Eclypsium in the leaked chats will continue to exist.

     

    As the researchers explain, Conti had a working PoC for these attacks since last summer, so it’s likely that they already had the chance to employ it in actual attacks.

     

    The RaaS might return in a rebranded form, the core members might join other ransomware operations, and overall, the exploits will continue to be used.

     

    To protect from the threats, apply the available firmware updates for your hardware, monitor ME for configuration changes, and verify the integrity of the SPI flash regularly.

     

     

    Conti ransomware targeted Intel firmware for stealthy attacks

    • Like 2

    User Feedback

    Recommended Comments



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...