
A Malware is using inbuilt Intel’s CPU feature to steal data


tao


Intel AMT SOL exposes hidden networking interface


This is because Intel AMT SOL is an element of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, that runs its own software package.

 

Intel ME runs even once the main processor is powered off, and whereas this feature appears pretty shady, Intel designed ME to supply remote administration capabilities to corporations that manage giant networks of thousands of computers.

 

In the ME component stack, AMT provides a foreign management feature for Intel vPro processors and chipsets. The AMT SOL may be a Serial-over-LAN interface for the Intel AMT remote management feature that exposes a virtual serial interface via TCP.

 

Because this AMT SOL interface runs within Intel ME, it has become independent from the traditional software package, wherever firewalls and security products are provisioned to figure.

 

Furthermore, because it runs within Intel ME, the AMT SOL interface can stay up and useful although the computer is turned off, however, the PC remains physically connected to the network, permitting the Intel ME engine to send or receive knowledge via TCP.

 

Cyber-espionage teams, in general, are primarily fascinated by remaining hidden, thus AMT SOL’s firewall bypassing impact was the main reason the group determined to implement it.

 

Fortunately, Microsoft says it had been ready to establish clues within the malware’s operation that might enable its Windows Defender ATP security product to notice it before it accesses and initiates the AMT SOL interface. This provides corporations with a warning that they could be infected with the group’s malware.

 

When contacted by Microsoft, Intel said the PLATINUM cluster wasn’t exploiting any vulnerability within the Intel AMT SOL interface, however, this was another classic case of dangerous guys employing a technology developed for legitimate functions to try and do dangerous things.

 

The good news is that Intel AMT SOL comes disabled by default on all Intel CPUs, which means the computer owner or the native systems administrator should change this feature by hand.

 

straycat19

The grammar in this article is atrocious, certainly not written by an English-speaking person. Here is a much better and clearer article describing exactly what is happening.

 

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.

Intel AMT SOL exposes hidden networking interface

This is because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.

Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.

In the ME component stack, AMT provides a remote management feature for Intel vPro processors and chipsets. The AMT SOL is a Serial-over-LAN interface for the Intel AMT remote management feature that exposes a virtual serial interface via TCP.

Because this AMT SOL interface runs inside Intel ME, it is separate from the normal operating system, where firewalls and security products are provisioned to work.

Furthermore, because it runs inside Intel ME, the AMT SOL interface will remain up and functional even if the PC is turned off, but the computer is still physically connected to the network, allowing the Intel ME engine to send or receive data via TCP.

Intel AMT SOL technology

Cyber-espionage group uses Intel AMT SOL for their malware

The good news is that Intel AMT SOL comes disabled by default on all Intel CPUs, meaning the PC owner or the local systems administrator has to enable this feature by hand.

The bad news is that Microsoft discovered malware created by a cyber-espionage group that abuses the Intel AMT SOL interface to steal data from infected computers.

Microsoft can't say if these state-sponsored hackers found a secret way to enable this feature on infected hosts, or they just found it active and decided to use it.

The feature has been spotted with malware deployed against organizations and government agencies in South and Southeast Asia. The group that deployed this malware is only known under a codename given to it by Microsoft researchers — PLATINUM.

Microsoft says it first spotted this group in 2009 and the group has historically targeted that region of the globe since its appearance.

PLATINUM is known for sophisticated hacks

PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year, in a previous Microsoft report, the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Security researchers have talked about how crooks could use hotpatching to install malware in the past [1, 2], so Microsoft wasn't extremely surprised that somebody finally used it in live attacks. On the other hand, using Intel AMT SOL is something that has never been seen before, and PLATINUM's malware is the first to use it.

This only strengthens Microsoft's theory that this group is made up of highly-trained and well-funded individuals, usually assembled as part of nation-state cyber-intelligence units.

Intel AMT SOL used because of its stealth features

Cyber-espionage groups, in general, are primarily interested in remaining hidden, so AMT SOL's firewall bypassing effect was the main reason the group decided to implement it.

Fortunately, Microsoft says it was able to identify clues in the malware's operation that would allow its Windows Defender ATP security product to detect it before it accesses and initiates the AMT SOL interface. This provides companies with a warning that they might have been infected with the group's malware.

When contacted by Microsoft, Intel said the PLATINUM group wasn't using any vulnerability in the Intel AMT SOL interface, but this was another classic case of bad guys using a technology developed for legitimate purposes to do bad things.

Details about PLATINUM's targets and attacks are available in a report Microsoft released yesterday.

 

Source

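The article above makes the point that AMT SOL is a TCP listener served by the ME rather than by the host operating system, so host-based firewalls never see it and the only place to notice it is on the network. The following is an added example for this thread, not code from the article, from Microsoft, Intel or the Disable-Intel-AMT tool linked later: a small inventory script an administrator can run against the hosts they manage to find machines on which an AMT listener is reachable, so they can be deprovisioned or updated. It assumes two things the page does not state: the well-known AMT TCP ports (16992/16993 for the web and WS-Management interface, 16994/16995 for the redirection service that carries SOL, 623/664 for RMCP) and the `Server: Intel(R) Active Management Technology <version>` header that the AMT embedded web server returns. The sample HTTP response and the host list are constructed.

```python
"""Fleet inventory check for reachable Intel AMT listeners.

Added example, not from the article or any vendor.  Assumptions (not on the
page): the well-known AMT listener ports below and the AMT web server's
"Server: Intel(R) Active Management Technology <version>" header.
Run only against hosts in your own inventory.
"""
import re
import socket
import sys
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Assumed well-known Intel AMT listener ports (served by the ME, not the OS stack).
AMT_PORTS: Dict[int, str] = {
    16992: "AMT web UI / WS-Management (HTTP)",
    16993: "AMT web UI / WS-Management (TLS)",
    16994: "AMT redirection: Serial-over-LAN, IDE-R",
    16995: "AMT redirection (TLS)",
    623: "RMCP / ASF",
    664: "RMCP / ASF (secure)",
}

# Assumed banner format of the AMT embedded web server.
_SERVER_RE = re.compile(
    rb"^Server:[ \t]*(Intel\(R\) Active Management Technology[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample of a response on port 16992 (values are made up).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 09 Jun 2017 12:00:00 GMT\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Content-Type: text/html\r\n\r\n<html>...</html>"
)


def parse_amt_banner(response: bytes) -> Optional[str]:
    """Return the AMT Server header value, or None if this is not an AMT web server."""
    m = _SERVER_RE.search(response)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def classify(open_ports: Iterable[int], banner: Optional[str]) -> str:
    """Turn probe results into a remediation verdict for the host owner."""
    ports = set(open_ports)
    if banner or ports & {16992, 16993}:
        return ("AMT web interface reachable: deprovision or disable AMT and "
                "apply the INTEL-SA-00075 firmware update")
    if ports & {16994, 16995}:
        return "AMT redirection (SOL/IDE-R) listener reachable: deprovision or disable AMT"
    if ports & {623, 664}:
        return "RMCP listener reachable: verify AMT/ASF provisioning state"
    return "no AMT listener reachable"


@dataclass
class HostResult:
    host: str
    open_ports: List[int] = field(default_factory=list)
    banner: Optional[str] = None
    verdict: str = ""


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check; any socket error counts as closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_banner(host: str, port: int = 16992, timeout: float = 2.0) -> bytes:
    """Issue a plain GET / and return the raw response (empty bytes on error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii", "ignore") + b"\r\n\r\n")
            chunks, total = [], 0
            while total < 65536:          # cap what we read from an unknown listener
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:
        return b""


def check_host(host: str) -> HostResult:
    """Probe one inventory host on every AMT port and attach a verdict."""
    r = HostResult(host=host)
    r.open_ports = [p for p in AMT_PORTS if port_open(host, p)]
    if 16992 in r.open_ports:
        r.banner = parse_amt_banner(fetch_banner(host, 16992))
    r.verdict = classify(r.open_ports, r.banner)
    return r


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python amt_inventory.py 10.0.0.5 10.0.0.6 (hosts you own)
        for h in sys.argv[1:]:
            res = check_host(h)
            print(f"{res.host}: ports={res.open_ports} banner={res.banner!r} -> {res.verdict}")
    else:                   # offline demo on the constructed sample response
        b = parse_amt_banner(SAMPLE_RESPONSE)
        print(b, "->", classify([16992], b))
```

Hosts that come back with a verdict other than "no AMT listener reachable" are the ones to reconcile against the provisioning records: if nobody enabled AMT on purpose, the feature should be unprovisioned or disabled and the firmware brought up to the INTEL-SA-00075 level before the machine goes back on the network.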

This is not nearly as bad as what happened last month with AMT.

http://thehackernews.com/2017/05/intel-server-chipsets.html

Anybody with half a brain would disable AMT and be done with it.

https://github.com/bartblaze/Disable-Intel-AMT

 


6 minutes ago, 0bin said:

Those ones without the vPro are safe?

It runs on some non-vPro systems as well.

Quote

 

If you see any of these stickers or badges on your laptop, notebook or desktop, you are likely affected by this:

Additionally, Intel AMT does run on non-vPro based processors in some cases with reduced functionality, called Standard Manageability. The tool presented here does not differentiate between processor types. This means it can also disable AMT on your machine, regardless of processor.

 

 


16 minutes ago, 0bin said:

It's good, I will execute it on all my systems; if it does not find what it has to disable, it tells you in the log. I will try this on all my other systems. ;)

In the case of a laptop with Linux like Manjaro, steven36, does this vulnerability work too?

 

 

All CPUs have back doors that were built after 2013.

Quote

Unfortunately, the latest generation of AMD hardware (post-2013) has its own version of Intel ME called the AMD PSP (Platform Security Processor) which isn't any better:

 

 

All your computers are belong to us: the dystopian future of security is now

https://www.turnkeylinux.org/blog/all-your-computers-are-belong-to-us

Intel just had back doors longer than AMD, but they are now on the backdoor bandwagon too. My processor in this PC is from 2012, before AMD added back doors, but I also have Intel PCs; that's why I looked up how to disable that.

 


5 hours ago, steven36 said:

Anybody with half a brain would disable AMT  and be done with it.

 

It is disabled by default, Intel ships the processors that way. If you didn't enable it then there is no need to worry. However, having said that, we ran checks on over 17,000 systems and not one of them had it enabled. We checked because that is what security professionals get paid to do. Always better safe than sorry.

 


2 hours ago, straycat19 said:

 

It is disabled by default, Intel ships the processors that way.  If you didn't enable it then there is no need to worry. 

 

 

 

After I read up on it more, it says home users don't have to worry.

Quote

Consumer PCs with consumer firmware are not impacted by this vulnerability. If you are uncertain as to whether your system is vulnerable, or just want to be sure, please see our detection guide for tools and instructions, or contact Intel Customer Service.

 

 

Businesses are the ones who need to worry.

Quote

Intel® AMT and Intel® ISM are remote management tools typically used by system administrators at large organizations to manage large numbers of computers. Intel® SBT is a similar technology typically used by small and medium sized businesses with fewer devices to manage. All of these systems incorporate Intel manageability firmware.

 

 

2 hours ago, straycat19 said:

We checked because that is what security professionals get paid to do.  Always better safe than sorry.

 

You should have done firmware updates by now as well? The Disable AMT tool came out before they released updates, or either your PCs are so old they don't get any updates and you would have to use the tool.

 

Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

About the Intel manageability firmware critical vulnerability

https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

I have not even had my Intel PC on in many months. I'm lazy when it comes to switching PCs, and because I can only use one at a time and I already have 3 OSes on this one PC (Windows 8.1, Ubuntu Budgie 17.04 and Linux Mint 18.2) :)

 

Whenever I turn my Intel PC on I always check Dell to see if I have any updates for anything that I have installed, which is just firmware and their WiFi updates. I clean installed it and got rid of all the bloatware. My Windows 7 PC I've not used much at all in years; it's also an Intel.


Quote

 

theossuary 1 day ago

 

Extensions like AMT do need to be manually enabled, but ME itself is always running a big old pile of encrypted code that we'll never get to look at, and yes there's a better than even chance there are exploits in that code only nation states could find (hopefully anyway).

 

 

Quote

 

Eddie Barcellos says:

All AMD CPUs after FX have PSP, which is pretty much the same thing as Intel ME. It also can’t be removed/disabled.

 

 

 
 
Quote

 

HappyTypist 1 day ago


Yes, AMD chips have almost exactly the same features as Intel ME.

The cynic in me thinks that some execs got FISA orders.

 

 

All hardware post-2013 after AMD FX has potential backdoors by state hackers. Intel post-2005 has potential backdoors and they are being exposed, but this is just malware being found in the AMT used by black hats. State hackers most likely have much better backdoors now. The NSA most likely used AMT back in 2006 when Intel ME was new. :)

 

Petition for AMD to open-source the PSP (backdoor) in their chips. AMD are considering it.

https://www.change.org/p/advanced-micro-devices-amd-release-the-source-code-for-the-secure-processor-psp

 

The Internet itself belonged to the US government up until Clinton signed the bills to let some in the UK build the WWW and make it public domain. It was never built with privacy in mind, and if AMD don't open-source PSP it just shows they're no different than Intel and are in bed with the government. It wouldn't shock me if they didn't work with the Government already and that's the reason these backdoors exist.

 

This malware is being spread through serial ports that were invented and were on PCs before Intel ME even existed, and now hackers figure out a way to use it through Intel ME; something really stinks about it. The only reason these serial ports are even needed is so people can use 15-year-old devices with it; all of this was replaced by USB now. :P
