There have been plenty of examples of hackers coming up with new ways to either swindle victims out of their money and data, or simply infect their systems with some nasty malware by simply hovering on links. What is perhaps less common is the use of a piece of software to get to the same devious results, not through an exploit, but rather the actual way the program was intended to function.
According to Microsoft, a group by the name of PLATINUM has made use of Intel's Active Management Technology (AMT) - available on Intel's vPro processors and chipsets - to simply bypass the Windows Firewall entirely. Essentially, the group has a file transfer tool, which at its core uses the Serial-over-LAN (SOL) channel from within AMT for communication purposes. Since this channel is independent of the operating system, it allows for any communication through it to be " invisible to firewall and network monitoring applications running on the host device."
What needs to be said is that SOL, which "exposes a virtual serial device with a chipset-provided channel over TCP" is not enabled by default, and requires administrative privileges to actually run on the target workstations. Since the provisioning of such a channel is bound by the use of user credentials - username and password - the Redmond giant speculates that PLATINUM "might have obtained compromised credentials from victim networks".
The reason why AMT needs such low-level access has a lot to do with its actual function. The technology allows someone to remotely install operating systems on machines that don't have any, allows for the power cycling of devices, and thus provides a so-called "IP-based KVM solution" - where KVM is for keyboard, video and mouse - to accomplish the aforementioned tasks.
Regarding PLATINUM's actual use of the technology, Microsoft said:
We confirmed that the tool did not expose vulnerabilities in the management technology itself, but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications.
Regarding the more technical side of the hacker group's implementation, Microsoft goes on to say that:
The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK’s Redirection Library API (imrsdk.dll). Data transactions are performed by the calls IMR_SOLSendText()/IMR_SOLReceiveText(), which are analogous to networking send() and recv() calls. The SOL protocol used is identical to the TCP protocol other than the addition of a variable-length header on the data for error detection. Also, the updated client sends an unencrypted packet with the content “007″ before authentication.
The software giant has even provided a demo video showcasing how this is used:
There is some good news in all of this though, as computers making use of the Windows Defender ATP (Advanced Threat Protection) service - running Windows 10 version 1607 or later and Configuration Manager 1610 or later - can rest assured. The service is able to not only detect a "targeted attack activity" similar to PLATINUM's, but it can also "differentiate between legitimate usage of AMT SOL and targeted attacks attempting to use it as a communication channel."
Microsoft says that to its knowledge, this is the first malware sample to "misuse chipset features" in such a way, reiterating that PLATINUM's tool does not expose flaws within AMT, rather that it evades security monitoring tools by using the technology within an already compromised network.
Source: Microsoft via Ars Techinca
22 Comments - Add comment