Conti spotted working on exploits for Intel Management Engine flaws

The notorious Conti ransomware gang has working proof-of-concept code to exploit low-level Intel firmware vulnerabilities, according to Eclypsium researchers.

Recently leaked Conti documents show the criminals developed the software more than nine months ago, and this is important because exploiting these kinds of weaknesses expands the extent and depth of an intrusion, the firmware security shop’s analysis noted.

Specifically, we’re told, Conti came up with code that targeted the Intel Management Engine (ME), a tiny hidden computer – with its own CPU, OS and software – within a processor chipset that runs independently from the main cores and provides various features including out-of-band management. The ME has total control over the box, so if you manage to compromise the ME, you’ll be able to persistently infect and affect the machine below the operating system and its defenses.

The leaks show that the gang was fuzzing the ME to find undocumented commands and vulnerabilities. As a side note: although Conti engineers were looking for new ME vulns, the Eclypsium researchers have published a list of known ME flaws (plus related Intel advisories and CVEs) that enable remote code execution or privilege escalation. So it would be wise to take a quick break from reading this and make those fixes now if you haven’t already.

A typical attack on the ME would work like this: either you get code execution on a victim’s machine via something like an email attachment that contains malware and exploit a vulnerable software interface with the engine; or you pull off some kind of remote-code execution exploit against the ME. It’s most likely a miscreant aiming for the ME will want to use it to turn an ordinary infection or compromise into a long-lasting, hard-to-detect one by drilling down into the ME after gaining code execution on a machine.

Once running at the ME level, an attacker can potentially tamper with the UEFI/BIOS firmware and/or run code in System Management Mode (SMM). SMM is a highly privileged environment, even more so than the ring-0 operating-system kernel. The OS can’t examine the SMM nor prevent it from executing code, so if an intruder manages to make it into that, they can spy on and alter the box as they want.

This type of firmware attack could lead to all kinds of damage, from bricking the system to wiping high-value files. It would also allow Conti, for instance, to maintain persistence on a system to access and steal sensitive data and deploy ransomware or other payloads at a later date. And because the crooks’ access sits below the OS, security tools such as antivirus or EDR don’t provide much protection.

While Eclypsium today noted that “no new or unmitigated vulnerabilities have been identified, and that Intel chipsets are no more or less vulnerable than any other code,” the problem remains that many organizations don’t update their chipset firmware as frequently as they do other software or UEFI/BIOS system firmware. 

“This can leave some of the most powerful and privileged code on a device susceptible to attack,” the researchers warned. Plus, because the PoC is nearly a year old at this point, “we expect that these techniques will be used in the wild in the near future if they haven’t already.” ®