Devious attackers exploit Intel management tools to elude Windows firewall

According to a report by Bleepingcomputer.com, Microsoft's threat detection team has exposed a group of sophisticated attackers, called PLATINUM, that abuses Intel's Active Management Technology (AMT) to circumvent Windows firewall detection.

AMT is a powerful technology built into Intel's network processors and chipsets to help users carry out remote management tasks. AMT has a useful feature called Serial-over-LAN (SOL) that exposes a virtual serial port, enabling communication with an authorized management console. Intel AMT SOL runs in the Intel Management Engine (ME), a separate operating system executed on an embedded processor found within Intel CPUs. Since this embedded processor is distinct from the principal Intel processor, it can function even when the main processor is switched off, allowing it to offer out-of-band (OOB) remote management capabilities. Moreover, because Windows firewalls and other security tools are built to operate within the primary operating system, they cannot detect AMT SOL sending or receiving unauthenticated data.

Although this feature seems risky, Intel developed ME so that organizations with extensive networks of hundreds of computers could manage them remotely with ease. PLATINUM misused this feature by creating malware that hijacks AMT SOL's normal method of exchanging data with the management console.

The AMT SOL communication capability is not activated by default, and it requires administrator privileges before it can be enabled for use. Therefore, PLATINUM must have devised a means of gaining administrative privileges on compromised devices before misusing the feature. Rather than traversing the primary networking stack, where security tools could expose this communication, illicit SOL traffic is made invisible by directing it to the AMT chipset and its virtual serial port. As such, the malware can send files across a network while evading blocking or detection.
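To check whether a Windows host actually exposes the components described above, here is an added inventory script (not from the article or from Microsoft's report). It assumes the usual Intel driver display names ("Intel(R) Management Engine Interface" and "Intel(R) Active Management Technology - SOL (COMn)"); adjust the name patterns if your drivers differ.

```powershell
# Added example (not from the article): inventory Intel ME/AMT components on a
# Windows host so defenders know whether an SOL virtual serial port exists that
# host-based firewalls cannot see traffic through.
# Assumption: device names follow Intel's usual patterns; edit the -like filters
# below if yours differ.

function Get-AmtSolExposure {
    [CmdletBinding()]
    param()

    $pnp = Get-CimInstance -ClassName Win32_PnPEntity -ErrorAction SilentlyContinue

    # Management Engine Interface driver: the channel the host OS uses to talk to the ME.
    $mei = $pnp | Where-Object { $_.Name -like '*Management Engine Interface*' } |
        Select-Object -First 1

    # SOL virtual serial port: the device the article describes. Its presence means
    # the ME exposes a COM port whose traffic never crosses the Windows network stack.
    $sol = $pnp | Where-Object { $_.Name -like '*Active Management Technology*SOL*' } |
        Select-Object -First 1

    $solPort = $null
    if ($sol -and $sol.Name -match '\((COM\d+)\)') {
        # Name usually ends with "(COMn)"; keep the port name for later handle audits.
        $solPort = $Matches[1]
    }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        MeiDriverFound = [bool]$mei
        SolPortFound   = [bool]$sol
        SolPortName    = $solPort
        # Status 'OK' means the device is enabled and present, not that a session is active.
        SolPortStatus  = if ($sol) { $sol.Status } else { $null }
    }
}

$result = Get-AmtSolExposure
$result | Format-List

if ($result.SolPortFound) {
    Write-Warning ("AMT SOL virtual serial port ({0}) is present; confirm AMT provisioning " +
                   "is intended and audit which accounts and processes can open it.") -f $result.SolPortName
}
```

Run it from an elevated PowerShell session; a host that reports SolPortFound as false has no SOL virtual serial port for this channel to use.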

Until this attack, Microsoft had not uncovered any malware capable of abusing AMT SOL tools to silently implant dangerous code into computer systems.
