Slashdot Mirror


Malware Uses Obscure Intel CPU Feature To Steal Data and Avoid Firewalls (bleepingcomputer.com)

An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detect malware using AMT SOL to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.
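Since the ME handles SOL traffic below the host OS, the place to look for it is network telemetry (switch flow export, a tap) rather than the endpoint. The following is an added example, not code from the article or from Microsoft's report: it scans constructed flow records for connections to the default Intel AMT TCP ports and flags large volumes, assuming AMT is not legitimately used on the monitored segment.

```python
import re
from collections import defaultdict

# Default TCP ports of Intel AMT: the management web/WS-Man interface and
# the redirection service that carries SOL/IDE-R sessions. Assumption: no
# legitimate AMT provisioning on this network, so any such flow is suspect.
AMT_PORTS = {16992: "AMT-HTTP", 16993: "AMT-HTTPS",
             16994: "AMT-redirection/SOL", 16995: "AMT-redirection/SOL-TLS"}

# Constructed flow records, one per line: "src_ip,dst_ip,dst_port,bytes".
# These are made-up sample values, not real telemetry.
SAMPLE_FLOWS = """\
10.1.2.15,10.1.2.1,443,5120
10.1.2.15,203.0.113.9,16994,1843200
10.1.2.22,10.1.2.15,16992,2048
10.1.2.15,203.0.113.9,16994,2621440
10.1.2.31,198.51.100.4,80,700
"""

FLOW_RE = re.compile(r"^(\S+),(\S+),(\d+),(\d+)$")

def parse_flows(text):
    """Parse the CSV-like flow lines into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, dst, dport, nbytes = m.groups()
            flows.append((src, dst, int(dport), int(nbytes)))
    return flows

def find_amt_flows(flows, min_exfil_bytes=1_000_000):
    """Sum traffic per (src, dst, AMT port); flag totals above a byte threshold.

    Direction is deliberately ignored: whichever side is the AMT endpoint,
    a host talking to an AMT port at all is the anomaly worth triaging.
    """
    totals = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if dport in AMT_PORTS:
            totals[(src, dst, dport)] += nbytes
    findings = []
    for (src, dst, dport), total in sorted(totals.items()):
        findings.append({"src": src, "dst": dst, "port": dport,
                         "service": AMT_PORTS[dport], "bytes": total,
                         "suspect_exfil": total >= min_exfil_bytes})
    return findings
```

The host's own netstat and firewall logs will not show these sessions, which is exactly why the flows must come from network-side telemetry.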

5 of 128 comments

  1. One more time, my friends! by H3lldr0p · · Score: 5, Insightful

    This is exactly what was said was going to happen when it came to light that Intel was sticking extra shit to motherboards no one was asking for. And at the time, Intel said no one would be capable of getting to it. Guess what?

    So tired of this crap.

    1. Re:One more time, my friends! by Train0987 · · Score: 5, Insightful

      You're assuming AMT doesn't exist as a back door mechanism for state actors in the first place.

    2. Re:One more time, my friends! by vtcodger · · Score: 4, Insightful

      "This has nothing to do with any of the complaints over IME since this functionality is completely within the user's control."

      As I read it, ME is sort of like the Hotel California. You can turn it off any time you wish. But it's still there and running. (Where is it getting its power from?)

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  2. Good selection by erapert · · Score: 5, Insightful

    Workstation class machines are the ones that usually have the ME installed and enabled and these machines are also the most likely to have juicy information on them compared to Sally-Sue's Facebook machine.

    Also, Stallman was right all along.

  3. Re:AMD for the win! AMD for the max pci-e in each by erapert · · Score: 4, Insightful

    AMD has one too. They call theirs the "platform security processor".