Malware Uses Obscure Intel CPU Feature To Steal Data and Avoid Firewalls (bleepingcomputer.com)
An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.
Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detect malware using AMT SOL to exfiltrate data.
The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.
Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.
Also, Stallman was right all along.
About what? About a feature which is controllable in the BIOS that offers power users a choice of network administration being a possible attack?
Oh, you didn't realise this was something you could disable and that it has nothing to do with any hidden code, did you?
Also, Stallman was right all along.
He usually is: Intel's chips contain a security hazard
As I recall, Intel came out with a rebuttal that went something like: "It's perfectly secure and a standard computer management feature, you bunch of dunces." I hope they like that crow they're eating.
When can we expect a recall from Intel?
Seven puppies were harmed during the making of this post.
Is it correct that the AMT is fully dependent on the onboard Ethernet, WiFi and 3G chips for communication?
If so, would simply not using those chips be a suitable workaround? If so, I foresee a strong market for PCIe ethernet cards, particularly ones that don't depend on Intel drivers.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Why is the ME present on every machine, no matter how small? Why is it in every laptop, desktop, tower, workstation, and server? Why all that ubiquity, if the only people who could ever make use of it are enterprise guys who pay for support and have a conformant BIOS and MOBO and turn it on? WHY IS IT EVERYWHERE????
You really want to know why?
Efficiency of development.
AMT and its components are where all the vulns have been found (so far).
ME is a kernel that these other applications run on.
Among other applications that run on the ME kernel (and that were formerly separate firmware processes on separate chips [thus higher hardware and maintenance costs]):
PMC (power management controller, the ability to suspend and hibernate)
PECI (CPU thermal management, keep you from smoking your i7 when the FAN dies)
PMX (reset controller)
PowerGate (lower power consumption on NOPs)
QST (Fan controller, so your fans aren't always at max RPM)
SmBus (DIMM timings and battery monitoring, along with other system health info)
I'm sure there's more, but I simply no longer remember everything stuffed in the CSME.
Long and short of it is:
ME is the SystemD of chipsets. It's a lot easier to use common code and common hardware to do all these things than it is to maintain each one separately. I wouldn't expect it to change anytime soon either, but an easy mitigation would be removing any world-facing interface from the ME-connected systems (e.g. AMT).
If you're really worried about it get a "Min SKU" part. These only have what's needed for the machine to actually boot and run safely, none of the "value added" stuff, and if you're extra paranoid never use the on-board LAN (port 16992 BTW if you want to talk to AMT).
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
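Because AMT SOL traffic is handled by the ME's own network stack below the host OS (the story's point) and AMT listens on its own well-known ports (the commenter's 16992), the only place a defender can watch for it is the network. The following is an added example, not code from the article, Microsoft's report, or any commenter: it scans constructed flow records for AMT-port sessions that did not originate from the approved management console, with the flow format, the console address 10.0.0.5 and the host addresses all assumed for the example.

```python
"""Added example: flag AMT-port sessions not coming from the management console.

Assumptions (constructed for this example): flow records are lines of the form
"src_ip,dst_ip,dst_port,bytes", and 10.0.0.5 is the only approved AMT console.
Port 16992 is from the page; 16993 (AMT over TLS) and 16994/16995 (AMT
redirection, the service that carries Serial-over-LAN) are the standard AMT ports.
"""
from collections import defaultdict

# Intel AMT listens on these TCP ports inside the ME, invisible to host firewalls.
AMT_PORTS = {16992, 16993, 16994, 16995}
# Only the management console is expected to open AMT sessions (constructed value).
APPROVED_CONSOLES = {"10.0.0.5"}

# Constructed sample flows: two legitimate console sessions, one large SOL-port
# session from an external address, one peer-to-peer AMT session, one HTTPS flow.
SAMPLE_FLOWS = """\
10.0.0.5,10.0.1.20,16992,4096
10.0.0.5,10.0.1.21,16994,120000
203.0.113.9,10.0.1.22,16994,8388608
10.0.1.30,10.0.1.23,16992,2048
10.0.1.30,10.0.1.23,443,1500
"""


def parse_flow(line):
    """Split one 'src,dst,port,bytes' record into typed fields."""
    src, dst, port, nbytes = line.strip().split(",")
    return src, dst, int(port), int(nbytes)


def suspicious_amt_flows(text):
    """Return {dst_host: total_bytes} for AMT-port flows not from an approved console.

    The host OS cannot see these sessions, so the decision is made purely on
    network metadata: destination port in the AMT range and an unexpected source.
    """
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = parse_flow(line)
        if port in AMT_PORTS and src not in APPROVED_CONSOLES:
            totals[dst] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for host, nbytes in sorted(suspicious_amt_flows(SAMPLE_FLOWS).items()):
        print(f"{host}: {nbytes} bytes over AMT ports from a non-console source")
```

A byte-volume field is kept per destination because an AMT session used as a file-transfer channel looks like redirection traffic from an unexpected peer, not like a console keepalive.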