Slashdot Mirror


Malware Uses Obscure Intel CPU Feature To Steal Data and Avoid Firewalls (bleepingcomputer.com)

An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detect malware using AMT SOL to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.


  1. One more time, my friends! by H3lldr0p · · Score: 5, Insightful

    This is exactly what was said was going to happen when it came to light that Intel was sticking extra shit to motherboards no one was asking for. And at the time, Intel said no one would be capable of getting to it. Guess what?

    So tired of this crap.

    1. Re:One more time, my friends! by Train0987 · · Score: 5, Insightful

      You're assuming AMT doesn't exist as a back door mechanism for state actors in the first place.

    2. Re:One more time, my friends! by vtcodger · · Score: 4, Insightful

      "This has nothing to do with any of the complaints over IME since this functionality is completely within the user's control."

      As I read it, ME is sort of like the Hotel California. You can turn it off any time you wish. But it's still there and running. (Where is it getting its power from?)

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    3. Re:One more time, my friends! by Z80a · · Score: 2

      It's not a feature if you can't control it.

  2. Good selection by erapert · · Score: 5, Insightful

    Workstation class machines are the ones that usually have the ME installed and enabled and these machines are also the most likely to have juicy information on them compared to sally-sue's facebook machine.

    Also, Stallman was right all along.

    1. Re:Good selection by myrdos2 · · Score: 3, Interesting

      Also, Stallman was right all along.

      He usually is: Intel's chips contain a security hazard

      As I recall, Intel came out with a rebuttal that went something like: "It's perfectly secure and a standard computer management feature, you bunch of dunces." I hope they like that crow they're eating.

    2. Re:Good selection by cfalcon · · Score: 4, Informative

      > You can turn the feature off

      You can't, though. In fact, if you actually remove the ME code, the Intel chip enters a halt state after 30 minutes. AMD is worse: the cores are held in reset until released by the PSP.

      Your pedantry relies on the fact that you can disable the particular feature that a vulnerability was discovered in. But that doesn't solve the problem, because there's still all that spooky code running in an unauditable way. This is at least the THIRD ME vuln in the last year or so.

      > Everybody who knew said all along that if you add enterprise-level management software, it becomes an attack vector

      Why is the ME present on every machine, no matter how small? Why is it in every laptop, desktop, tower, workstation, and server? Why all that ubiquity, if the only people who could ever make use of it are enterprise guys who pay for support and have a conformant BIOS and MOBO and turn it on? WHY IS IT EVERYWHERE????

    3. Re:Good selection by networkBoy · · Score: 3, Interesting

      Why is the ME present on every machine, no matter how small? Why is it in every laptop, desktop, tower, workstation, and server? Why all that ubiquity, if the only people who could ever make use of it are enterprise guys who pay for support and have a conformant BIOS and MOBO and turn it on? WHY IS IT EVERYWHERE????

      You really want to know why?
      Efficiency of development.
      AMT and its components are where all the vulns have been found (so far).

      ME is a kernel that these other applications run on.
      Among other applications that run on the ME kernel (and that were formerly separate firmware processes on separate chips [thus higher hardware and maintenance costs]):
      PMC (power management controller, the ability to suspend and hibernate)
      PECI (CPU thermal management, keep you from smoking your i7 when the FAN dies)
      PMX (reset controller)
      PowerGate (lower power consumption on NOPs)
      QST (Fan controller, so your fans aren't always at max RPM)
      SmBus (DIMM timings and battery monitoring, along with other system health info)

      I'm sure there's more, but I simply no longer remember everything stuffed in the CSME.

      Long and short of it is:
      ME is the SystemD of chipsets. It's a lot easier to use common code and a common hardware to do all these things than it is to maintain each one separately. I wouldn't expect it to change anytime soon either, but an easy mitigation would be removing any world facing interface from the ME connected systems (E.g. AMT).

      If you're really worried about it get a "Min SKU" part. These only have what's needed for the machine to actually boot and run safely, none of the "value added" stuff, and if you're extra paranoid never use the on-board LAN (port 16992 BTW if you want to talk to AMT).

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  3. AMT by sexconker · · Score: 2

    Fuck AMT (and AMD's PSP).

    They have almost zero real world benefit, and are just absurdly dangerous.

  4. Obligatory:Intel CPU Backdoor Report (May 5 2017) by Anonymous Coward · · Score: 5, Informative

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    [Quotes] Vortrag:
    "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

    "We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

    "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Useful links:
    The Intel ME subsystem can take over your machine, can't be audited
    REcon 2014 - Intel Management Engine Secrets
    Untrusting the CPU (33c3)
    Towards (reasonably) trustworthy x86 laptops
    30C3 To Protect And Infect - The militarization of the Internet
    30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

    1. Introduction, what is Intel ME

    Short version, from Intel staff:

    Re: What Intel CPUs lack Intel ME secondary processor?
    Amy_Intel Feb 8, 2016 9:27 AM

    The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked wit

  6. Wonder who that could be by virve · · Score: 4, Funny

    Interest in countries around South China Sea? It was probably East Timor.

  7. Re:AMD for the win! AMD for the max pci-e in each by erapert · · Score: 4, Insightful

    AMD has one too. They call theirs the "platform security processor".

  8. Re:And this is the problem... by rjmx · · Score: 5, Funny

    You're talking about systemd, aren't you?

  9. In any other industry by Dunbal · · Score: 4, Interesting

    When can we expect a recall from Intel?

    --
    Seven puppies were harmed during the making of this post.
  10. Only onboard devices? by Trogre · · Score: 4, Interesting

    Is it correct that the AMT is fully dependent on the onboard Ethernet, WiFi and 3G chips for communication?

    If so, would simply not using those chips be a suitable workaround? If so, I foresee a strong market for PCIe ethernet cards, particularly ones that don't depend on Intel drivers.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    1. Re: Only onboard devices? by Anonymous Coward · · Score: 4, Informative

      You would think so wouldn't you.
      On our server there are three settings on Intel ME:
      1. Enabled
      2. Disabled
      3. Permanently Disabled

      AMT port still remains open regardless of what you set it to.
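The summary's point, and the last comment's, is the same: the ME answers on the AMT ports before the host OS ever sees the packets, so a host firewall, EDR, or a BIOS "Disabled" toggle is the wrong place to look for exposure; you have to probe from another machine on the network. The following is an added example, not code from the thread, from Microsoft's report, or from Intel. It assumes the well-known AMT listener ports (16992-16995, as the networkBoy comment notes for 16992) and that AMT's web listener identifies itself with a `Server:` header containing "Active Management Technology". The fake responder at the bottom is constructed so the example runs offline; in real use you would run `scan_host()` against a LAN host from a different box.

```python
# Added example (not from the original thread, Microsoft, or Intel): probe a
# host from ANOTHER machine for Intel AMT's out-of-band listeners.  The ME
# answers on these ports before the host OS sees the packets, so host-side
# firewalls and BIOS toggles cannot be trusted; only a network probe can.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Well-known AMT listeners handled by the ME rather than by the host OS.
AMT_PORTS = {
    16992: "AMT HTTP (web UI / WS-Management)",
    16993: "AMT HTTPS",
    16994: "AMT redirection: Serial-over-LAN and IDE-R",
    16995: "AMT redirection over TLS",
}

AMT_BANNER = "Active Management Technology"  # substring of AMT's Server: header (assumption)


def build_probe(host: str) -> bytes:
    """Minimal HTTP/1.1 request; AMT replies (usually 401) with a Server: header."""
    return (f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_server_header(response: bytes) -> Optional[str]:
    """Return the value of the Server: header from a raw HTTP response, or None."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def classify(server_header: Optional[str]) -> str:
    """Label a listening port by what its banner says."""
    if server_header is None:
        return "open: no Server header"
    if AMT_BANNER.lower() in server_header.lower():
        return "AMT: " + server_header
    return "open: " + server_header


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, send the probe, classify the answer; 'closed' on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe(host))
            buf = b""
            while len(buf) < 8192 and b"\r\n\r\n" not in buf:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
            return classify(parse_server_header(buf))
    except OSError:                               # ECONNREFUSED, timeout, unreachable
        return "closed"


def scan_host(host: str, ports: Dict[int, str] = AMT_PORTS) -> Dict[int, str]:
    """Probe every AMT port on a host; returns {port: classification}."""
    return {port: probe_port(host, port) for port in ports}


class _FakeAMT(BaseHTTPRequestHandler):
    """Constructed stand-in that mimics AMT's banner so the example runs offline."""
    def version_string(self) -> str:              # send_response() uses this for Server:
        return "Intel(R) Active Management Technology 11.8.50"

    def do_GET(self) -> None:
        self.send_response(401)                   # AMT demands HTTP Digest auth
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args) -> None:         # keep the demo quiet
        pass


def start_fake_amt_server() -> Tuple[HTTPServer, int]:
    """Start the constructed responder on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _FakeAMT)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_amt_server()
    try:
        # Real use: scan_host("10.0.0.5") from a different machine on the LAN.
        print(port, probe_port("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
```

A "closed" result from the host's own loopback proves nothing, since the ME intercepts the traffic on the wire, not in the host's IP stack; run the scan from a second machine, and treat any "AMT:" hit on a box whose BIOS says the ME is disabled as the condition the last comment describes.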