The analysis of Conti group’s chats, which were leaked earlier this year, revealed that the ransomware gang has been working on firmware attack techniques.
An attack against firmware could give threat actors significant powers, they are hard to detect and could be very destructive, and attackers can use them to achieve long-term strategic goals.
Researchers from firmware and hardware security firm Eclypsium discovered that the Conti ransomware gang was working on attacks targeting both UEFI/BIOS and the Intel Management Engine (ME) or Intel Converged Security Management Engine (CSME).
The Intel Management Engine consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals, it is a critical component that handles data exchanged between the processor and peripherals.
For this reason, security experts warned in the past of the risks of Intel Management Engine vulnerabilities. An attacker can exploit a flaw in the Intel ME to establish a backdoor on the affected system and gain full control over it.
“Compromising the Management Engine of a system would have considerable value on its own, but the leaks show that the group is using the unique privileges of the ME firmware as a way to gain indirect access to the UEFI/BIOS, drop additional payloads, and gain runtime control of the system below the operating system using System Management Mode (SMM).” reads the post published by Eclypsium. “Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system.”
Leaked chat revealed that the group had already developed a proof-of-concept code for such kind of attacks at least nine months ago.
Experts believe that the firmware attack techniques devised by the group will used in the wild in the near future.
Eclypsium researchers discovered that the Conti gang was focusing research in the following areas.
Below is an excerpt from the Conti’s chat that also mentions the proof-of-concept (POC) code.
The chat confirms that the group was able to develop a PoC code that uses vulnerabilities in the ME interface to rewrite SPI flash memory and gain SMM execution allowing to drop System Management Mode (SMM) level implants
“By shifting focus to Intel ME as well as targeting devices in which the BIOS is write protected, attackers could easily find far more available target devices,” the researchers said.
“The recent Conti leaks mark a critical phase in the rapidly evolving role of firmware in modern attacks. Threats such as TrickBoot, MosaicRegressor, and dozens of new forms of wiper malware have continued to drive attacks below the level of the operating system. However, the Conti leaks exposed a strategic shift that moves firmware attacks even further away from the prying eyes of traditional security tools.” concludes the report. “The shift to ME firmware gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems. “
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
(SecurityAffairs – hacking, firmware)