A Malware That can Bypass Windows Firewall Using Intel’s Management Tech

June 9th, 2017 | Jahanzaib Hassan | Security, Malware, Microsoft, Technology News

A novel and quite practical way of moving malware across an entire network has been discovered, in which a hacking group uses Intel’s Active Management Technology (AMT) to bypass Windows’ built-in firewall and so go undetected.

The Active Management Technology (AMT)

Active Management Technology (AMT) is a technology that allows remote access to networks or computers, letting administrators easily perform tasks such as installing an operating system on a remote machine.

Apart from this, it allows a user to take control of a machine remotely, including operating it through input devices such as the mouse and keyboard.

Although this is a very useful application of AMT, it has been abused by a hacking group called PLATINUM, which has figured out how to use AMT’s low-level firmware for all sorts of unscrupulous acts.

According to Microsoft’s blog post:

“Upon discovery of this unique file-transfer tool, Microsoft shared information with Intel, and the two companies collaborated to analyze and better understand the purpose and implementation of the tool. We confirmed that the tool did not expose vulnerabilities in the management technology itself, but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications.”

“The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations. The diagram below represents the file-transfer tool’s updated channel and network flow.”


The PLATINUM technique

As mentioned earlier, the AMT firmware runs at a low level so that it can provide remote access to networks. However, this low-level operation can be hazardous, because it can allow an attacker to inject malware and connect to it without being detected.

Essentially, whatever traffic goes through AMT is handled from within: the AMT itself controls the traffic. Given that this traffic can carry malware and that AMT runs below the operating system, the traffic can easily bypass Windows’ firewall.

This is because the traffic never reaches the operating system and hence is never filtered by the Windows firewall, which could otherwise detect any inconsistency. The PLATINUM group uses AMT’s virtual serial port, through which it can connect to the malware and hence link itself with the entire network.

Combining all this, the technique involves using serial-over-LAN traffic to send the malware and connect it to the network through the serial port without being detected.
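An added example (not from the article or from Microsoft’s post) of where that leaves a defender: because the host firewall never sees serial-over-LAN traffic, the observation point has to be the network. It assumes flow records with source, destination, port and protocol, and that Intel’s documented default AMT listener ports (16992/16993 for the web interface, 16994/16995 for redirection, which carries SOL) are in use; the flows and console subnet are constructed.

```python
# Added example: flag AMT traffic seen in network flow records that does not come
# from an approved management console. The host firewall cannot see this traffic,
# so the network is the only place a defender can still observe it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Intel's default AMT listener ports (documented defaults, not values from the article):
# 16992/16993 = AMT web interface (HTTP/HTTPS), 16994/16995 = redirection (SOL, IDE-R).
AMT_WEB_PORTS = {16992, 16993}
AMT_REDIRECTION_PORTS = {16994, 16995}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def amt_alerts(flows, allowed_consoles):
    """Return (flow, reason) pairs for AMT traffic not originating from an allowed console."""
    allowed = [ip_network(n) for n in allowed_consoles]
    alerts = []
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.dport in AMT_REDIRECTION_PORTS:
            kind = "AMT redirection (SOL/IDE-R)"
        elif f.dport in AMT_WEB_PORTS:
            kind = "AMT web interface"
        else:
            continue
        if any(ip_address(f.src) in net for net in allowed):
            continue  # expected: the management console talks to AMT
        alerts.append((f, f"{kind} to {f.dst} from non-console host {f.src}"))
    return alerts


# Constructed sample flows (not real captures); 10.0.1.0/24 is the assumed console subnet.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.0.9.41", 16994, "tcp"),  # workstation -> workstation SOL: suspicious
    Flow("10.0.1.10", "10.0.9.41", 16994, "tcp"),  # management console -> SOL: expected
    Flow("10.0.5.20", "10.0.9.41", 443, "tcp"),    # ordinary HTTPS, ignored
    Flow("10.0.5.21", "10.0.9.42", 16992, "tcp"),  # workstation -> AMT web port: suspicious
]

if __name__ == "__main__":
    for flow, reason in amt_alerts(SAMPLE_FLOWS, ["10.0.1.0/24"]):
        print(reason)
```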

Is there a potential flaw in AMT?

Microsoft says that although attackers can exploit machines through AMT, this does not mean that the technology is flawed. It is simply the way it is designed that allows attackers to take undue advantage of it.

Furthermore, experts say that AMT has to be enabled for a machine to be reachable over the remote network. As such, if AMT is switched off, there is no way for attackers to exploit it. However, this is a debated point, as some experts say that it might be the malware itself that enables AMT automatically.

In any case, Microsoft believes that its Windows Defender Advanced Threat Protection technology is enough to detect such malicious traffic. The only concern is that the traffic is undetectable by the firewall, something most systems rely on for security.

Here’s a demo (video) shared by Microsoft showing how the malware works.
