A unique and perhaps a very practical way of injecting malware into an entire network has been discovered in which the hacking group uses Intel’s Active Management Technology (AMT) to bypass Windows’ built-in firewall and as such go undetected.
The Active Management Technology (AMT)
Active Management Technology (AMT) is a technology that allows remote access to networks or computers allowing administrators to easily install things like an operating system on a remote computer.
Apart from this, it has other uses that allow a user to take control of a machine remotely while using input devices such as the mouse and keyboard to operate the computer.
Although this seems to be a very useful application of the AMT, it has, however, been compromised by a hacking group called PLATINUM which has somehow figured out how to use AMT’s low-level firmware for all sorts unscrupulous acts.
According to Microsoft’s blog post:
“Upon discovery of this unique file-transfer tool, Microsoft shared information with Intel, and the two companies collaborated to analyze and better understand the purpose and implementation of the tool. We confirmed that the tool did not expose vulnerabilities in the management technology itself, but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications.”
“The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations. The diagram below represents the file-transfer tool’s updated channel and network flow.”
[irp posts=”54078″ name=”‘Fireball’ Malware Infected 250 Million Mac and Windows Devices”]
The PLATINUM technique
As mentioned earlier, the AMT firmware runs at low-level so as to allow remote access to networks. However, this low-level operation can be hazardous as it can allow an attacker to inject and connect to malware without being detected.
Essentially, whatever traffic that goes through the AMT is handled from within. That is, the AMT itself controls the traffic. Given that the traffic can contain malicious viruses and that AMT is running on low-level, the traffic can easily bypass Windows’ firewall.
This is because the traffic never gets out and hence does not get filtered through Windows firewall to be detected for any inconsistency. However, the PLATINUM group uses the AMTs virtual serial port through which it can connect to the malware and hence link itself with the entire network.
Combining all this, the technique involves using serial-over-LAN traffic to send the malware and connect it to the network using the serial port without being detected.
Is there a potential flaw in AMT?
Microsoft says that although attackers can exploit machines through AMT, it, however, does not mean that the technology is flawed. It is simply the way that it is designed which allows attackers to take undue advantage.
Furthermore, experts say that AMT has to be enabled to connect to the remote network. As such, if AMT is switched off, there is no way that attackers can exploit it. However, this is a debated issue as some experts say that it might be the malware itself that enables AMT automatically.
In any case, Microsoft believes that its Windows Defender Advanced Threat Protection technology is enough to detect such malicious traffic. The only concern is that it is undetectable by something that most systems rely on for security.
Here’s a demo shared by Microsoft showing how the malware works
[irp posts=”53924″ name=”The good old NTFS bug in Windows strikes back but with a different name”]
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.