Recently leaked communications from within the notorious Conti ransomware group have exposed a new strategy to exploit firmware and gain complete control over a system. Unlike previous threats that directly target weaknesses in UEFI/BIOS, attackers are now attempting to go through a figurative side door by exploiting weaknesses in the Intel Management Engine, a critical part of the chipset with direct access to the same chip housing the code that boots a computer. To add fuel to the fire, many organizations do not update the chipset firmware with the same regularity that they do for other software. As a result, this shift to targeting out-of-date chipset firmware is a major development in the evolution of firmware threats that greatly expands the number of devices that are susceptible to a firmware attack.
We encourage organizations to evaluate their devices for vulnerable chipset firmware, apply updates as soon as reasonably possible, and monitor both the chipset and system firmware for any unexpected changes. This matters because the leaks do not reveal any new or unmitigated vulnerabilities: the attackers are exploiting known vulnerabilities that have already been addressed with updates.
About Intel ME and AMT:
As defined by Intel, the Intel® Management Engine (ME) is “an embedded microcontroller (integrated on some Intel chipsets) running a lightweight microkernel operating system that provides a variety of features and services for Intel® processor–based computer systems” including out-of-band management services. These remote management capabilities enabled by the ME are known as Intel Active Management Technology (AMT). Thus the ME is the physical controller and AMT is one of the services provided by the ME.
The ME portion of the chipset is conceptually similar to the baseboard management controllers (BMCs) used for out-of-band management of enterprise servers. In addition to running its own kernel, the ME has its own firmware stored in the SPI flash (which also holds the UEFI/BIOS), a dedicated connection to the network interface, and a power supply that is independent of the operating system. These capabilities allow “the Intel® Management Engine to be up before the main operating system is started,” and to “respond to OOB commands from the IT management console without having to wake up the rest of the system.” And while the ME and its successor, the Converged Security and Management Engine (CSME), are conceptually similar to a BMC, it is important to note that these components are integrated into a very wide range of devices, enabling attacks that would be far more scalable and generic than BMC attacks.
What the Findings Mean for Organizational Risk
As with any new threat, it is important to understand the real-world risks posed to an organization and its assets. The Conti leaks targeting the chipset are significant for several reasons:
Increased Attack Surface
Previous firmware threats such as TrickBoot, MosaicRegressor, and LoJax looked for devices whose BIOS was not properly write-protected. This is probably the most basic and well-known weakness of firmware and is often addressed by security teams.
Focusing on weaknesses in the chipset greatly expands the number of potential targets available to adversaries. Our research identified 47 high-impact vulnerabilities that could allow attackers to gain control over the chipset including via remote code execution over a network. This list also included vulnerabilities that can be exploited via traditional threat vectors such as phishing, malware, social engineering, or supply chain compromise.
As previously mentioned, chipset firmware is often not updated, making many of these vulnerabilities very common. Our analysis found that as many as 72.3% of devices in real-world deployments had a chipset vulnerability that enabled privilege escalation over a network.
Very High Impact
With control over the chipset, attackers have multiple ways to then gain control over the UEFI/BIOS or runtime execution of the host processor. Details of these techniques are available in the companion research paper [LINK].
Compromise of system firmware represents one of the highest possible impact events to a system. This can include:
- Destruction – Permanently disable or “brick” the device and destroy data.
- Persistence – Install malicious firmware that can persist even after the OS is completely reinstalled.
- Evasion – Control over the firmware can allow attackers to evade AV/EDR tools that rely on the operating system as well as built-in protections such as BitLocker, Windows Virtual Secure Mode (VSM), and others.
While these techniques have not been observed in the wild, the leaks indicate that the attackers had already developed working proof-of-concept code more than nine months ago. While the group has reportedly disbanded under the name Conti, it is important to note that all of its developers, operators, tools, and techniques can easily be absorbed into new operations. The fact that these techniques were already being operationalized by one of the most active adversary groups in the world strongly raises the likelihood that they will be seen in real-world attacks.
What Organizations Should Do Today
Based on our analysis, we recommend that organizations take the following steps to better protect their systems and assets:
- Scan Devices for Exploitable Versions of Intel ME Firmware – Our research provides a list of the known CVEs most likely to be used in an attack. Device scans should check for these CVEs as well as for weak configurations that give the chipset access to the BIOS. Organizations should use a tool that specializes in firmware vulnerabilities (e.g. CHIPSEC, Eclypsium), as many traditional vulnerability scanners lack the necessary drivers and access to scan down to this level.
- Monitor the Chipset for Any Configuration Changes – Organizations should check to verify that the Intel ME firmware has the approved and expected configuration. Attackers such as the PLATINUM group have used chipset capabilities in the past to hide command-and-control from OS-level security controls. Ideally, organizations should verify this information using mechanisms that are independent of the operating system.
- Verify the Integrity of the SPI Flash and Monitor for Any Changes – The specific attack described by Conti researchers would leverage vulnerabilities in the chipset in order to target the UEFI/BIOS. Therefore, the same integrity checking and monitoring should be applied to the rest of the SPI flash firmware as well as to the UEFI/BIOS of the device. Once again, firmware should match known good versions, and teams should be alerted to any changes, particularly those tied to anomalous or unreleased code.
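One way to automate the SPI flash integrity check from the last two recommendations, as an added example that is not Eclypsium's code: it parses the Intel Flash Descriptor at the start of an SPI dump to locate the Descriptor, BIOS and ME regions, hashes each region, and compares the hashes against a saved baseline so that a change in the ME region is reported separately from a change in the BIOS. The sample image and baseline are constructed here; a real image would be dumped with a firmware tool such as CHIPSEC.

```python
import hashlib
import struct

# Intel Flash Descriptor layout (as read by tools such as CHIPSEC/UEFITool):
# signature 0x0FF0A55A at offset 0x10; FLMAP0 at 0x14 carries the Flash Region
# Base Address (FRBA) in bits 23:16, in 16-byte units. Each 4-byte FLREG entry:
# base = bits 14:0 << 12, limit = (bits 30:16 << 12) | 0xFFF; base > limit = unused.
FD_SIGNATURE = 0x0FF0A55A
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "PlatformData"]

def parse_regions(image: bytes) -> dict:
    """Return {region_name: (start, end_inclusive)} for populated regions."""
    if struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * idx)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit and limit < len(image):
            regions[name] = (base, limit)
    return regions

def region_hashes(image: bytes) -> dict:
    """SHA-256 per region; store the result of a known-good dump as the baseline."""
    return {name: hashlib.sha256(image[s:e + 1]).hexdigest()
            for name, (s, e) in parse_regions(image).items()}

def compare_to_baseline(image: bytes, baseline: dict) -> dict:
    """Classify each region as 'ok', 'CHANGED' or 'missing-from-baseline'."""
    current = region_hashes(image)
    return {name: ("ok" if baseline.get(name) == h
                   else "missing-from-baseline" if name not in baseline
                   else "CHANGED") for name, h in current.items()}

def build_sample_image() -> bytes:
    """Constructed 1 MiB dump: Descriptor 0x0-0xFFF, ME 0x1000-0x7FFFF, BIOS 0x80000-0xFFFFF."""
    img = bytearray(b"\xff" * 0x100000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)
    layout = [(0x0, 0xFFF), (0x80000, 0xFFFFF), (0x1000, 0x7FFFF), None, None]
    for idx, entry in enumerate(layout):
        val = 0x00007FFF if entry is None else ((entry[1] >> 12) << 16) | (entry[0] >> 12)
        struct.pack_into("<I", img, frba + 4 * idx, val)
    img[0x2000:0x2010] = b"ME-firmware-body"   # stand-in ME region content
    img[0x90000:0x90010] = b"UEFI-BIOS-volume"  # stand-in BIOS region content
    return bytes(img)
```

Keep the baseline hashes off the host (they are the known-good reference) and run the comparison from a dump taken with an OS-independent mechanism where possible, as the monitoring recommendation above suggests.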
You can read the detailed Eclypsium research here. This post summarizes the most important takeaways and the measures organizations should consider in order to protect themselves.