First Ever Data Stealing Malware Found Using Intel AMT Tool to Bypass Firewall
It is really not hard for a well-funded, state-sponsored hacking group to break into corporate networks and compromise systems with malware; what is challenging for them is keeping that backdoor and its communications undetectable by a firewall and other network monitoring applications.
However, a cyber-espionage group known as "Platinum," which has been actively targeting governmental organizations, defense institutes, and telecommunication providers since at least 2009, has found a way to hide its malicious activities from host-based protection systems.
Microsoft has recently discovered that the group is now leveraging Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) channel as a file-transfer tool to steal data from targeted computers without detection.
Intel-based chipsets come with an embedded technology called AMT, which is designed to let IT administrators remotely manage and repair the PCs, workstations, and servers of their organizations.
The Intel AMT technology works independently of the operating system and keeps working even when the system is powered off, as long as the platform is connected to a power source and a network cable.
That means that, when AMT is enabled, packets addressed to AMT's management ports on the PC's wired network interface are diverted to the Management Engine and passed on to AMT before the host ever sees them; the operating system, and any network monitoring applications installed on the computer, never know what is going by.
Moreover, Linux systems with Intel chips and AMT enabled may also be exposed to Platinum's malware, since the technique does not depend on the host operating system.
"As this embedded processor chip is separate from the primary Intel processor, it can execute even when the main processor is powered off and is, therefore, able to provide out-of-band (OOB) remote administration capabilities such as remote power-cycling and keyboard, video, and mouse control (KVM)," Microsoft said.
"Furthermore, as the SOL traffic bypasses the host networking stack, it cannot be blocked by firewall applications running on the host device. To enable SOL functionality, the device AMT must be provisioned."
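The practical consequence of the quoted paragraphs is that the host is the wrong place to look: the SOL bytes never reach the host networking stack, but they do cross the wire, so a switch SPAN port, a network tap or a flow collector still sees them, and AMT's listening ports are fixed by Intel rather than chosen by the attacker. The following script is an added example (not Microsoft's or Intel's code, and not part of the original article) that classifies flow records against the well-known AMT TCP ports, treating the redirection ports (16994 and 16995, which carry SOL and IDE-R) as the high-signal ones. The management-console allowlist, the `Flow` record layout and the sample flows are all constructed for illustration.

```python
"""Network-side detection of Intel AMT / SOL sessions from flow records.

Host firewalls cannot see SOL traffic because the Management Engine consumes it
before the operating system does, so this check is meant to run on flow data
collected off a SPAN port, tap or NetFlow/IPFIX exporter instead.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known TCP ports on which Intel AMT listens on the managed host.
AMT_TCP_PORTS = {
    16992: "AMT web / WS-Management (HTTP)",
    16993: "AMT web / WS-Management (HTTPS)",
    16994: "AMT redirection: SOL / IDE-R",
    16995: "AMT redirection: SOL / IDE-R over TLS",
}
# The redirection ports are the ones a SOL-based file-transfer channel needs.
SOL_PORTS = {16994, 16995}
# Above this many bytes sent back by the managed host over SOL, even a trusted
# console is worth a second look (threshold chosen for the example).
SOL_VOLUME_THRESHOLD = 1_000_000


@dataclass(frozen=True)
class Flow:
    src: str           # peer that opened the connection
    dst: str           # managed host on which AMT is listening
    dport: int         # destination port on the managed host
    proto: str         # "tcp" / "udp"
    bytes_to_src: int  # bytes the managed host sent back to the peer


@dataclass(frozen=True)
class Alert:
    severity: str      # "high", "medium" or "info"
    flow: Flow
    reason: str


def classify_flows(flows, management_consoles):
    """Return one Alert per flow that targets an AMT port on a monitored host.

    management_consoles: CIDR strings for the consoles that legitimately manage
    AMT in this environment (a hypothetical operator-supplied allowlist).
    """
    allowed = [ip_network(cidr) for cidr in management_consoles]
    alerts = []
    for f in flows:
        if f.proto != "tcp" or f.dport not in AMT_TCP_PORTS:
            continue  # not AMT traffic; out of scope for this check
        trusted = any(ip_address(f.src) in net for net in allowed)
        service = AMT_TCP_PORTS[f.dport]
        if f.dport in SOL_PORTS and not trusted:
            alerts.append(Alert("high", f, f"SOL/redirection session from unexpected peer ({service})"))
        elif not trusted:
            alerts.append(Alert("medium", f, f"AMT management access from unexpected peer ({service})"))
        elif f.dport in SOL_PORTS and f.bytes_to_src > SOL_VOLUME_THRESHOLD:
            alerts.append(Alert("medium", f, "large volume sent out over SOL to a trusted console; check for exfiltration"))
        else:
            alerts.append(Alert("info", f, f"expected management traffic ({service})"))
    return alerts


# Constructed sample flows (not captured traffic) for a managed host 10.0.1.77.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.0.1.77", 16992, "tcp", 4_096),            # admin console, expected
    Flow("10.0.5.20", "10.0.1.77", 16994, "tcp", 12_000),           # admin console SOL session
    Flow("198.51.100.9", "10.0.1.77", 16994, "tcp", 38_000_000),    # unknown peer pulling data over SOL
    Flow("198.51.100.9", "10.0.1.77", 16993, "tcp", 2_048),         # unknown peer touching the AMT web API
    Flow("10.0.5.21", "10.0.1.77", 443, "tcp", 900),                # ordinary HTTPS, ignored
]
MANAGEMENT_CONSOLES = ["10.0.5.0/24"]  # hypothetical allowlist of AMT consoles


def summarize(flows=SAMPLE_FLOWS, consoles=MANAGEMENT_CONSOLES):
    """Count alerts by severity; used by the demo below and by tests."""
    alerts = classify_flows(flows, consoles)
    return {sev: sum(1 for a in alerts if a.severity == sev) for sev in ("high", "medium", "info")}


if __name__ == "__main__":
    for a in classify_flows(SAMPLE_FLOWS, MANAGEMENT_CONSOLES):
        print(f"[{a.severity:6}] {a.flow.src} -> {a.flow.dst}:{a.flow.dport}  {a.reason}")
    print(summarize())
```

On the constructed sample the unknown peer's SOL session is the only high-severity hit, its web-API access is medium, and the two console flows are informational. In a real deployment the allowlist should be tight (AMT consoles are few and static), and any AMT port traffic on a segment where AMT was never provisioned is itself the finding, since the article's point is that the attacker only needs AMT to be enabled, not vulnerable.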
Unlike the remote authentication-bypass vulnerability disclosed last month, which allowed attackers to take full control of a system through AMT features without any password, Platinum does not exploit any flaw in AMT; instead, it requires AMT to already be enabled and provisioned on the infected systems.
Microsoft notes that an SOL session requires login credentials, so either the hacking group is using stolen credentials to make its malware connect remotely to its C&C servers, or, "during the provisioning process, PLATINUM could choose whichever account information they wish."
The Platinum hacking group has previously used zero-day exploits, hotpatching techniques and other advanced tactics to infiltrate target systems and networks in South Asian countries, but this is the first time the group has been seen abusing a legitimate management tool to evade detection.
Microsoft said it has already updated its Windows Defender Advanced Threat Protection software to alert network administrators to any malicious attempts to use AMT SOL, but only on systems running the Windows operating system.