Intel AMT Lets Hackers Bypass Windows Firewall


    Sneaky Hackers Use Intel Management Tools to Bypass Windows Firewall
    Serial ports don’t have firewalls.

    Peter Bright | June 9, 2017

    Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

    The group, which Microsoft has named PLATINUM, has developed a system for sending files—such as new payloads to run and new versions of their malware—to compromised machines. PLATINUM’s technique leverages Intel’s Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

    It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what’s on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.

    But this low-level operation is what makes AMT attractive for hackers: the network traffic that AMT uses is handled entirely within AMT itself.

    Communication between machines uses serial-over-LAN traffic, which is handled by AMT in firmware. The malware connects to the virtual AMT serial port to send and receive data. Meanwhile, the operating system and its firewall are none the wiser. In this way, PLATINUM’s malware can move files between machines on the network while being largely undetectable to those machines.

    AMT has been under scrutiny recently after the discovery of a long-standing remote authentication flaw that enabled attackers to use AMT features without needing to know the AMT password. … However, that’s not what PLATINUM is doing: the group’s malware requires AMT to be enabled and serial-over-LAN turned on before it can work. This isn’t exploiting any flaw in AMT.

    Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place… While this novel use of AMT is useful for transferring files while evading firewalls, it’s not undetectable. Using the AMT serial port, for example, is detectable. Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones.

    Read the full article on arstechnica.com

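The practical takeaway from the article is that the host firewall and host-based monitoring never see serial-over-LAN traffic, because AMT terminates it in firmware below the operating system, but a network sensor (switch SPAN port, Zeek, NetFlow) still does. The script below is an added example written for this page, not code from the article, from Microsoft or from Intel. It scans flow records for connections to the documented Intel AMT TCP listener ports (16992/16993 for the web and WS-Management interface, 16994/16995 for the redirection service that carries SOL and IDE-R) and raises an alert when the connection does not originate from an approved management console, which is exactly the pattern PLATINUM produces when one compromised workstation pushes files to another over SOL. The flow lines, the management-console subnet and the host addresses are all constructed for the example.

```python
"""Network-side detection of Intel AMT serial-over-LAN (SOL) use.

Host firewalls cannot see SOL traffic (AMT handles it in firmware), so this
looks at flow records captured off the wire instead. Any flow to an AMT
listener port that did not come from a known management console is flagged;
flows to the redirection ports (SOL / IDE-R) are rated high.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Intel AMT TCP listener ports (documented by Intel).
AMT_PORTS = {
    16992: "AMT HTTP (web UI / WS-Management)",
    16993: "AMT HTTPS (web UI / WS-Management)",
    16994: "AMT redirection (SOL / IDE-R), plaintext",
    16995: "AMT redirection (SOL / IDE-R), TLS",
}
SOL_PORTS = {16994, 16995}

# ASSUMPTION (hypothetical): the subnet where legitimate AMT consoles live.
MANAGEMENT_CONSOLES = [ip_network("10.0.100.0/24")]

# Constructed sample flow records, not real telemetry.
# Columns: timestamp, source IP, destination IP, destination port, protocol.
SAMPLE_FLOWS = """\
# ts src dst dport proto
2017-06-09T10:00:01Z 10.0.100.5 10.0.7.21 16994 tcp
2017-06-09T10:00:09Z 10.0.7.33 10.0.7.21 445 tcp
2017-06-09T10:05:44Z 10.0.7.33 10.0.7.21 16994 tcp
2017-06-09T10:06:02Z 10.0.7.33 10.0.7.50 16995 tcp
2017-06-09T10:07:15Z 10.0.7.60 10.0.7.21 16992 tcp
garbage line that does not parse
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    severity: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one whitespace-separated flow line; return None for comments or junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        ip_address(src)
        ip_address(dst)
        return Flow(ts, src, dst, int(dport), proto.lower())
    except ValueError:
        return None


def is_management_console(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MANAGEMENT_CONSOLES)


def classify(flow: Flow) -> Optional[Alert]:
    """Return an Alert for AMT traffic from an unexpected source, else None."""
    if flow.proto != "tcp" or flow.dport not in AMT_PORTS:
        return None  # not AMT traffic at all
    if is_management_console(flow.src):
        return None  # a console talking to AMT is the expected case
    # A peer workstation driving AMT redirection is the PLATINUM pattern.
    severity = "high" if flow.dport in SOL_PORTS else "medium"
    return Alert(flow.ts, flow.src, flow.dst, flow.dport, AMT_PORTS[flow.dport], severity)


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = classify(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sources_by_alert_count(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Which hosts are reaching into other machines' AMT; useful for triage."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS.splitlines()):
        print(f"[{a.severity.upper()}] {a.ts} {a.src} -> {a.dst}:{a.dport} ({a.service})")
```

Two caveats. The redirection ports carry IDE-R as well as SOL, so a hit on 16994/16995 means "AMT redirection in use", and distinguishing legitimate from malicious sessions still needs context such as the allow-list above or the endpoint telemetry the article says Windows Defender ATP provides. And the detection only works where the wire is visible: the check has to run on a network sensor, since on the affected hosts themselves the firewall and any packet capture bound to the OS network stack will not see this traffic at all.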