Saturday, February 4, 2023
  • Events
  • Interviews
  • Jobs
  • Opinion
  • Whitepapers
  • Glossary
  • Community Forum
  • Web Hosting Directory
  • Login
  • Register
Cloud7 News
  • Cloud Computing
  • Web Hosting
  • Data Center
  • Linux
  • Cybersecurity
  • More
    • Network/Internet
    • Windows
    • Software
    • Hardware
    • Blockchain
    • Policy/Legislation
    • How-Tos
    • Troubleshooting
No Result
View All Result
Cloud7 News
  • Cloud Computing
  • Web Hosting
  • Data Center
  • Linux
  • Cybersecurity
  • More
    • Network/Internet
    • Windows
    • Software
    • Hardware
    • Blockchain
    • Policy/Legislation
    • How-Tos
    • Troubleshooting
No Result
View All Result
Cloud7 News
No Result
View All Result

Home > Cybersecurity > Conti is targeting Intel firmware

Conti is targeting Intel firmware

Eclypsium announced that Conti ransomware gang is developing firmware hacks targeting Intel’s Management Engine.


Erdem Yasar Erdem Yasar
June 3, 2022
3 min read
Conti is targeting Intel firmware

Although it looks like Conti operations are stopped, the members of the gang are joining different operations to continue attacks. According to Eclypsium, an individual started leaking information from the Conti ransomware group. The leaks confirm the connections between Conti and the Russian FSB.

Targeting Intel Management Engine

The leaks also show that the gang is focusing on firmware-based attacks. Attackers are now targetting Intel Management Engine or Intel Converged Security Management Engine instead of classical attacks that target UEFI/BIOS directly. ME is a physical microcontroller and a part of the chipset. There are several different variations of this component, such as Management Engine, Intel Converged Security and Management Engine, and Intel Trusted Execution Environment. There is also an alternate firmware family used in servers, Server Platform Services.

According to the leaked information, Conti is using the unique privileges of the ME firmware as a way to gain indirect access to the UEFI/BIOS. It allows attackers to drop additional payloads, and gain runtime control of the system below the operating system using System Management Mode. It can cause irreparable damage to a system or establish ongoing persistence that is invisible to the operating system.

Conti group claims that they already had developed proof-of-concept code for these methods nine months ago. Eclypsium shared its insight into ME firmware to help organizations. Analysis includes:

  • Chipset Vulnerabilities – While it is known that these adversaries are actively analyzing the ME for new vulnerabilities, we wanted to identify the known vulnerabilities that attackers could use so that organizations can reduce their firmware attack surface.
  • Attack Flow and Scenarios – We show different attack scenarios based on the low-level settings and protections set on a system, including in cases where the BIOS is properly write-protected.
  • Attacker Objectives and Impact Analysis – Review of how attackers can use the ME and system firmware to achieve the greatest possible damage and impact to target organizations.
  • Mitigations and Best Practices – Key steps that organizations should be taking today to defend their devices from these and similar threats.

When considering how a real-world attack would take place, there are several aspects Eclypsium has detected.

  1. Attacker gains access to a target host – This can be done via any number of common methods (either local or remote), whether via spear-phishing, exploiting a common OS or application vulnerability, an insider, or during any phase of the distribution, warehousing, or delivery phase of the device’s supply chain lifecycle.
  2. Attacker gains control over ME – This would be done either by a new 0-day vulnerability or via known vulnerabilities that provide remote code execution (RCE) and privilege escalation (PE). Because some of the ME vulnerabilities can be exploited remotely, this can make the previous step optional and an attacker can directly gain control of the ME without first exploiting a vulnerability in the host side of the platform.
  3. Use ME to rewrite UEFI/BIOS or gain SMM Execution – The ME firmware is inside the UEFI Trusted Computing Base (TCB), which opens the potential for an attacker to infect the UEFI from the ME. Attackers just need to bypass SPI Descriptor and BIOS Control register protections. We will look at multiple scenarios showing how this would work in a real attack. 

Eclypsium also stated,

« The recent Conti leaks mark a critical phase in the rapidly evolving role of firmware in modern attacks. Threats such as TrickBoot, MosaicRegressor, and dozens of new forms of wiper malware have continued to drive attacks below the level of the operating system. However, the Conti leaks exposed a strategic shift that moves firmware attacks even further away from the prying eyes of traditional security tools. The shift to ME firmware gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems. 

As the realities of the threat landscape continue to evolve, it is critical that organizations continue to inform their defenses based on the latest intelligence available. The Eclypsium team will continue to strive to provide updated insight and guidance into these and other firmware threats as they become available. »

See more Cybersecurity News


Tags: Intel
Erdem Yasar

Erdem Yasar

Erdem Yasar is a news editor at Cloud7 News. Erdem started his career by writing video game reviews in 2007 for PC World magazine while he was studying computer engineering. In the following years, he focused on software development with various programming languages. After his graduation, he continued to work as an editor for several major tech-related websites and magazines. During the 2010s, Erdem Yasar shifted his focus to cloud computing, hosting, and data centers as they were becoming more popular topics in the tech industry. Erdem Yasar also worked with various industry-leading tech companies as a content creator by writing blog posts and other articles. Prior to his role at Cloud7 News, Erdem was the managing editor of T3 Magazine.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

I agree to the Terms & Conditions and Privacy Policy.

Next Post
cloudflare logo

Cloudflare Login: Dashboard & Contact Support

Related News

LockBit encryptor source code is updated

LockBit encryptor source code is updated

February 3, 2023 4:40 pm
Fortinet is expanding its SOC offerings portfolio

Fortinet is expanding its SOC offerings portfolio

February 3, 2023 2:00 pm
Radware announces a new partner program

Radware announces a new partner program

February 3, 2023 1:30 pm
APTs are looking for developers to hire with hefty paychecks

APTs are looking for developers to hire with hefty paychecks

February 1, 2023 2:30 pm
Get free daily newsletters from Cloud7 News Get the Cloud7 Newsletter
Select list(s):

Check your inbox or spam folder to confirm your subscription.

By subscribing, you agree to our
Copyright Policy and Privacy Policy

Get the free newsletter

Subscribe to receive the latest IT business updates straight to your inbox.

Select list(s):

Check your inbox or spam folder to confirm your subscription.

Editor's Choice

What’s new in Linux kernel 6.2 rc6?

10 Best Web Hosting Services of 2023

Ubuntu 22.04 LTS is available for download. What is new?

CERN and Fermilab recommend AlmaLinux

7 best hosting control panels of 2023

How to update Linux Kernel without rebooting?

7 best Linux mail servers of 2023

7 best cPanel alternatives for 2023

7 best Linux web browsers for 2023

7 best CentOS alternatives

7 best Linux server distros of 2023

Interview with Igor Seletskiy on AlmaLinux

How to create a VM on VMware Workstation

Recent News

  • LockBit encryptor source code is updated
  • LibreOffice 7.5 Community is released. What’s new?
  • NTT to add Palo Alto Networks’ solution to its portfolio
  • Gcore announces partnership with Super Protocol
  • Fortinet is expanding its SOC offerings portfolio

Cloud7 News
Cloud7 is a news source that publishes the latest news, reviews, comparisons, opinions, and exclusive interviews to help tech users of high-experience levels in the IT industry.

EXPLORE

  • Web Hosting
  • Cloud Computing
  • Data Center
  • Cybersecurity
  • Linux
  • Network/Internet
  • Software
  • Hardware
  • How-Tos
  • Troubleshooting

RESOURCES

  • Events
  • Interviews
  • Jobs
  • Opinion
  • Whitepapers
  • Glossary
  • Community Forum
  • Web Hosting Directory

Get the Cloud7 Newsletter

Get FREE daily newsletters from Cloud7 delivering the latest news and reviews.

  • About
  • Privacy & Policy
  • Copyright Policy
  • Contact

© 2023, Cloud7 News. All rights reserved.

No Result
View All Result
  • Cloud Computing
  • Web Hosting
  • Data Center
  • Linux
  • Cybersecurity
  • More
    • Network/Internet
    • Windows
    • Software
    • Hardware
    • Blockchain
    • Policy/Legislation
    • How-Tos
    • Troubleshooting
  • Events
  • Interviews
  • Jobs
  • Opinion
  • Whitepapers
  • Glossary
  • Community Forum
  • Web Hosting Directory

© 2023, Cloud7 News. All rights reserved.

Welcome Back!

Sign In with Facebook
Sign In with Google
Sign In with Linked In
OR

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Sign Up with Facebook
Sign Up with Google
Sign Up with Linked In
OR

Fill the forms below to register

*By registering into our website, you agree to the Terms & Conditions and Privacy Policy.
All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.