Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls

Accepted submission by exec at 2017-06-09 23:02:59
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [HackerNews]

Time: 2017-06-09 10:15:22 UTC

Original URL: https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/ [bleepingcomputer.com] using ISO-8859-1 encoding.

Title: Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---


Arthur T Knackerbracket has found the following story [bleepingcomputer.com]:


Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.


Because of the way Intel AMT SOL works, SOL traffic bypasses the local computer's networking stack, so host-based firewalls and security products cannot see or block the malware while it exfiltrates data from infected hosts. The traffic still crosses the physical network, so it remains visible to network-side monitoring and perimeter firewalls; it is the host operating system that is blind to it.


This is because Intel AMT SOL is served by the Intel ME (Management Engine), a separate microcontroller in the chipset (the Platform Controller Hub) of Intel platforms, which runs its own firmware and operating system independently of the host CPU.


Intel ME runs whenever the platform has standby power, even when the main processor is off. While this looks shady, Intel built ME to provide out-of-band remote administration for organizations that manage networks of thousands of computers.


In the ME component stack, AMT provides remote management for Intel vPro platforms. SOL is AMT's Serial-over-LAN feature: it exposes a virtual serial port on the managed machine and carries that serial stream over TCP to a remote management console. The AMT listeners on TCP 16992/16993 (web interface and WS-Management, plain and TLS) and 16994/16995 (the redirection channel that carries SOL and IDE-R, plain and TLS) are answered by the ME rather than by the host OS.


Because this AMT SOL interface runs inside Intel ME, it is separate from the normal operating system, where firewalls and security products are provisioned to work.


Furthermore, because it runs inside Intel ME, the AMT SOL interface stays up and functional even when the PC is powered off, as long as the machine is still physically connected to the network and has standby power, allowing the ME to send and receive data over TCP.


The good news is that AMT is only present on vPro-capable platforms, not on every Intel CPU, and it ships unprovisioned: the PC owner or a systems administrator has to provision AMT and enable SOL by hand.


The bad news is that Microsoft discovered malware created by a cyber-espionage group that abuses the Intel AMT SOL interface to steal data from infected computers.


Microsoft cannot say whether these state-sponsored attackers found a way to enable the feature on infected hosts or simply found it already provisioned and decided to use it.


The technique has been seen in malware deployed against organizations and government agencies in South and Southeast Asia. The group that deployed it is known only by the codename Microsoft researchers gave it: PLATINUM.


Microsoft says it first spotted this group in 2009, and the group has targeted that region of the globe ever since.


PLATINUM is one of the most sophisticated hacking groups yet discovered. Last year, in a previous Microsoft report [microsoft.com], the OS maker said the group was installing malware by abusing hotpatching, a mechanism that lets Microsoft apply updates to running processes and upgrade applications or the operating system without rebooting the computer.


Security researchers had already described how attackers could use hotpatching to install malware [1 [yumpu.com], 2 [blackhat.com]], so Microsoft was not greatly surprised that somebody finally used it in live attacks. Using Intel AMT SOL, on the other hand, had never been seen before; PLATINUM's malware is the first known to use it.


This only strengthens Microsoft's assessment that the group is made up of highly trained and well-funded individuals of the kind usually assembled into nation-state cyber-intelligence units.


Cyber-espionage groups are primarily interested in remaining hidden, so the fact that AMT SOL traffic is invisible to host-based firewalls was the main reason the group adopted it.


Fortunately, Microsoft says it identified indicators in the malware's behavior that let its Windows Defender ATP product detect the tool before it accesses and initiates the AMT SOL interface. This gives companies a warning that they may have been infected with the group's malware.


When contacted by Microsoft, Intel said the PLATINUM group was not exploiting any vulnerability in the Intel AMT SOL interface; this was another classic case of attackers using a technology built for legitimate purposes to do bad things.


Details about PLATINUM's targets and attacks are available in a report [microsoft.com] Microsoft released yesterday.
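Since the host stack never sees SOL traffic, the practical place to look for it is the network side (a tap, switch span port or perimeter firewall), where the AMT ports are the signal. The following is an added example, not code from the article or from Microsoft's PLATINUM report: it walks flow records, flags connections to the AMT ports listed above (Intel's published listeners), and totals the bytes moved over the redirection channel that carries SOL. The CSV flow layout, the sample flows and the "allowed consoles" allow list are constructed for the example.

```python
"""Network-side detection of Intel AMT / SOL sessions in flow records.

Added example; not code from the article or from Microsoft's PLATINUM report.
The ME answers these ports itself, so the host OS never sees the traffic,
but a tap, switch span port or perimeter firewall still does.
"""
import csv
import io
from collections import defaultdict

# Intel AMT network listeners (served by the Management Engine, not the host).
AMT_PORTS = {
    16992: "AMT web UI / WS-Management (HTTP)",
    16993: "AMT web UI / WS-Management (HTTPS)",
    16994: "AMT redirection: SOL and IDE-R (plaintext)",
    16995: "AMT redirection: SOL and IDE-R (TLS)",
}
# The redirection channel is the one that carries Serial-over-LAN.
REDIRECTION_PORTS = frozenset({16994, 16995})

# Constructed flow export in a NetFlow-like CSV layout; not real traffic.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
2017-06-08T02:14:05Z,10.20.5.17,51233,10.20.5.40,16994,tcp,48210
2017-06-08T02:14:09Z,10.20.5.17,51234,10.20.5.40,16994,tcp,1902114
2017-06-08T02:15:00Z,10.20.7.3,40022,10.20.5.40,443,tcp,8120
2017-06-08T02:15:31Z,10.20.5.17,51240,10.20.5.41,16992,tcp,3311
2017-06-08T02:16:02Z,10.20.5.17,51241,10.20.5.41,16995,tcp,77304
2017-06-08T02:16:40Z,10.20.9.9,53120,10.20.5.40,22,tcp,9320
"""


def parse_flows(text):
    """Parse a CSV flow export; ports and byte counts become integers."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def amt_service(flow):
    """Name the AMT service a flow targets, or None for non-AMT traffic."""
    if flow["proto"].lower() != "tcp":
        return None
    return AMT_PORTS.get(flow["dport"])


def find_amt_flows(text, allowed_consoles=frozenset()):
    """Return flows to AMT ports whose source is not a sanctioned console.

    allowed_consoles: hypothetical allow list of IT management console
    addresses; anything else talking to AMT ports deserves a look.
    """
    hits = []
    for flow in parse_flows(text):
        service = amt_service(flow)
        if service is None or flow["src"] in allowed_consoles:
            continue
        hit = dict(flow)
        hit["service"] = service
        hit["redirection"] = flow["dport"] in REDIRECTION_PORTS
        hits.append(hit)
    return hits


def summarize(hits):
    """Per (src, dst) pair: total AMT flows and bytes moved over SOL/IDE-R.

    Large byte counts on the redirection ports are the exfiltration signal:
    a console typing at a serial prompt does not move megabytes.
    """
    agg = defaultdict(lambda: {"flows": 0, "redirection_flows": 0,
                               "redirection_bytes": 0})
    for h in hits:
        entry = agg[(h["src"], h["dst"])]
        entry["flows"] += 1
        if h["redirection"]:
            entry["redirection_flows"] += 1
            entry["redirection_bytes"] += h["bytes"]
    return dict(agg)


if __name__ == "__main__":
    hits = find_amt_flows(SAMPLE_FLOWS)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} '
              f'{h["bytes"]:>8} B  {h["service"]}')
    for (src, dst), e in summarize(hits).items():
        print(f"{src} -> {dst}: {e['flows']} AMT flows, "
              f"{e['redirection_bytes']} B over SOL/IDE-R")
```

On the sample data, 10.20.5.17 reaches the AMT web port on one machine and the redirection port on two, moving nearly 2 MB over SOL to 10.20.5.40; an internal host that is not the IT console doing that is exactly the pattern the article describes. Blocking 16992-16995 between client subnets at a network firewall, while allowing them only from the management console, closes the channel without touching the hosts.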

Are there any ports (on router/firewall) that can be blocked that will break the communication for this exploit?

I actually ensured AMT was disabled in my BIOS, and I also deleted the AMT driver from my system because of Silent Bob and other stuff like this. Sure, an unidentified device is annoying, but better safe than sorry.

I keep the Intel "features" turned OFF. Then we have Microsoft's Windows 10 updates that can be installed at any time without permission. It seems a truly secure system would have to be a trusted Linux OS and a properly set up external (to the PC) firewall.


Copyright @ 2003 - 2017 Bleeping Computer® LLC [bleepingcomputer.com] - All Rights Reserved


-- submitted from IRC


Original Submission