RSS

Sneaky hackers use Intel management tools to bypass Windows firewall

08 Jun

Enlarge / Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs. But their virtual counterparts are alive and well, and they can be used for some exciting things. (credit: Ericf)

When you’re a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it. But once you’re there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

The group, which Microsoft has named PLATINUM, has developed a system for sending files—such as new payloads to run and new versions of their malware—to compromised machines. PLATINUM’s technique leverages Intel’s Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

The AMT needs this low-level access for some of the legitimate things it’s used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what’s on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.

Read 6 remaining paragraphs | Comments

Advertisements
 
Leave a comment

Posted by on June 8, 2017 in Uncategorized

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: