Leaked internal chats from the Conti ransomware gang suggests the group has been researching and developing code to compromise the Intel Management Engine (Intel ME), the out-of-band management functionality built into Intel chipsets.
The goal of this technique is to install malicious code deep inside computer firmware where it cannot be blocked by operating systems and third-party endpoint security products.
Firmware implants are powerful and are usually used in high-value operations by state-sponsored hacker groups. However, over the past couple of years cyber criminal gangs have also shown an interest, with developers of the notorious TrickBot botnet adding an UEFI attack module in 2020.
According to new research by security firm Eclypsium, the Conti ransomware group developed proof-of-concept code to exploit Intel ME firmware and gain code execution in System Management Mode, a highly privileged execution environment of the CPU.
What is Intel ME?
The Intel Management Engine is a subsystem that's present in many Intel chipsets and consists of a dedicated coprocessor and real-time operating system that's used for out-of-band management tasks.
Intel ME is essentially a computer inside a computer and is completely separate from the user-installed OS that uses the main CPU. Depending on chipset and CPU generation, variations of the Intel ME technology are known as the Intel Converged Security and Management Engine (CSME) or Intel Trusted Execution Environment.
Not only does Intel ME run independently of the main CPU and OS, it also has a lot of control over them and potentially a way to access the UEFI, the low-level firmware in modern computers that's in charge of initialising hardware devices, starting the boot-loader and ultimately the main OS.
In February, following Russia's invasion of Ukraine, a researcher leaked many logs from Conti's internal chat system. By analysing those logs, researchers from Eclypsium found discussions about targeting Intel ME, through known and previously unknown vulnerabilities to indirectly gain access to UEFI.
This is important for several reasons. Some legitimate APIs allow reflashing the UEFI firmware from inside the primary OS, for example for the purpose of updates.
However, a properly configured UEFI performs cryptographic signature verification for updates and has write protections enabled. Furthermore, such attempts to reflash the UEFI can be detected and blocked by security software running inside the operating system.
Past UEFI attacks and Conti's interest
In December 2020, researchers found a new TrickBot module that used a known driver to read information from the UEFI firmware of infected computers, trying to identify those misconfigured with the BIOS control register unlocked.
Other groups exploited UEFI misconfigurations or vulnerabilities in the past, such as the APT28 also known as Fancy Bear and believed to be a division of the Russia's military intelligence agency, the GRU. Another APT group known to have targeted UEFI is known as MossaicRegressor.
By exploiting Intel ME and gaining indirect access to UEFI that way, attackers could bypass the normal protections put in place by computer manufacturers. Intel ME has had many vulnerabilities reported and patched over the years.
"It is important to note that many systems are vulnerable to CVEs covered in these Intel advisories," the Eclypsium researchers said. "For example, a recent analysis of a production network found that 72.3 per cent of devices were vulnerable to CVEs in Intel SA00391, which contains the potential for network privilege escalation.
Likewise, 61.45 per cent of devices were vulnerable to issues covered in SA00295, which also enables privilege escalation over a network. These two security advisories include vulnerabilities from the Ripple20 disclosure and additional remotely-exploitable vulnerabilities in the Treck TCP/IP stack found by Intel as a follow-up to the initial Ripple20 disclosure."
In one of the analysed discussions, one Conti developer tells another member that he has been working on a report on how the Intel ME controller and the Intel Active Management Technology (AMT) that's based on it work. He mentions uncovering undocumented commands using reverse engineering, debugging and fuzzing and mentions previous research by security companies Positive Technologies and Embedi.
He says that the goal could be to develop a dropper (malware implant) for UEFI and potentially one that runs in SMM (System Management Mode).
The SMM is a highly privileged execution mode of x86 CPUs where all normal code execution from the OS is suspended, and an alternate software is executed. Usually, SMM is used for debugging. In later Conti conversations a screenshot is shown that suggests a proof-of-concept was developed.
"An attacker with control over the ME can then use that access to overwrite the UEFI system firmware and gain SMM code execution," the Eclypsium researchers explained.
"The details of how this is done will vary depending on the types of protections and settings of the target system. Two of the most important settings in this regard is if BIOS write protection (BIOS_WP) is properly set on the device, and if Intel ME has the privileges to modify different SPI regions in the access control table within the SPI Descriptor."
Why criminal groups are interested in firmware exploits
The fact that groups like TrickBot and Conti have the resources to hire individuals with expertise in reverse engineering low-level firmware and implementing UEFI and SMM implants is indicative of how lucrative ransomware and data extortion attacks are for cyber criminals.
In recent months, the Conti gang attracted a lot of heat after threatening to attack critical infrastructure in support of the Russian government and crippling government agencies in Costa Rica. The U.S. Department of Justice (DOJ) has announced a reward for information about the identity and location of the group's leaders and members.
Some cyber crime analysts believe the Conti gang is in a process of rebranding itself and splintering off into multiple other specialised groups. This process is believed to have started several months ago, but the tools that have been developed will remain with those groups and will likely be used in the future.
If they're successful, more cyber criminal groups are likely to follow suit and start targeting computer firmware because such attacks have a lot of value.
"In terms of damage, an attacker can effectively 'brick' a system permanently by overwriting the system firmware," the Eclypsium researchers said. "Similarly, an attacker could use this level of access to wipe the Master Boot Record or other high-value files on a system.
"Wipers such as WhisperGate and HermeticWiper have played a major and ongoing role in the Russian invasion of Ukraine and provide a stark reminder of the damaging potential of low-level attacks on devices. While such low-level wiper attacks have averaged about one major event per year, in the first quarter of 2022, there have been six or more wipers discovered in the wild."
Long-time persistence is another reason. By compromising the firmware, attackers can evade detection and remain on a system even after the normal storage has been wiped and the main OS has been reinstalled.
Many attackers specialise in selling access to corporate networks to other cyber criminals to deploy their threats and some ransomware gangs have a history of hitting organisations multiple times even after they paid the ransom once.
Mitigation for Intel ME vulnerabilities
The Eclypsium researchers advise organisations to scan all their computers for known Intel ME vulnerabilities and apply the needed firmware updates. Commercial as well as open-source tools such as CHIPSEC can be used to do this.
Organisations should also verify the integrity of the Intel ME firmware on their devices comparing it to valid firmware from Intel. This should ideally be done using mechanisms that are independent of the main operating system, because compromised firmware can feed back fake information to OS-level tools.
In addition to Intel ME firmware, security teams should also check the integrity of the SPI flash memory that holds the UEFI/BIOS as well as the integrity of the UEFI itself, the Eclypsium researchers said.