Conti spotted working on exploits for Intel Management Engine flaws (Security News, June 2022)
The notorious Conti ransomware gang has working proof-of-concept code to exploit low-level Intel firmware vulnerabilities, according to Eclypsium researchers.
Recently leaked Conti documents show the criminals developed the software more than nine months ago. This matters because exploiting these kinds of weaknesses expands the extent and depth of an intrusion, the firmware security shop's analysis noted.
Specifically, we're told, Conti came up with code that targeted the Intel Management Engine, a tiny hidden computer - with its own CPU, OS and software - within a processor chipset that runs independently from the main cores and provides various features including out-of-band management.
A typical attack on the ME would work like this: either you get code execution on a victim's machine via something like an email attachment that contains malware, then exploit a vulnerable software interface to the engine; or you pull off some kind of remote-code-execution exploit against the ME directly. Most likely, a miscreant aiming for the ME wants to turn an ordinary infection or compromise into a long-lasting, hard-to-detect one by drilling down into the ME after gaining code execution on a machine.
Once running at the ME level, an attacker can potentially tamper with the UEFI/BIOS firmware and/or run code in System Management Mode.
While Eclypsium noted that "No new or unmitigated vulnerabilities have been identified, and that Intel chipsets are no more or less vulnerable than any other code," the problem remains that many organizations don't update their chipset firmware as frequently as they do other software or UEFI/BIOS system firmware.
News URL: https://go.theregister.com/feed/www.theregister.com/2022/06/02/conti_rasomware_intel_firmware/