Conti leaked chats confirm the gang's ability to conduct firmware-based attacks

Pierluigi Paganini June 02, 2022

The analysis of the Conti ransomware group's internal chats, which were leaked earlier this year, revealed that the gang had been working on firmware attack techniques.

Firmware-level attacks give threat actors significant capabilities: they are hard to detect, they can be highly destructive, and attackers can use them to pursue long-term strategic goals.

Researchers from the firmware and hardware security firm Eclypsium discovered that the Conti ransomware gang was working on attacks targeting both the UEFI/BIOS firmware and the Intel Management Engine (ME), known on current platforms as the Intel Converged Security and Management Engine (CSME).

The Intel Management Engine is an embedded microcontroller inside the Platform Controller Hub (PCH), the chip that connects the processor to its integrated peripherals. It runs its own firmware, stored in a dedicated region of the same SPI flash that holds the UEFI/BIOS, and it operates independently of the host processor and the operating system, which makes it a critical component of the platform.

For this reason, security experts have warned in the past about the risks posed by Intel Management Engine vulnerabilities: an attacker who exploits a flaw in the ME can establish a backdoor on the affected system and gain full control over it.

“Compromising the Management Engine of a system would have considerable value on its own, but the leaks show that the group is using the unique privileges of the ME firmware as a way to gain indirect access to the UEFI/BIOS, drop additional payloads, and gain runtime control of the system below the operating system using System Management Mode (SMM).” reads the post published by Eclypsium. “Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system.”

The leaked chats reveal that the group had already developed proof-of-concept code for this kind of attack at least nine months ago.

Experts believe that the firmware attack techniques devised by the group will be used in the wild in the near future.

Eclypsium researchers found that the Conti gang was focusing its research on the following areas:

  1. Fuzzing the Management Engine Interface (MEI) to discover undocumented commands and zero-day flaws.
  2. Attempting to access SPI flash (the memory that stores the UEFI/BIOS system firmware) from the ME in order to bypass other protections, such as the write protection that applies to the host.
  3. Provisioning AMT or changing other ME configurations from the host to uncover ME vulnerabilities that could give the attackers arbitrary code execution.
  4. Developing both a stealth dropper delivered from UEFI and a System Management Mode (SMM) implant. SMM is a runtime CPU mode controlled by the UEFI/BIOS that is more privileged than the "Ring 0" operating system kernel. The kernel cannot examine SMM code or block it from executing, so an SMM implant could modify the kernel on the fly with complete stealth and without the OS being able to do anything to prevent it.

Below is an excerpt from the Conti chat that also mentions the proof-of-concept (PoC) code.

Conti ransomware chat

The chat confirms that the group was able to develop PoC code that uses vulnerabilities in the ME interface to rewrite SPI flash memory and gain SMM execution, allowing it to drop System Management Mode (SMM) level implants.

“By shifting focus to Intel ME as well as targeting devices in which the BIOS is write protected, attackers could easily find far more available target devices,” the researchers said.
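The practical question this raises for defenders is whether the BIOS region of SPI flash on a given machine is actually write-protected, and against whom. The script below is an added example, not Eclypsium's or Conti's code: it decodes the two host-side protection mechanisms on Intel PCH platforms, the BIOS_CNTL register (BIOSWE, BLE and SMM_BWP bits) and the SPI Protected Range registers PR0..PR4, and judges whether the host CPU can rewrite the BIOS region, in the spirit of the CHIPSEC `common.bios_wp` module. The register values and region bounds are constructed sample inputs; on a real system you would read them from the PCH (register offsets differ between chipset generations) or take them from a CHIPSEC run.

```python
"""Decode Intel PCH BIOS write-protection registers (BIOS_CNTL, PR0..PR4) and
judge whether the host CPU can rewrite the BIOS region of SPI flash.
Added example, not Eclypsium's or Conti's code; bit layouts follow the public
Intel PCH datasheets, and the sample values at the bottom are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# BIOS_CNTL bits (BIOS Control register on the LPC/SPI controller)
BIOSWE = 1 << 0    # BIOS Write Enable: host writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI that can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes succeed only while in SMM
# SPI Protected Range registers PR0..PR4, one 32-bit value each
PR_WPE_BIT = 31         # Write Protection Enable
PR_RPE_BIT = 15         # Read Protection Enable
PR_LIMIT_SHIFT = 16     # bits 28:16 hold address bits 24:12 of the inclusive limit
PR_FIELD_MASK = 0x1FFF  # base (bits 12:0) and limit are 13-bit fields of 4 KiB pages


@dataclass
class ProtectedRange:
    index: int
    base: int              # first protected byte
    limit: int             # last protected byte, inclusive
    write_protected: bool
    read_protected: bool


def decode_pr(index: int, value: int) -> ProtectedRange:
    """Turn one raw PRx value into a byte-address range plus its flags."""
    base = (value & PR_FIELD_MASK) << 12
    limit = (((value >> PR_LIMIT_SHIFT) & PR_FIELD_MASK) << 12) | 0xFFF
    return ProtectedRange(index, base, limit,
                          bool((value >> PR_WPE_BIT) & 1),
                          bool((value >> PR_RPE_BIT) & 1))


def decode_bios_cntl(value: int) -> Dict[str, bool]:
    return {"BIOSWE": bool(value & BIOSWE), "BLE": bool(value & BLE),
            "SMM_BWP": bool(value & SMM_BWP)}


def pr_covers(ranges: List[ProtectedRange], region: Tuple[int, int]) -> bool:
    """True if the write-protected ranges, merged, cover every byte of region."""
    start, end = region
    cursor = start
    for base, limit in sorted((r.base, r.limit) for r in ranges if r.write_protected):
        if base > cursor:
            break                   # uncovered gap before this range
        if limit >= cursor:
            cursor = limit + 1      # extend coverage past this range
        if cursor > end:
            return True
    return cursor > end


def assess_bios_write_protection(bios_cntl: int, pr_values: List[int],
                                 bios_region: Tuple[int, int]) -> Dict[str, object]:
    """Host-side verdict in the spirit of CHIPSEC's common.bios_wp module.
    Protected if (a) BLE and SMM_BWP are both set, so writes succeed only from
    SMM, or (b) write-protected PRx ranges cover the whole BIOS region. BLE
    without SMM_BWP is flagged: the SMI handler that clears a freshly set
    BIOSWE can be raced from another core, so BLE alone is not a lock."""
    ctrl = decode_bios_cntl(bios_cntl)
    ranges = [decode_pr(i, v) for i, v in enumerate(pr_values)]
    locked_by_smm = ctrl["BLE"] and ctrl["SMM_BWP"]
    covered_by_pr = pr_covers(ranges, bios_region)
    return {
        "protected": locked_by_smm or covered_by_pr,
        "locked_by_smm": locked_by_smm,
        "covered_by_pr": covered_by_pr,
        "ble_without_smm_bwp": ctrl["BLE"] and not ctrl["SMM_BWP"],
        "ranges": [r for r in ranges if r.write_protected or r.read_protected],
    }


# Constructed sample: 16 MiB flash whose BIOS region is the top 11 MiB.
BIOS_REGION = (0x500000, 0xFFFFFF)
SAMPLE_CASES = {
    "smm_locked": (0x22, [0, 0, 0, 0, 0]),            # BLE+SMM_BWP, no PRs
    "pr_covered": (0x02, [0x8FFF0500, 0, 0, 0, 0]),   # BLE only; PR0 spans region
    "pr_gap": (0x00, [0x88FF0500, 0x8FFF0A00, 0, 0, 0]),  # 0x900000-0x9FFFFF open
}

if __name__ == "__main__":
    for name, (cntl, prs) in SAMPLE_CASES.items():
        r = assess_bios_write_protection(cntl, prs, BIOS_REGION)
        verdict = "PROTECTED" if r["protected"] else "WRITABLE by host CPU"
        note = "  (BLE without SMM_BWP: SMI race)" if r["ble_without_smm_bwp"] else ""
        print(f"{name:11s} BIOS_CNTL=0x{cntl:02x}: {verdict}{note}")
```

The caveat that the Conti research makes concrete: BIOS_CNTL and the PR registers only constrain the host CPU as a flash master. The ME is a separate master whose access to the flash regions is set by the flash descriptor, so a machine that this check reports as protected can still have its BIOS region rewritten by compromised ME firmware, which is exactly why the group's work on reaching SPI flash from the ME widens the pool of viable targets.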

“The recent Conti leaks mark a critical phase in the rapidly evolving role of firmware in modern attacks. Threats such as TrickBoot, MosaicRegressor, and dozens of new forms of wiper malware have continued to drive attacks below the level of the operating system. However, the Conti leaks exposed a strategic shift that moves firmware attacks even further away from the prying eyes of traditional security tools.” concludes the report. “The shift to ME firmware gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems.”


(SecurityAffairs – hacking, firmware)
