Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft Intel Security

Malware Uses Obscure Intel CPU Feature To Steal Data and Avoid Firewalls (bleepingcomputer.com) 128

An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detected malware using AMT SOL to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.

This discussion has been archived. No new comments can be posted.

Malware Uses Obscure Intel CPU Feature To Steal Data and Avoid Firewalls

Comments Filter:
  • by H3lldr0p ( 40304 ) on Thursday June 08, 2017 @03:17PM (#54579687) Homepage

    This is exactly what was said was going to happen when it came to light that Intel was sticking extra shit to motherboards no one was asking for. And at the time, Intel said no one would be capable of getting to it. Guess what?

    So tired of this crap.

    • by Anonymous Coward on Thursday June 08, 2017 @03:24PM (#54579781)

      The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

      What we know about Intel CPU backdoors so far:

      TL;DR version

      Your Intel CPU and Chipset is running a backdoor as we speak.

      The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

      30C3 Intel ME live hack:
      @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
      [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
      [Quotes] Vortrag [events.ccc.de]:
      "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

      "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

      "We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

      "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

      "We can permanently monitor the keyboard buffer on both operating system targets."

      Backdoor removal:
      The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
      Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

      Decoding Intel backdoors:
      The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

      If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

      1. Introduction, what is Intel ME

      Short version, from Intel staff:

      Re: What Intel CPUs lack Intel ME secondary processor? [intel.com]
      Amy_Intel Feb 8, 2016 9:27 AM

      The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked wit

      • 3. The backdoor is active even when the machine is powered off:

        How exactly do they manage to read data from a hard drive which is spun down? (sarcasm)

        I'm sure this Intel backdoor could do plenty of nefarious things when the machine is at full power, but it's likely capable of nothing more than a glorified wake-on-lan when the machine is shut down. Of course, to me, "powered off" means you've physically cut power to the machine - and so long as Intel is still producing hardware based on the known laws of physics, that means the backdoor is inaccessible.

        • Well, assuming you have buffered data into the SPI you can now spool that out steganographically using SoL.

          Of note, to disable ME (at least on a basic level, and assuming BIOS supports it) you can configure BIOS do turn it off. While this won't totally disable it, it will turn off the higher level functions like AMT/SoL/IDER etc.

          And this is also yet more servings of crow for me to eat after having publically defended ME more than once. :(

    • by Train0987 ( 1059246 ) on Thursday June 08, 2017 @03:36PM (#54579885)
      You're assuming AMT doesn't exist as a back door mechanism for state actors in the first place.
    • People don't even understand the difference between CISC and RISC processors, so how can they be expected to understand an issue like this?

      They can't, and so they'll be credulous of all sorts of insane nonsense about "backdoors" and "shit... no one was asking for." Except that, it is shit people were in fact asking for.

      "Give us features to manage security at the network level, we have too many hosts to do it at the host level and we have security PEBCAK."
      And so they implement network level managemen

      • by Z80a ( 971949 )

        It's not a feature if you can't control it.

        • It's not a feature if you can't control it.

          That's just 100% pure derp.

          If you'd own your statement, you might say something. But all you did is derp on my screen.

          Are you saying that features you can't control are features you don't want? That has a different meaning than the stupid shit you actually said.

          And in this case, if you didn't want microcode that you can't control you wouldn't buy a CISC computer at all. If you want to own a computer that can play graphical games, for example, you're already asking for microcode. You might not have the techn

          • by Z80a ( 971949 )

            The ME have nothing to do with the microcode, it's a separate CPU embedded in the CPU that have no relationship and don't actually perform anything related to the main CPU, and it's only present on the newer Core Ix series.
            It was also available on the Core 2 computers, but was embedded on the motherboard rather than CPU.
            And it's a separate CPU with its own proprietary hidden ROM that can't be audited and can access your network, memory, disk etc..

            • The ME have nothing to do with the microcode[blah blah blah]

              Absolutely, never said differently. I was broadly addressing two separate idiocies, one relating to IME, the other relating to people whining about Intel's CPUs having extra secret code that they don't understand the reasons for. For most of the slashdot, that is just one blurry thing about Intel CPUs being like systemd.

              As for auditing, you can't audit the hardware in a CISC system. End of story. There is no chance. You don't really even want a processor if need that, you want programmable logic.

              • by Z80a ( 971949 )

                Well, you can hide a CPU in a RISC processor as well, pretty much do the same exact thing as the ME Engine but just don't tell anyone about it.

                • Right, but nothing is "hidden." Fuckin' duh.

                  Yeah, if you can't comprehend what features are on an integrated circuit, then you don't know what it does and shouldn't talk about it.

                  And if you don't fucking know, then you also don't fucking know and you don't even have to worry about if it is an integrated circuit or a toaster.

                  OTOH, if you know about IME and what it does, then there would be no surprise to find it on CISC CPUs intended for both servers and workstations. You would not tent to find those feature

      • I am wondering, what did you smoke to get this full retard?

        'they don't understand that you can't build a fast CISC processor in analog'
        ' you have to actually build a big mishmash of multiple RISC processors that together simulate a single CISC processor'
        'it even has fake timing semantics that are phrased as if it is a traditional digital logic circuit built from analog parts'
        'those analog parts are actually multiple levels of code below the interface you can touch'
        'This goes back to the 1950s!'
        ' If you don'

        • Stopped reading at the R-word. You really need to work on your "theory of mind," because what kind of person is actually going to read that sort of thing?

    • While I think it is imperative that a means to disable ME be available, it was never a secret. It was announced several years ago (around 2009) at conferences and press releases. Initially it was only on Xeon and processors intended for server use. My 6 year old Core5i system does not have it and I'm uncertain how low in the Intel CPU family it goes by now. It has many benefits for managers of datacenter machines as it allows access to unattended systems, even when they are down.

      Yes, people WERE asking for

      • by cfalcon ( 779563 )

        > I'm uncertain how low in the Intel CPU family it goes by now

        Go ahead and research it, you're in for a GREAT time. I bet you can't find one single Kabylake, Skylake, Broadwell, or Haswell without it.

        > It has many benefits for managers of datacenter machines

        If it was limited to those it might make some sense.

        > but why is it not disabled by default?

        The vuln in question is not a default feature. Remote management is not enabled by default, neither is this goofy serial-over-TCP thing.

        The real questi

      • by jabuzz ( 182671 )

        Really, can you point to a single Tier1 server vendor that is using Intel's AMT for lights out management? Certainly it's not HP, Dell, Lenovo or Oracle. Heck the ASRock mini-ITX board on my self-build home server is not using AMT either.

        They all without question using shitty Java VNC based crap that requires me to keep a collection of ancient browser and Java versions to interact with them all. The best is the now old but still perfectly functional Sun servers that won't work with any remotely modern versi

  • Good selection (Score:5, Insightful)

    by e r ( 2847683 ) on Thursday June 08, 2017 @03:18PM (#54579695)
    Workstation class machines are the ones that usually have the ME installed and enabled and these machines are also the most likely to have juicy information on them compared to sally-sue's facebook machine.

    Also, Stallman was right all along.
    • Re: (Score:2, Interesting)

      by thegarbz ( 1787294 )

      Also, Stallman was right all along.

      About what? About a feature which is controlable in the BIOS that offers power users a choice of network administration being a possible attack?

      Oh you didn't realise this was something you could disable and has nothing to do with any hidden code did you?

      • by Anonymous Coward

        Stallman was right about governments, businesses, and bad actors using the proprietary back doors in your computer to control you and curtail your freedom.

      • by Trogre ( 513942 )

        No, I didn't realise that choosing to disable AMT in a BIOS disabled every single component of AMT, including SOL, which is what this story is about.

        Please, tell me more.

        • It doesn't. What it does do is disable a lot of the common run of the mill remote access things like SOL which is what this article is about.

    • Re:Good selection (Score:4, Interesting)

      by myrdos2 ( 989497 ) on Thursday June 08, 2017 @03:43PM (#54579947)

      Also, Stallman was right all along.

      He usually is: Intel's chips contain a security hazard [slashdot.org]

      As I recall, Intel came out with a rebuttal that went something like: "It's perfectly secure and a standard computer management feature, you bunch of dunces." I hope they like that crow they're eating.

      • That will still be their response, and you should be able to detect by it if they're eating crow at all, or if you're just daydreaming.

        It may be that it is secure and it is a standard feature that many companies want, and that the people complaining are in fact not only dunces but clear ignoramuses.

        You can turn the feature off. And it isn't an obscure feature; it is an enterprise feature. There is actually a difference.

        Everybody who knew said all along that if you add enterprise-level management software, i

        • Re:Good selection (Score:5, Informative)

          by cfalcon ( 779563 ) on Thursday June 08, 2017 @05:13PM (#54580643)

          > You can turn the feature off

          You can't, though. In fact, if you actually remove the ME code, the Intel chip enters a halt state after 30 minutes. AMD is worse: the cores are held in reset until released by the PSP.

          Your pedantry relies on the fact that you can disable the particular feature that a vulnerability was discovered in. But that doesn't solve the problem, because there's still all that spooky code running in an unauditable way. This is at least the THIRD ME vuln in the last year or so.

          > Everybody who knew said all along that if you add enterprise-level management software, it becomes an attack vector

          Why is the ME present on every machine, no matter how small? Why is it in every laptop, desktop, tower, workstation, and server? Why all that ubiquity, if the only people who could ever make use of it are enterprise guys who pay for support and have a conformant BIOS and MOBO and turn it on? WHY IS IT EVERYWHERE????

          • Re:Good selection (Score:4, Interesting)

            by networkBoy ( 774728 ) on Thursday June 08, 2017 @06:05PM (#54580953) Journal

            Why is the ME present on every machine, no matter how small? Why is it in every laptop, desktop, tower, workstation, and server? Why all that ubiquity, if the only people who could ever make use of it are enterprise guys who pay for support and have a conformant BIOS and MOBO and turn it on? WHY IS IT EVERYWHERE????

            You really want to know why?
            Efficiency of development.
            AMT and it's components are where all the vulns have been found (so far).

            ME is a kernel that these other applications run on.
            Among other applications that run on the ME kernel (and that were formerly separate firmware processes on separate chips [thus higher hardware and maintenance costs]):
            PMC (power management controller, the ability to suspend and hibernate)
            PECI (CPU thermal management, keep you from smoking your i7 when the FAN dies)
            PMX (reset controller)
            PowerGate (lower power consumption on NOPs)
            QST (Fan controller, so your fans aren't always at max RPM)
            SmBus (DIMM timings and battery monitoring, along with other system health info)

            I'm sure there's more, but I simply no longer remember everything stuffed in the CSME.

            Long and short of it is:
            ME is the SystemD of chipsets. It's a lot easier to use common code and a common hardware to do all these things than it is to maintain each one separately. I wouldn't expect it to change anytime soon either, but an easy mitigation would be removing any world facing interface from the ME connected systems (E.g. AMT).

            If you're really worried about it get a "Min SKU" part. these only have what's needed for the machine to actually boor and run safely, none of the "value added" stuff, and if you're extra paranoid never use the on-board LAN (port 16992 BTW if you want to talk to AMT).

            • by cfalcon ( 779563 )

              > If you're really worried about it get a "Min SKU" part.
              Name one that doesn't have ME.

              >if you're extra paranoid never use the on-board LAN
              I don't, but I shouldn't have to.

              The concerns with ME are in two categories: one, it could have bugs in it. That's proven beyond a doubt: it has wildly exploitive bugs that live at a level you simply can't detect. That was a theory for years, now it is proven beyond ANY doubt. Two, it could have backdoors. You could argue that any bug that gives access like th

              • ME will be present on all systems, as it is now what runs what used to be separate sub systems.
                *most* of said systems have no I/O to the rest of the world and the MinSKU parts are the ones that have only what's needed of those systems to keep your platform stable. Pretty sure you don't want to run a system without a PMC or with no support for SPD timings.

                The higher level junk is where the proven vuls are (and yes you are absolutely correct there, as well as that you *shouldn't* have to worry about the LAN

          • That's a bunch of nonsense, it comes turned off. You don't "actually remove" part of the CPU, and you don't know how quickly it would fail because you've never spent the time to xray the chip and find the part you want, and lase it out while the chip is running. And then repeat until you get the process working. Nobody would do that.

            You can't get around the fact that if you want a CISC computer, which includes any computer with significant branch prediction and CPU cache (required for to run any sort of nec

            • by cfalcon ( 779563 )

              Your post is badly misinformed.

              First, lets get to the meat of it: you don't need an ME, except that the chip will stop working (again, after 30 minutes) if the ME code is removed. There are certain machines on which the ME has been successfully neutered, but this physical hack (which involves reflashing, certainly no CPU modifications) is limited to a few motherboards. Still, it should trivially debunk your claim. Further evidence includes the fact that the ME wasn't included (or mandatory) until a few

              • Well, sure, if you don't understand what topics are included in a post, it will look wrong to you in various ways. But it would be more effective to understand what you're replying to, so your reply is on-topic.

                Most of what you say is just some version of reality, twisted and spun really hard, the details forgotten. Like, IBM POWER series. It is true that its history and original instruction set were RISC, an instruction set created a decade before the thing that was actually implemented. So the books gener

          • by rastos1 ( 601318 )
            While I mostly agree with you, I found no traces of ME on my desktop machine at home (admittedly it is several years old) and neither on three desktops at work (one of them being at about 2 years old). And yesterday I checked one laptop that is only several months old and found no traces either.
  • by Anonymous Coward
    Modern app appers only use App Runtime Modules (ARM), NOT LUDDITE Intel processors with LUDDITE software!

    Apps!
  • ...with the computer-within-a-computer model. Instead of doing one thing and doing it well, and to use a cliche, putting all of one's eggs in one basket and then watching the basket, a fragmented model means that inevitably pieces get missed, as the proliferation of extra and possibly extraneous systems makes it impossible to keep-up with everything going on.

    More and more layers are piled-on, and more and more points are created for there to be problems.

  • by sexconker ( 1179573 ) on Thursday June 08, 2017 @03:19PM (#54579719)

    Fuck AMT (and AMD's PSP).

    They have almost zero real world benefit, and are just absurdly dangerous.

  • I thought they said it was 100% secure, and this would never happen.. lol fools they are.

    • It's 100% secure against YOU. The Government (that probably paid for it to be installed) had the keys from the start.
      • LOL that sounds good. but anybody with money to waste on a few cpu's could RE the thing with the skilled help of others(available on the internet if you know where to look) If I had the money and the will, I guarantee somebody I know would know the proper person to contact to get the information needed to access said backdoor. And obviously somebody has already done this(see article). I fully understand where you're coming from, Intel even went as far as to say it was impossible for somebody to hack. But no

    • I thought they said it was 100% secure...

      I don't believe either half of that; you didn't really think about it, and they didn't actually say that.

  • AMD for the win! AMD for the max pci-e in each cpu! Intel next round better be cheaper / better and no more of this cut down BS. Intel even tried cpu DLC windows only and it failed

  • by Anonymous Coward on Thursday June 08, 2017 @03:22PM (#54579757)

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
    [Quotes] Vortrag [events.ccc.de]:
    "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

    "We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

    "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    1. Introduction, what is Intel ME

    Short version, from Intel staff:

    Re: What Intel CPUs lack Intel ME secondary processor? [intel.com]
    Amy_Intel Feb 8, 2016 9:27 AM

    The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked wit

    • Are you sure about "own MAC and IP address"? Common network chip set (e.g. Intel 82574 family) external interfaces include: NC-SI or SMBus connection to a Manageability Controller (MC) with IPMI MC pass through; multi-drop NC-SI. This generally results in UDP/TCP port 623 traffic being re-directed to the Management Controller. The way I have seen this manifested is port 623 on all network interfaces is passed through to the management engine. The IP and MAC for the management engine is the same as for

      • by Anonymous Coward

        All of the AMT systems I have looked at in years past have an option to set a different IP for the AMT endpoint or to snoop on DHCP traffic and use the same IP address as the host OS.

        It was too long ago and I never played with it enough to confirm whether the static IP set for the engine would remain active while the host OS was running with its own network config, or if it simply served to provide for communication while the host OS or its network was disabled.

        What I did discover is that things went wonky

        • The AMT has to have the cooperation of the network chipset to access the network. I have crawled through petabytes of netflow from tens of thousands of routers supporting nearly a million computers and have never seen port 623 traffic associated with an IP that did not also have other traffic on other ports. I could have missed this since I wasn't explicitly looking for this though. It did amaze me that the AMT has its own list of servers for services such as NTP (which allows the manufacturer to see the h
    • by e r ( 2847683 )
      It gets worse: ARM has its own equivalent called "TrustZone" [wikipedia.org]
      • Yes, but the OEMs have full control of the code in TrustZone. As an example, there are at least four different commercially available kernels that run in Trustzone, making it a PITA to support anything connected to it.

  • by virve ( 63803 ) on Thursday June 08, 2017 @03:24PM (#54579785)

    Interest in countries around South China Sea? It was probably East Timor.

  • The problem always is: if there is a backdoor, the manufacturer is not the only one able to explore it.
  • Didn't take fucking long at all, now that the infosec companies know what they should've been looking for.

  • by Dunbal ( 464142 ) * on Thursday June 08, 2017 @04:16PM (#54580237)
    When can we expect a recall from Intel?
  • Some days the jokes just write themselves....

  • 1. This is no longer obscure, after having ample coverage here on /. over the past year
    2. This cannot be considered a feature - it's an anti-feature like DRM or remote killswitches.

  • by Anonymous Coward

    and I thought they got rid of the real power switch to save a buck, well, 50 cents anyway...

  • by Anonymous Coward

    "PLATINUM is by far one of the most sophisticated hacking groups ever discovered."

    There is nothing advanced about sending a NDL and requesting a backdoor be made.

  • by Trogre ( 513942 ) on Thursday June 08, 2017 @04:45PM (#54580445) Homepage

    Is it correct that the AMT is fully dependent on the onboard Ethernet, WiFi and 3G chips for communication?

    If so, would simply not using those chips be a suitable workaround? If so, I foresee a strong market for PCIe ethernet cards, particularly ones that don't depend on Intel drivers.

  • Now that non-InfoWars.com and Coast to Coast news organizations are talking about this it's been upgraded to "real news".

  • Thank you, Intel, for subverting my PC hardware in such a way that makes it impossible for me to defend against hackers and government agencies!

    You done innovated the SHIT outta that computer stuff!

  • There's a company that says they have found a way to neutralize the ME, overwriting all of its main modules (i.e. the ones that allow DMA and network access like this exploit uses): https://puri.sm/learn/avoiding... [puri.sm]
  • Nobody tell them it's built into the very assembly code that runs our networks, ok?

  • At least SOMEONE is using the feature, MS certainly doesn't seem to use it... ever.

  • When I ordered my laptop from HP a couple years ago, the system configuration page had an option to either enable or disable vPro. I chose to disable vPro, which means I don't have SOL. I remember Dell also giving you that option on their web site.
    • by cfalcon ( 779563 )

      Do you also think the "close" button works on elevators? Do you think turning off telemetry in Windows 10 turns it off?

      The ME is running regardless of what you set your BIOS to. Whether it can reach the outside world seems like it is motherboard dependent. It's true that you aren't vulnerable to THIS vuln. But what about the others? We know there are others. We just don't know exactly where they are. The bad guys sure do though.

      • Well vPro isn't a BIOS setting. There isn't any setting in the BIOS that you can use to enable or disable it. It's something the manufacturer configures at the factory, and once it's disabled, it's impossible to enable it. At least that's what they say...
  • Interesting that Microsoft comes out with this report just as Intel is throwing around some not-so-vague legal threats [slashdot.org].

  • There are actually a number of Intel Core chipsets released every year that are not cursed with vPro and AMT. You may want to choose from those. Not sure how to pick the right Xeon though. http://ark.intel.com/Search/Fe... [intel.com]

MS-DOS must die!

Working...