When analyzing leaked conversations from the Conti ransomware operation, researchers found that teams from the group were developing hacks based on firmware, more specifically on Intel chipsets.
Developers in the group created proof-of-concept (PoC) code leveraging the Intel Management Engine (ME) — a physical microcontroller embedded inside Intel chipsets that runs a microOS to provide out-of-band services — to subscribe to flash and get execution. SMM (System Management Mode).
Conti was looking to ME to find undocumented functions and commands that could be leveraged. In this way, the group could access the flash memory that hosts the UEFI/BIOS firmware, to bypass protections and perform arbitrary code execution on a compromised system.
It is worth remembering that, unlike the TrickBot module that targeted UEFI firmware flaws to aid Conti infections and later undertaken by the group, Eclypsium’s findings indicate that engineers were committed to discovering new, unknown flaws in the microcontroller.
Finally, by offloading an implant into the SMM code, the group could act at the highest system privilege level (ring-0) without being detected by OS security tools.
Intel Firmware Sneak Attacks
A firmware attack first goes through accessing the system through a common path: using phishing, exploits, or a supply chain attack.
After attackers compromise the ME, the next step is based on OOP (Out of Protection) regions that are allowed access, depending on the implementation of the Intel Management Engine and various other restrictions or protections.
These could be access to overwrite the SPI descriptor or moving the UEFI/BIOS out of the protected area or direct access to the BIOS region, according to the researchers at Eclypsium.
If the Intel Management Engine does not have access to any of them, threat actors could still turn to ME to force a virtual media boot and unlock the PCH protections that support the SPI controller.
This attack flow could be used by Conti to permanently lock down systems, gain persistence, evade antivirus detections, and endpoint detection and response (EDR), bypassing operating system security.
Although the Conti ransomware group announced the end of operations in May, members are still working to conduct attacks on smaller, autonomous groups. In addition, the code already developed by the engineers continues to exist, which does not rule out the chances of being used in real attacks. The possibilities are countless.
To protect yourself, it is important that available hardware firmware updates are properly installed, as well as monitoring the ME for configuration changes and regularly checking the integrity of the SPI flash.