Demons: Intel ME/AMT/FSP , AMD PSP/IMC/SMU/AGESA , Firmware/Microcode/BIOS, HDD/SSD/USB

grarpamp grarpamp at gmail.com
Fri Jun 9 00:24:24 PDT 2017


https://it.slashdot.org/story/17/06/08/1754244/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls
https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/
http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

Microsoft's security team has come across a malware family that uses
Intel's Active Management Technology (AMT) Serial-over-LAN (SOL)
interface as a file transfer tool. The problem with Intel AMT SOL is
that it's part of Intel's ME, a separate chip inside Intel CPUs that
runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which
works even when the PC is turned off. Furthermore, because this
virtual network interface runs inside ME, firewalls and security
products installed on the main OS won't detect malware using AMT SOL
to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage
unit codenamed PLATINUM, active since 2009, and which has targeted
countries around the South China Sea. PLATINUM is by far one of the
most sophisticated hacking groups ever discovered. Last year [PDF],
the OS maker said the group was installing malware by abusing
hotpatching — a mechanism that allows Microsoft to issue updates that
tap into active processes and upgrade applications or the operating
system without having to reboot the computer.
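Because the SOL channel terminates in the ME rather than in the host OS, the place a defender can still see it is on the wire. The following is an added example, not code from the post or the articles it quotes: it scans constructed flow records for traffic to the Intel AMT service ports, flagging peers outside an IT-managed allow-list and redirection sessions whose byte volume does not look like console use. The port assignments (TCP 16992/16993 for the AMT web/WS-Man interface, 16994/16995 for SOL/IDE-R redirection), the flow-line format and the allow-list are my assumptions, not stated on the page.

```python
"""Flag Intel AMT traffic in network flow records (added example, not the
page's own code). Assumptions: AMT listens on TCP 16992/16993 (web/WS-Man)
and 16994/16995 (SOL/IDE-R redirection, plain/TLS); flow lines read
"ts src:sport dst:dport proto bytes"; ALLOWED holds (client, amt_host)
pairs that IT actually provisioned for remote management."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

AMT_PORTS = {16992: "amt-http", 16993: "amt-https",
             16994: "amt-redirect-sol", 16995: "amt-redirect-sol-tls"}

# Constructed sample flows: an unknown peer moving ~42 MB over the SOL
# redirection port, an IT console touching the same AMT host, an ordinary
# HTTPS flow, and a small SOL session from the IT console.
SAMPLE_FLOWS = [
    "2017-06-08T10:01:02 10.0.5.20:51234 10.0.7.15:16994 tcp 42100000",
    "2017-06-08T10:02:10 10.0.1.9:40001 10.0.7.15:16992 tcp 3200",
    "2017-06-08T10:03:44 10.0.5.20:51240 10.0.7.16:443 tcp 8900",
    "2017-06-08T10:05:00 10.0.1.9:40002 10.0.7.15:16994 tcp 18000",
]
ALLOWED: Set[Tuple[str, str]] = {("10.0.1.9", "10.0.7.15")}  # constructed

@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int

def parse_flow(line: str) -> Flow:
    """Parse one 'ts src:sport dst:dport proto bytes' record."""
    ts, src, dst, proto, nbytes = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, s_ip, int(s_port), d_ip, int(d_port), proto, int(nbytes))

def amt_alerts(lines: Iterable[str], allowed: Set[Tuple[str, str]],
               sol_bytes_threshold: int = 1_000_000) -> List[tuple]:
    """Return (ts, src, dst, service, reasons) for each suspicious AMT flow."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        service = AMT_PORTS.get(f.dport)
        if service is None or f.proto != "tcp":
            continue  # not AMT: the host firewall can see this one anyway
        reasons = []
        if (f.src, f.dst) not in allowed:
            reasons.append("peer not in provisioned AMT allow-list")
        if service.startswith("amt-redirect") and f.nbytes >= sol_bytes_threshold:
            reasons.append("SOL volume inconsistent with console use")
        if reasons:
            alerts.append((f.ts, f.src, f.dst, service, tuple(reasons)))
    return alerts

if __name__ == "__main__":
    for a in amt_alerts(SAMPLE_FLOWS, ALLOWED):
        print(a)
```

The volume heuristic matters because a legitimate SOL session carries a serial console's worth of bytes, while file transfer over it does not.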
