An analysis of leaked chats from the Conti ransomware gang found that the cybercrime group was planning firmware attacks targeting the Intel Management Engine (ME). The firmware has various implementations, including the Intel Manageability Engine (before Skylake), Intel Converged Security and Management Engine (Skylake and later), Intel Trusted Execution Environment (Atom processors), and Server Platform Services (servers).
Intel ME provides various functions, including anti-theft protection and out-of-band management. Compromising it would allow threat actors to introduce a backdoor on Intel devices and execute commands without detection by OS-based security tools.
Additionally, firmware and supply chain security company Eclypsium says the chats appear to confirm the link between the Conti ransomware gang and the Russian Foreign Service Bureau (FSB).
Conti ransomware developed proof-of-concept code for firmware attacks
Analysis by Eclypsium showed that attackers were fuzzing the Management Engine Interface (MEI), formerly the Host Embedded Controller Interface (HECI), to find undocumented commands and zero-day vulnerabilities in the Intel ME.
According to the analysis, the attackers were trying to access the SPI flash memory that holds the UEFI/BIOS in order to bypass its protections.
Additionally, Conti ransomware attempted to create an SMM implant that would execute with privileges higher than ring 0. The operating system therefore cannot examine or stop SMM code from running, which allows the implant to modify the kernel on the fly.
However, the follow-on attacks available after compromising Intel’s ME depend on which features the attackers can reach once they bypass the “out-of-write” protections.
After compromising ME, the attacker could overwrite the SPI descriptor to remove UEFI/BIOS write protection.
They could also unlock PCH protections by forcing a boot from a virtual device through the Intel Management Engine.
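The attack chain above hinges on the platform's SPI flash write protections: the BIOS_CNTL lock bits (BIOSWE, BLE, SMM_BWP) and the flash configuration lock-down bit (FLOCKDN) in HSFS. The following script is an added example, not code from the article or from Eclypsium, that decodes those register values into a write-protection verdict, the kind of check a defender runs to confirm the protections an ME or SMM implant would need to bypass are actually engaged. The bit positions follow the publicly documented Intel PCH register layout; the register dump format and the values in it are constructed for the example, and reading the live registers requires a firmware assessment tool, which is outside this snippet.

```python
"""Decode Intel PCH flash-protection register values into a write-protection verdict.

Added example, not from the article or Eclypsium. Bit positions follow the
documented PCH layout (BIOS_CNTL: BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5;
HSFS: FLOCKDN bit 15). The dump format parsed below is a constructed
"NAME=0xVALUE" text, not the output of any real tool.
"""
import re
from dataclasses import dataclass, field

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = host software may write the BIOS region
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI that SMM can veto
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = BIOS region writable only while in SMM
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: 1 = protected-range registers locked


@dataclass
class FlashProtectionStatus:
    bios_region_protected: bool
    spi_config_locked: bool
    findings: list = field(default_factory=list)


def decode_flash_protection(bios_cntl: int, hsfs: int) -> FlashProtectionStatus:
    """Return a verdict plus human-readable findings for the given register values."""
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    flockdn = bool(hsfs & FLOCKDN)
    findings = []

    # The BIOS region counts as write-protected when writes are disabled and the
    # lock stops ring-0 code from re-enabling them, or when SMM_BWP confines all
    # writes to SMM. Either way, a host-level attacker cannot rewrite the flash
    # without first defeating SMM or the ME, which is the chain described above.
    if smm_bwp or (ble and not bioswe):
        bios_protected = True
    else:
        bios_protected = False
        if bioswe:
            findings.append("BIOSWE=1: BIOS region writable from the host OS")
        if not ble:
            findings.append("BLE=0: BIOSWE can be set without triggering an SMI")
    if not flockdn:
        findings.append("FLOCKDN=0: SPI protected-range registers are not locked")
    return FlashProtectionStatus(bios_protected, flockdn, findings)


def parse_register_dump(text: str) -> dict:
    """Parse constructed 'NAME=0xHEX' lines (example format, not a real tool's output)."""
    regs = {}
    for name, value in re.findall(r"^\s*([A-Z_]+)\s*=\s*(0x[0-9A-Fa-f]+)", text, re.M):
        regs[name] = int(value, 16)
    return regs


def assess_dump(text: str) -> FlashProtectionStatus:
    """Parse a dump and decode it; missing registers are treated as all-zero (unprotected)."""
    regs = parse_register_dump(text)
    return decode_flash_protection(regs.get("BIOS_CNTL", 0), regs.get("HSFS", 0))


# Constructed sample dumps: one hardened platform, one with every lock left open.
HARDENED_DUMP = "BIOS_CNTL=0x02\nHSFS=0x8000\n"
OPEN_DUMP = "BIOS_CNTL=0x01\nHSFS=0x0000\n"

if __name__ == "__main__":
    for label, dump in (("hardened", HARDENED_DUMP), ("open", OPEN_DUMP)):
        status = assess_dump(dump)
        print(f"{label}: bios_protected={status.bios_region_protected} "
              f"spi_locked={status.spi_config_locked}")
        for finding in status.findings:
            print("  -", finding)
```

A platform that reports BIOSWE=0 with BLE=1, or SMM_BWP=1, together with FLOCKDN=1 is in the state the article's write-protection bypass has to defeat; any finding the script prints means the flash could be rewritten from the operating system without touching the ME at all, which is the simpler and more common failure to fix first.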
The chats suggested that the Conti ransomware gang had developed PoC code with this functionality nine months ago. Eclypsium suggested that the exploits were potentially deployed or could become available soon.
The Conti ransomware gang also allegedly leveraged research by the Russian cybersecurity firm Positive Technologies. U.S. intelligence authorities have accused the company of providing the Kremlin with hacking tools and running its operations.
Conti could exploit the supply chain to deliver firmware malware
The chats did not disclose how the Conti ransomware gang intends to deliver the payload necessary for executing firmware attacks.
However, common attack vectors include phishing, system or application vulnerabilities, insider threats, or compromising the supply chain during distribution, warehousing, or delivery.
Since 2017, Intel has discovered multiple ME code execution and privilege escalation vulnerabilities. However, the group has not discovered any unmitigated flaw and could instead rely on organizations’ failure to patch their systems.
Firmware attack deployment scenarios
Conti ransomware could leverage firmware attacks to brick the system by overwriting the system firmware, using tools such as WhisperGate and HermeticWiper, which were used during attacks on Ukraine.
The group could also leverage firmware attacks to establish persistence on compromised systems, and to bypass antivirus and other security tools that depend on operating system functions.
Cybercrime gangs could also leverage firmware attacks to bypass device protections such as BitLocker, Credential Guard, Early Launch AntiMalware (ELAM), and Windows Virtual Secure Mode (VSM).
Conti ransomware could sell these exploits to other threat actors, including state-sponsored attackers. They could also leverage firmware attacks to deploy ransomware.
“The Conti leaks exposed a strategic shift that moves firmware attacks even further away from the prying eyes of traditional security tools,” the Eclypsium researchers stated.
“The shift to ME firmware gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems.”
Conti ransomware shut down its operations, but firmware attacks could live on
The Conti ransomware gang had adopted a corporate model with fully functional HR departments, suppliers, and contractors. Subsequently, the group supposedly shut down after sanctions crippled its operations during the Russian invasion of Ukraine.
However, Conti ransomware code could live on, with members forming other ransomware gangs and proceeding with the firmware attacks. Individual gang members could carry their skills and experience to other existing RaaS groups, ensuring that firmware attacks come to fruition despite Conti’s disbandment.