Conti ransomware group explored the possibility of conducting firmware-based attacks

The notorious Russian-speaking cybercrime syndicate Conti, known for its ransomware attacks on multiple organizations and businesses worldwide, developed proof-of-concept code for attack techniques targeting vulnerabilities in firmware that could offer a path to accessing privileged code on compromised devices, revealed the analysis of the gang’s internal chats that leaked earlier this year.

Specifically, the attacks targeted embedded microcontrollers such as the Intel Management Engine (ME) or Intel Converged Security Management Engine (CSME), according to researchers at cybersecurity firm Eclypsium who analyzed the leaked chats.

“It is important to note that no new or unmitigated vulnerabilities have been identified and that Intel chipsets are no more or less vulnerable than any other code. The issue is that most organizations do not update their chipset firmware with the same regularity that they do their software or even the UEFI/BIOS system firmware. This can leave some of the most powerful and privileged code on a device susceptible to attack,” the researchers said.

“Compromising the Management Engine of a system would have considerable value on its own, but the leaks show that the group is using the unique privileges of the ME firmware as a way to gain indirect access to the UEFI/BIOS, drop additional payloads, and gain runtime control of the system below the operating system using System Management Mode (SMM). Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system,” they added.

Conti internal communications indicate that the group was researching vulnerabilities related to ME firmware as well as BIOS_WP (BIOS Write Protection).

More specifically, the research focused on several areas: the possible existence of undocumented commands and flaws in the Management Engine Interface (MEI); access to the SPI flash (the memory that holds the UEFI/BIOS system firmware) from the ME, in order to bypass other protections generically; and the possibility of dropping a System Management Mode (SMM) implant that would allow the attackers to modify the kernel on the fly with complete stealth, without the OS being able to do anything to prevent it.
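The BIOS_WP research mentioned above targets the write-protection bits that gate host access to the SPI flash. The check a defender runs is the inverse: read the PCH's BIOS_CNTL register and confirm that the flash is locked. The following is an added example written for this article, not code from Eclypsium or from the leaked chats. It assumes the BIOS_CNTL bit layout documented for Intel 6/7/8/9-series PCHs (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5, register at offset 0xDC of the LPC bridge D31:F0; newer PCHs relocate it to the SPI controller), and the sample register values are constructed, not read from a real machine.

```python
"""Decode the Intel PCH BIOS_CNTL register and report whether the SPI flash
holding the UEFI/BIOS is write-protected (the check behind "BIOS_WP").

Added example for illustration; bit layout assumed from Intel 6/7/8/9-series
PCH datasheets, sample values constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Bit positions in BIOS_CNTL (assumption: Intel 6/7/8/9-series PCH layout).
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = SPI flash writable from the host
BLE = 1 << 1      # BIOS Lock Enable: 1 = an attempt to set BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes allowed only while in SMM

# Constructed sample register values (not captured from real hardware).
SAMPLES = {
    "locked":      0x2A,  # BLE and SMM_BWP set, BIOSWE clear
    "ble_only":    0x0A,  # BLE set, SMM_BWP clear
    "unprotected": 0x09,  # BIOSWE set, BLE clear
}


@dataclass(frozen=True)
class BiosWriteProtection:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # Fully protected only when the host cannot write (BIOSWE=0), the
        # lock is armed (BLE=1) and writes are confined to SMM (SMM_BWP=1).
        return (not self.bioswe) and self.ble and self.smm_bwp

    def findings(self) -> List[str]:
        notes = []
        if self.bioswe:
            notes.append("BIOSWE=1: host software can write the SPI flash")
        if not self.ble:
            notes.append("BLE=0: BIOSWE can be set without triggering an SMI")
        if not self.smm_bwp:
            notes.append("SMM_BWP=0: flash writes are not confined to SMM")
        return notes


def decode_bios_cntl(value: int) -> BiosWriteProtection:
    """Split an 8-bit BIOS_CNTL value into the three protection bits."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return BiosWriteProtection(
        bioswe=bool(value & BIOSWE),
        ble=bool(value & BLE),
        smm_bwp=bool(value & SMM_BWP),
    )


def assess(value: int) -> Tuple[bool, List[str]]:
    """Return (is_protected, list of human-readable findings)."""
    state = decode_bios_cntl(value)
    return state.protected, state.findings()


def read_bios_cntl_linux(config_path: str = "/sys/bus/pci/devices/0000:00:1f.0/config",
                         offset: int = 0xDC) -> int:
    """Read BIOS_CNTL from the LPC bridge's PCI config space on Linux.

    Assumption: D31:F0 at offset 0xDC (older PCHs); reading config space past
    the first 64 bytes requires root. Not exercised by the samples above.
    """
    with open(config_path, "rb") as f:
        f.seek(offset)
        data = f.read(1)
    if len(data) != 1:
        raise OSError("could not read BIOS_CNTL; try running as root")
    return data[0]


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        ok, notes = assess(value)
        print(f"{name:12s} BIOS_CNTL=0x{value:02X} protected={ok}")
        for note in notes:
            print("   -", note)
```

Running the script on the constructed samples reports the "locked" value as protected with no findings, while the "ble_only" value is flagged because BLE without SMM_BWP leaves flash writes gated only by the SMI handler rather than by hardware; that distinction is why a chipset-firmware inventory should record all three bits, not just BIOSWE.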

Eclypsium said the group developed PoC code for these attacks nine months ago, and the company expects the techniques to be used in the wild in the near future.

More technical details are available in the Eclypsium report.

In May, Conti officially shut down its operation, including all of its infrastructure. However, security researchers warn that the gang hasn't gone anywhere and has simply split into smaller, newer brands.

Last month, the US State Department offered a reward of up to $10 million for information that would help identify or locate high-ranking members of the Conti ransomware gang. In addition, the US authorities offered a reward of up to $5 million for information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.
