Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks.
The Intel Management Engine (ME) is an embedded microcontroller within Intel chipsets that runs its own micro-OS to provide out-of-band services. Conti was fuzzing that component to find undocumented functions and commands it could leverage.
From there Conti could access the flash memory that hosted UEFI/BIOS firmware, bypass write protections, and perform arbitrary code execution on the compromised system.
The final goal would be to drop an SMM implant that would run with the highest possible system privileges (ring-0).
Firmware attacks in Conti ransomware
For a firmware attack to be possible:
Ransomware actors would first need to access the system via a common pathway such as phishing, exploiting a vulnerability, or performing a supply chain attack.
After compromising the ME, the attackers would have to follow an attack plan based on what “out-of-write protection” regions they are allowed to access.
Eclypsium says these could be either access to overwrite the SPI Descriptor and move the UEFI/BIOS outside the protected area or direct access to the BIOS region.
There is also the scenario in which the ME has access to neither. In that case the threat actors could leverage Intel’s Management Engine to force a boot from virtual media and unlock the PCH protections that underpin the SPI controller.
While the Conti operation appears to have shut down, many of its members have moved to other ransomware operations where they continue to conduct attacks.
To protect from these threats:
- Apply the available firmware updates for your hardware.
- Monitor the ME for configuration changes, and verify the integrity of the SPI flash regularly.
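One concrete way to do the "verify the integrity of the SPI flash" part of that advice is to keep a known-good hash of the flash contents and compare every new dump against it. The script below is an added example, not code from the article or from Eclypsium. It assumes the dump has already been captured on a trusted system with a tool such as CHIPSEC (`chipsec_util spi dump current.bin`) or flashrom, which needs root and supported hardware; the file names, the baseline format and the stand-in "images" in the demo are constructed for the demonstration and are not real firmware.

```shell
#!/bin/sh
# Added example (not from the article): compare a firmware flash dump with a
# recorded known-good SHA-256 baseline, so that a silent change to the
# UEFI/BIOS region shows up as a hash mismatch.
#
# Capturing the dump is out of scope here; on supported hardware it can be
# done (as root) with, for example:
#   chipsec_util spi dump current.bin
# and the write-protection state can be checked with:
#   chipsec_main -m common.bios_wp
#   chipsec_main -m common.spi_lock

# record_baseline DUMP BASELINE_FILE
# Append the SHA-256 of a dump taken from a trusted, freshly-updated system.
record_baseline() {
    sha256sum "$1" >> "$2"
}

# verify_flash_image DUMP BASELINE_FILE
# Exit status: 0 = dump hash matches a baseline entry,
#              1 = hash not found (flash contents changed),
#              2 = dump or baseline file unreadable.
verify_flash_image() {
    dump="$1"
    baseline="$2"
    [ -r "$dump" ] || { echo "missing dump: $dump" >&2; return 2; }
    [ -r "$baseline" ] || { echo "missing baseline: $baseline" >&2; return 2; }
    actual=$(sha256sum "$dump" | cut -d' ' -f1)
    # Baseline lines look like "<sha256>  <label>", as written by sha256sum.
    if grep -q "^$actual " "$baseline"; then
        echo "OK: $dump matches baseline"
        return 0
    fi
    echo "ALERT: $dump hash $actual not in baseline; flash contents changed" >&2
    return 1
}

# Demonstration with constructed stand-in images (plain text, not firmware).
demo() {
    tmp=$(mktemp -d)
    printf 'constructed good image' > "$tmp/good.bin"
    cp "$tmp/good.bin" "$tmp/current.bin"
    printf 'constructed modified image' > "$tmp/modified.bin"
    record_baseline "$tmp/good.bin" "$tmp/baseline.sha256"
    verify_flash_image "$tmp/current.bin" "$tmp/baseline.sha256"
    verify_flash_image "$tmp/modified.bin" "$tmp/baseline.sha256" || true
    rm -rf "$tmp"
}
demo
```

In practice the baseline file should be written once from a trusted dump taken right after a vendor firmware update, stored off the monitored host, and refreshed only when a new update is applied; any mismatch on a scheduled check is then a signal to investigate rather than something to re-baseline away.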