Posted on June 10, 2017 at 11:21 AM
Microsoft says a group operating in Southeast Asia has adopted a new technique for evading firewalls and network monitoring software. Breaking into a system is only the first step for an attacker: once the malware is running on the remote machine, the second task is to stay hidden, which means making that activity as hard to detect as possible.
The group, which Microsoft calls PLATINUM, has built a file-transfer tool for moving files between compromised machines, giving its malware a new communication channel. The technique leverages Intel's Active Management Technology (AMT) to bypass the Windows firewall. It can do this because the AMT firmware runs on the chipset's management controller, below the operating system, with its own access to the network interface.
AMT needs to run at that level to do its job. It can power-cycle a system, send keyboard and mouse input to it, and show what is on its display. It needs access to the network interface for tasks such as remotely installing an operating system on a bare machine, and it needs to emulate hardware such as a keyboard and mouse in order to feed input to the operating system.
The same capabilities that AMT needs for those tasks are what make it attractive to attackers. Because AMT's network traffic never passes through the operating system's IP stack, an attacker using it is invisible to the host's firewall and to any monitoring software running on the host. PLATINUM's tool bridges the network and the malware running on the compromised system through AMT's virtual hardware, which exposes a virtual serial port.
Communication between machines uses serial-over-LAN (SOL) traffic handled by AMT. The malware on the compromised machine attaches to the virtual AMT serial port to send and receive data, and the operating system and its firewall never see it. PLATINUM's key advantage is that it can transfer files between systems on the network without those transfers showing up on the machines themselves. The traffic is still visible on the wire, however, so a network-level sensor, rather than a host agent, is the place to look for it.
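Because SOL sessions terminate in the AMT firmware rather than in the host's IP stack, the practical detection point is a network sensor (span port, flow export, IDS) rather than host logs. The following script is an added illustration of that idea and is not code from Microsoft's report or from PLATINUM. It scores constructed flow records and flags traffic to the AMT listener ports (16992/16993 for AMT's web and WS-Management interface, 16994/16995 for SOL and IDE-R redirection) whose source is not an allow-listed management console. The console address, the workstation subnet and the flow-record format are assumptions made for the example.

```python
"""Network-side detection of AMT serial-over-LAN (SOL) channel use.

Added illustration, not code from Microsoft or from the PLATINUM tool.
Host firewalls cannot see SOL traffic, so this works on flow records
captured by a network sensor.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Intel AMT listener ports on the managed machine's network interface:
#   16992/16993  AMT web / WS-Management over HTTP / HTTPS
#   16994/16995  redirection (SOL and IDE-R) over TCP / TLS
AMT_WEB_PORTS = {16992, 16993}
AMT_REDIR_PORTS = {16994, 16995}

# Assumed for the example: the only hosts that may legitimately open
# AMT sessions, and the subnet that holds ordinary workstations.
MANAGEMENT_CONSOLES = {ip_address("10.0.0.5")}
WORKSTATION_NET = ip_network("10.0.1.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(lines):
    """Parse 'src dst dport bytes' records (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def classify(flow):
    """Return a finding string for suspicious AMT traffic, else None."""
    if flow.dport not in AMT_WEB_PORTS | AMT_REDIR_PORTS:
        return None
    src = ip_address(flow.src)
    if src in MANAGEMENT_CONSOLES:
        return None  # expected: the management console talking to AMT
    kind = "sol-redirection" if flow.dport in AMT_REDIR_PORTS else "amt-web"
    if src in WORKSTATION_NET:
        # Workstation-to-workstation use of the AMT ports matches the
        # lateral file transfer described above: neither end is a console.
        return f"{kind}: workstation-to-workstation {flow.src}->{flow.dst}"
    return f"{kind}: unexpected source {flow.src}->{flow.dst}"


def detect(lines):
    """Group findings by the target host that exposed AMT."""
    findings = defaultdict(list)
    for flow in parse_flows(lines):
        verdict = classify(flow)
        if verdict:
            findings[flow.dst].append(verdict)
    return dict(findings)


# Constructed sample: one legitimate console session, one peer-to-peer
# SOL session carrying a large transfer, and one AMT web hit from outside.
SAMPLE_FLOWS = """
# src          dst          dport  bytes
10.0.0.5       10.0.1.20    16994  4096
10.0.1.20      10.0.1.21    16994  917504
10.0.1.20      10.0.1.21    445    2048
10.0.2.9       10.0.1.22    16993  1200
10.0.1.21      10.0.1.20    443    512
"""

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_FLOWS.splitlines()).items():
        print(host)
        for hit in hits:
            print("  ", hit)
```

The allow-list is the weak point of this check: a legitimate console that is itself compromised would pass, so in practice pair it with AMT session logging on the console side and with an inventory of which hosts actually have AMT provisioned.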
The finding puts AMT under further scrutiny. Earlier this year a long-standing flaw in AMT's remote authentication was disclosed that lets an attacker reach AMT's management interface without knowing the AMT password, which means full KVM control of the machine and an easy path to compromising it.
That flaw, however, is not what PLATINUM is using. The group does not exploit any AMT vulnerability; it simply uses AMT as a transport, and for that it needs AMT provisioned with serial-over-LAN enabled.
If AMT is not enabled, PLATINUM's technique does not work: both the group's malware and the authentication flaw mentioned above require AMT to be enabled. Microsoft was not clear on how the attackers get to that state. Either the malware enables AMT itself, which requires administrative privileges on the host, or AMT was already provisioned and the malware obtained the credentials needed to use it.