Security researchers discovered the Conti ransomware group was targeting two Intel firmware management tools in order to carry out persistent, hard-to-detect attacks.
Researchers with security vendor Eclypsium have analyzed leaked data and communications between core members of the possibly defunct Conti ransomware crew outlining their efforts to target both the Intel Management Engine (ME) and Converged Security Management Engine (CSME). Beginning in late February amid Russia's invasion of Ukraine, an anonymous security researcher known as "Conti Leaks" began publishing the ransomware group's source code, private communications and other data.
"Leaked conversations indicate that the Conti group had already developed proof-of-concept code for these methods nine months ago," the Eclypsium team explained in a blog post Thursday. "As a result, we expect that these techniques will be used in the wild in the near future if they haven't already."
Designed to help administrators remotely manage and update systems, ME and CSME function as an on-board microcontroller that runs below the operating system level. ME is the older version of the technology, found on pre-Skylake systems, while CSME runs on Skylake and later boards.
Notable vulnerabilities have been discovered in both Intel CSME and ME in recent years; Eclypsium researchers said Conti operators were fuzzing the two firmware platforms to find new weaknesses and vulnerabilities.
"Analysis of internal Conti communications revealed that attackers were deeply investigating vulnerabilities related to Intel ME as well as BIOS_WP (BIOS Write Protection)," Eclypsium said. "This is a significant change in tactics from the most recent firmware threats."
With access to the board controllers, it is then possible to get at the UEFI framework. This, researchers said, is exactly why the Conti hackers would want to compromise the ME and CSME hardware. By getting control of the chips, the attackers would be able to manipulate UEFI and BIOS settings.
In some cases, this would let the attacker effectively brick the system by wiping all data and preventing future updates or recovery.
Eclypsium, however, believes that Conti members have other plans for their exploits. Having access to the board itself at a level below UEFI would effectively give the intruder total persistence on a compromised machine and the ability to re-establish control over that machine even after the initial breach is detected and shut down.
"Attackers are able to use the unique privileges of firmware to evade a wide variety of security features and security products in order to establish ongoing persistence on a device," the Eclypsium team explained. "Groups like Conti directly monetize such persistence by reselling access to other threat actors, or even dropping additional ransomware payloads at a later date."
The ME and CSME chips themselves are not remotely accessible, meaning the attacker would already need administrator control over the targeted machine. From there, the intruder would drop a specially crafted driver that can access and exploit the flaws and issue commands to the chips.
Unfortunately for administrators and defenders, Conti operators and their various affiliate hackers have shown they are successful at using not only software exploits but also phishing and malicious attachments to gain the required level of control to pull off such a procedure.
"The shift to Intel ME gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems," Eclypsium said.
Eclypsium's research comes amid recent reports that Conti has shut down operations. The ransomware crew reportedly had a major split among its members over whether to back Russia in its invasion of Ukraine, leading some to leave and form new ransomware outfits or join other existing groups.