Security

Vxers exploit Intel's Active Management for malware-over-LAN

Platinum attack spotted in Asia, needs admin credentials

By Richard Chirgwin

6 SHARE

Microsoft is warning against a new way to exploit Intel's Active Management Technology, this time to pass messages between infected machines over business LANs.

So far, Microsoft says, the attack (which uses a variant of 2016's Platinum file transfer tool) has only been spotted in Asia, and fortunately it can only be exploited if an attacker tricks a sysadmin into providing administrative credentials.

As Redmond points out, the new wrinkle doesn't create a new attack vector, but rather it “misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications”.

The feature being misused is AMT's Serial-over-LAN (SOL), attractive to an attacker because it's independent of the host operating system.

It could be spotted by a separate standalone firewall, but it wouldn't be picked up by a host-based firewall. Another attraction to an attacker is that the embedded processor is designed to provide remote out-of-band capabilities like power cycling and KVM, even if the main processor is powered down.

SOL can also communicate over the LAN if a physical connection exists, regardless of whether networking is enabled on the host.

Microsoft also offers the hypothesis that if Platinum infected a system that didn't have AMT enabled, it could use stolen admin credentials and the technology's host-based provisioning to fire up a subset of AMT (including SOL) using its own credentials.

Whether using stolen credentials and full ATM access, or the limited access offered by a host-based provisioned machine, Platinum then exploited SOL to transfer malware over the LAN.

If you can exploit AMT's serial-over-LAN channel, the operating system won't see you

Microsoft says it worked with Intel to analyse the Platinum variant, and says Windows Defender ATP can detect the activity.

Intel's AMT got unwelcome attention in May, when critical vulnerabilities in the management technology first discovered in March became public. ®

Sign up to our NewsletterGet IT in your inbox daily

6 Comments

More from The Register

AMD sees Ryzen PCs sold with its CPUs in Europe as Intel shortages persist

Inside 629k machines, up from 355k last year

We're so, so, sorry you're not able to get PC chips, says Intel to everyone who hasn't gone with AMD yet

Epyc apology, Chipzilla

HP boss: Intel shortages are steering our suited customers to buy AMD

When supply doesn't meet demand, biz goes looking for action elsewhere

UK govt snubs Intel, seeks second-gen AMD Epyc processors for 28PFLOPS Archer2 supercomputer

HPE's Cray hits 80-million-quid target to build boffinry beast

Time to Ryzen shine, Intel: AMD has started shipping 7nm desktop CPUs like it's no big deal

Alongside Navi GPUs, and a Ryzen 3 APU priced at just $99

When two tribes go to war... Intel, AMD tease new chips at Computex: Your spin-free summary

2nd-gen Epyc, 3rd-gen Ryzen 7 and 9 processors, Navi GPUs, Intel 10nm CPUs, etc

Who's been copying AMD's homework? Intel lifts the lid on its hip chip packaging to break up chips into chiplets

Interconnects, never sexy but very useful for Chipzilla's plans

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

Updated 'Leakage ... is visible in all Intel generations starting from first-gen Core CPUs'

Shhh! Microsoft, Intel, Google and more sign up to the Confidential Computing Consortium

You can make your own joke about foxes and hen houses...

Intel insists Xeon vs Epyc benchmark fight was fair, amends speed test claims anyway

Chipzilla says it didn't intentionally mislead anyone

Whitepapers

Faster Response with CrowdStrike and MITRE ATT&CK

Today’s threat landscape has created new challenges for security analysts and incident responders.

Detecting cyber attacks as a small to medium business

If security by obscurity is no longer an option, and inaction is a risk in itself, what can smaller enterprises do to protect themselves? Endpoint Detection and Response (EDR) solutions can go a long way towards minimising the level of threat, but they need to be chosen and used in the right way.

Evolving Datacenters without Complexity

In this session, we’ll talk about how IT leaders are advancing the capabilities of their datacenters to rise to today’s challenges. Our guest speaker, Chris Bradford, Product Manager at DataStax will bring first-hand expertise to a discussion with The Register host Elena Perez.

Top 5 Recommendations for Effective Threat Detection

Learn how to improve the effectiveness of your threat detection program in cloud and hybrid environments.