Vxers exploit Intel's Active Management for malware-over-LAN

Platinum attack spotted in Asia, needs admin credentials

By Richard Chirgwin


Microsoft is warning against a new way to exploit Intel's Active Management Technology, this time to pass messages between infected machines over business LANs.

So far, Microsoft says, the attack (which uses a variant of 2016's Platinum file transfer tool) has only been spotted in Asia, and fortunately it can only be exploited if an attacker tricks a sysadmin into providing administrative credentials.

As Redmond points out, the new wrinkle doesn't create a new attack vector, but rather it “misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications”.

The feature being misused is AMT's Serial-over-LAN (SOL), attractive to an attacker because it's independent of the host operating system.

It could be spotted by a separate standalone firewall, but it wouldn't be picked up by a host-based firewall. Another attraction to an attacker is that the embedded processor is designed to provide remote out-of-band capabilities like power cycling and KVM, even if the main processor is powered down.

SOL can also communicate over the LAN if a physical connection exists, regardless of whether networking is enabled on the host.
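Because SOL rides on the management engine rather than the host OS, the practical detection point the article identifies is a network-side firewall or flow collector. The following Python script is an added illustration, not part of the article or of Microsoft's or Intel's tooling: it scans NetFlow-style records for connections to Intel AMT's documented default TCP ports (16992 to 16995) from sources other than an assumed management allowlist, and summarises which unauthorised hosts are talking AMT to which targets. The flow records and the allowlist are constructed sample data.

```python
# Added example: flag flow records that touch Intel AMT's management and
# redirection ports, which is where Serial-over-LAN (SOL) traffic is visible
# to a standalone network firewall but invisible to the host OS. The port
# numbers are Intel's documented AMT defaults; everything else below
# (flow records, allowlist) is constructed sample data.
from collections import defaultdict

# Intel AMT listens on these TCP ports; the host operating system never sees them.
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
}

# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.1.20", 445, "tcp", 8200),
    ("10.0.1.15", "10.0.1.20", 16994, "tcp", 52000),
    ("10.0.1.30", "10.0.1.20", 16994, "tcp", 1400),
    ("10.0.2.5", "10.0.1.20", 16993, "tcp", 900),
    ("10.0.1.15", "10.0.1.21", 16994, "tcp", 48000),
    ("10.0.1.40", "10.0.1.22", 443, "tcp", 3000),
]

# Assumed: the only hosts that should ever speak to AMT are management consoles.
ALLOWED_MANAGERS = {"10.0.2.5"}


def flag_amt_flows(flows, allowed_managers=ALLOWED_MANAGERS):
    """Return flows to AMT ports whose source is not an allowed manager."""
    hits = []
    for src, dst, dport, proto, nbytes in flows:
        if proto != "tcp" or dport not in AMT_PORTS:
            continue
        if src in allowed_managers:
            continue
        hits.append({"src": src, "dst": dst, "port": dport,
                     "service": AMT_PORTS[dport], "bytes": nbytes})
    return hits


def summarize_by_source(hits):
    """Distinct AMT targets and byte totals per unauthorised source.

    Workstation-to-workstation AMT traffic (the pattern the article describes
    for peer file transfer over SOL) stands out as a non-manager with targets.
    """
    summary = defaultdict(lambda: {"targets": set(), "bytes": 0})
    for h in hits:
        summary[h["src"]]["targets"].add(h["dst"])
        summary[h["src"]]["bytes"] += h["bytes"]
    return {src: {"targets": sorted(v["targets"]), "bytes": v["bytes"]}
            for src, v in summary.items()}


if __name__ == "__main__":
    found = flag_amt_flows(SAMPLE_FLOWS)
    for h in found:
        print(f"{h['src']} -> {h['dst']}:{h['port']} ({h['service']}) {h['bytes']} bytes")
    print(summarize_by_source(found))
```

Run against the constructed records, the script flags three flows and attributes 100 KB of redirection-port traffic to 10.0.1.15 across two targets, while the allowlisted console on 10.0.2.5 is ignored. In production the same check belongs on a collector that sees traffic from the switch side, since a host-based firewall on the infected machine has no view of the management engine's connections.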

Microsoft also offers the hypothesis that if Platinum infected a system that didn't have AMT enabled, it could use stolen admin credentials and the technology's host-based provisioning to fire up a subset of AMT (including SOL) using its own credentials.

Whether using stolen credentials and full AMT access, or the limited access offered by a host-based provisioned machine, Platinum then exploited SOL to transfer malware over the LAN.

If you can exploit AMT's serial-over-LAN channel, the operating system won't see you

Microsoft says it worked with Intel to analyse the Platinum variant, and says Windows Defender ATP can detect the activity.

Intel's AMT got unwelcome attention in May, when critical vulnerabilities in the management technology first discovered in March became public. ®
