Security

Vxers exploit Intel's Active Management for malware-over-LAN

Platinum attack spotted in Asia, needs admin credentials

By Richard Chirgwin

6 SHARE

Microsoft is warning against a new way to exploit Intel's Active Management Technology, this time to pass messages between infected machines over business LANs.

So far, Microsoft says, the attack (which uses a variant of 2016's Platinum file transfer tool) has only been spotted in Asia, and fortunately it can only be exploited if an attacker tricks a sysadmin into providing administrative credentials.

As Redmond points out, the new wrinkle doesn't create a new attack vector, but rather it “misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications”.

The feature being misused is AMT's Serial-over-LAN (SOL), attractive to an attacker because it's independent of the host operating system.

It could be spotted by a separate standalone firewall, but it wouldn't be picked up by a host-based firewall. Another attraction to an attacker is that the embedded processor is designed to provide remote out-of-band capabilities like power cycling and KVM, even if the main processor is powered down.

SOL can also communicate over the LAN if a physical connection exists, regardless of whether networking is enabled on the host.

Microsoft also offers the hypothesis that if Platinum infected a system that didn't have AMT enabled, it could use stolen admin credentials and the technology's host-based provisioning to fire up a subset of AMT (including SOL) using its own credentials.

Whether using stolen credentials and full ATM access, or the limited access offered by a host-based provisioned machine, Platinum then exploited SOL to transfer malware over the LAN.

If you can exploit AMT's serial-over-LAN channel, the operating system won't see you

Microsoft says it worked with Intel to analyse the Platinum variant, and says Windows Defender ATP can detect the activity.

Intel's AMT got unwelcome attention in May, when critical vulnerabilities in the management technology first discovered in March became public. ®

Sign up to our NewsletterGet IT in your inbox daily

6 Comments

More from The Register

Ex-Intel exec Diane Bryant exits Google cloud

Could Chipzilla replace Brian with a Bryant?

Git security vulnerability could lead to an attack of the (repo) clones

Best git patching y'all

Yubico snatched my login token vulnerability to claim a $5k Google bug bounty, says bloke

USB gizmo biz apologies amid infosec drama

Google's PHP API client has XSS vulnerability

Patch promised

Facebook, Google, Microsoft, Twitter make it easier to download your info and upload to, er, Facebook, Google, Microsoft, Twitter etc...

GDPR put a gun to their heads

SoftNAS no longer a soft touch for hackers (for now)... Remote-hijacking vulnerability patched

Your files are someone else's files, too, thanks to storage bug

Russia's national vulnerability database is a bit like the Soviet Union – sparse and slow

By design, though, not... er, general rubbishness

Intel, Microsoft, Adobe release a swarm of bug fixes to ruin your week

Massive patch dump with 112 fixes... and that's just for the Photoshop giant

Microsoft works weekends to kill Intel's shoddy Spectre patch

Out-of-band patch may assuage user anger over Intel crudware, closed-club disclosure process

SHL just got real-mode: US lawmakers demand answers on Meltdown, Spectre handling from Intel, Microsoft and pals

Pact of silence questioned