Privacy News Intel management tools bypasses Windows firewall

BoraMurdar
Thread author
According to Microsoft, a group by the name of PLATINUM has made use of Intel's Active Management Technology (AMT) - available on Intel's vPro processors and chipsets - to simply bypass the Windows Firewall entirely. Essentially, the group has a file transfer tool, which at its core uses the Serial-over-LAN (SOL) channel from within AMT for communication purposes. Since this channel is independent of the operating system, it allows for any communication through it to be "invisible to firewall and network monitoring applications running on the host device."

What needs to be said is that SOL, which "exposes a virtual serial device with a chipset-provided channel over TCP" is not enabled by default, and requires administrative privileges to actually run on the target workstations. Since the provisioning of such a channel is bound by the use of user credentials - username and password - the Redmond giant speculates that PLATINUM "might have obtained compromised credentials from victim networks".

The reason why AMT needs such low-level access has a lot to do with its actual function. The technology allows someone to remotely install operating systems on machines that don't have any, allows for the power cycling of devices, and thus provides a so-called "IP-based KVM solution" - where KVM is for keyboard, video and mouse - to accomplish the aforementioned tasks.

Check the video showing the procedure
PLATINUM activity group file-transfer method using Intel AMT SOL

There is some good news in all of this though, as computers making use of the Windows Defender ATP (Advanced Threat Protection) service - running Windows 10 version 1607 or later and Configuration Manager 1610 or later - can rest assured. The service is able to not only detect a "targeted attack activity" similar to PLATINUM's, but it can also "differentiate between legitimate usage of AMT SOL and targeted attacks attempting to use it as a communication channel."
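Because the SOL channel is handled by the chipset rather than the OS, the host's own firewall and monitors cannot see it, so the place a defender can still observe it is the network. The following Python is an added example, not from the thread or from Microsoft: it sweeps flow-log lines and flags AMT sessions to a workstation whose client is not an approved management console, which is the "legitimate AMT SOL vs. unexpected use" distinction the post describes. The log format, the log lines and the console allowlist are constructed; the port numbers are Intel's published AMT defaults.

```python
from collections import namedtuple
from typing import List, Optional, Tuple

# Intel AMT's published TCP ports, served by the chipset's own network stack,
# not the host OS: 16992/16993 web/SOAP (HTTP/HTTPS), 16994/16995 redirection
# (SOL and IDE-R, plain and TLS). Host-side firewalls never see these flows.
AMT_WEB_PORTS = {16992, 16993}
AMT_REDIRECTION_PORTS = {16994, 16995}
# Assumed allowlist of consoles permitted to open AMT sessions (constructed).
MANAGEMENT_CONSOLES = {"10.0.0.5"}
Flow = namedtuple("Flow", "ts src sport dst dport proto")

def parse_flow(line: str) -> Optional[Flow]:
    """Parse a constructed flow-log line: 'ts src sport dst dport proto'."""
    parts = line.split()
    if len(parts) != 6 or not parts[2].isdigit() or not parts[4].isdigit():
        return None
    ts, src, sport, dst, dport, proto = parts
    return Flow(ts, src, int(sport), dst, int(dport), proto.lower())

def classify(flow: Flow) -> str:
    """Return 'ignore', 'expected:<kind>' or 'suspicious:<kind>' for one flow."""
    if flow.proto != "tcp" or flow.dport not in AMT_WEB_PORTS | AMT_REDIRECTION_PORTS:
        return "ignore"
    kind = "sol-redirection" if flow.dport in AMT_REDIRECTION_PORTS else "amt-web"
    # Legitimate use comes from a known console; any other client warrants a look.
    return ("expected" if flow.src in MANAGEMENT_CONSOLES else "suspicious") + ":" + kind

def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Sweep a log and return (ts, src, dst, dport, verdict) for suspicious flows."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records rather than abort the sweep
        verdict = classify(flow)
        if verdict.startswith("suspicious"):
            hits.append((flow.ts, flow.src, flow.dst, flow.dport, verdict))
    return hits

# Constructed sample: the console opens SOL to a workstation, then a peer
# workstation does the same (the pattern a SOL file-transfer tool would leave).
SAMPLE_LOG = [
    "2017-06-07T10:00:01 10.0.0.5 51000 10.0.1.20 16994 tcp",
    "2017-06-07T10:03:12 10.0.1.77 49221 10.0.1.20 16994 tcp",
    "2017-06-07T10:03:15 10.0.1.77 49222 10.0.1.20 16992 tcp",
    "2017-06-07T10:04:00 10.0.1.77 49230 10.0.1.20 445 tcp",
    "malformed line",
]
```

Running `find_suspicious(SAMPLE_LOG)` returns the two flows from 10.0.1.77; the console's own SOL session and the ordinary SMB connection are not reported.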
 
We've seen AMT ecosystem being exploited earlier-
Intel patches 9yr old critical vulnerability AMT
Intel vulnerability allows hackers to remotely control PCs
Agreed @_CyberGhosT_, a small (-) and a big (+) kind of marketing is obvious here from MS. A question to consider, if at all, will be whether ATP from Defender has been capable of handling such an attack even before the reporting of the attack, or is it only when they fix something like this one that they publish these reports to boast of?
Microsoft ATP has been advertised mainly as a 'Detect, Investigate and Respond' advanced protection strategy, something to remember.
 
If I was a hacker, I would surely try first to exploit up-to-date Windows with its default security tools. So, every breach will have a Windows (updated to the moment of the exploit creation) as a start point of the attack, and as there's no way of knowing what part of the system is going to be exploited, if you are that unlucky to be one in the first lines...you're doomed anyway.
Until the next patch and over and over again ;)
 
Very valid point @Parsh , thank you brother :)
 