Researchers investigating the Conti ransomware operation’s leaked conversations showed that teams inside the Russian cybercrime gang were actively working on firmware hacks. Conti coders had built proof-of-concept (PoC) code that used Intel’s Management Engine (ME) to overwrite flash and acquire SMM (System Management Mode) execution, as per chats between members of the cybercrime gang.
The ME provides out-of-band services, which is an embedded microprocessor in Intel chipsets that runs a micro-OS. Conti was fuzzing that component to see if there were any undocumented functions or instructions that they might use. Conti may then access the flash memory containing the UEFI/BIOS firmware, bypass write protections, and execute arbitrary code on the compromised system. The ultimate objective would be to implant an SMM with the greatest system privileges (ring-0) while remaining almost unnoticed by OS-level security mechanisms.
Contrary to TrickBot’s module, which targeted UEFI firmware holes to facilitate Conti attacks and was later carried out by the ransomware organization, the current discoveries suggest that the malicious engineers were attempting to identify new, unknown vulnerabilities in the ME. To carry out a firmware attack, ransomware actors would need to access the system using a common method such as phishing, exploiting a vulnerability, or launching a supply chain attack.
After gaining access to the ME, the attackers must devise an attack strategy based on which “out-of-write protection” regions they are permitted to access, which varies depending on the ME implementation and different restrictions/protections. According to Eclypsium, there might be either direct access to the BIOS region or access to alter the SPI Descriptor and relocate the UEFI/BIOS beyond the protected area.
There’s also the possibility that the ME doesn’t have access to either, in which case threat actors may use Intel’s Management Engine to force a boot from virtual media and bypass the SPI controller’s PCH safeguards. Conti may exploit this attack path to permanently brick PCs, obtain ultimate persistence, elude anti-virus and EDR detections, and circumvent all OS-layer security protections.
While the Conti organization appears to have ceased activities, many of its members have moved on to other ransomware operations, where they continue to strike. This also implies that all of the work done to build exploits like the one discovered by Eclypsium in the leaked conversations will be preserved. Conti has had a functioning PoC for these assaults since last summer, as per researchers, so it’s probable that they’ve already used it in a real attack.
The RaaS may resurface under a new name, the main members may join other ransomware operations, and the exploits will be exploited in the long run. Apply available firmware upgrades for your hardware, watch ME for configuration changes, and test the integrity of the SPI flash regularly to protect yourself from threats.
