When you're a bad guy breaking into a network, the first problem you
need to solve is, of course, getting into the remote system and running
your malware on it. But once you're there, the next challenge is usually
to make sure that your activity is as hard to detect as possible.
Microsoft has detailed a neat technique
used by a group in Southeast Asia that abuses legitimate management
tools to evade firewalls and other endpoint-based network monitoring.
The group, which Microsoft has named PLATINUM, has developed a system
for sending files—such as new payloads to run and new versions of their
malware—to compromised machines. PLATINUM's technique leverages Intel's
Active Management Technology (AMT) to do an end-run around the built-in
Windows firewall. The AMT firmware runs at a low level, below the
operating system, and it has access to not just the processor, but also
the network interface.
The AMT needs this low-level access for some of the legitimate things
it's used for. It can, for example, power cycle systems, and it can
serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a
remote user to send mouse and keyboard input to a machine and see what's
on its display. This, in turn, can be used for tasks such as remotely
installing operating systems on bare machines. To do this, AMT not only
needs to access the network interface, it also needs to simulate
hardware, such as the mouse and keyboard, to provide input to the
operating system.
But this low-level operation is what makes AMT attractive for
hackers: the network traffic that AMT uses is handled entirely within
AMT itself. That traffic never gets passed up to the operating system's
own IP stack and, as such, is invisible to the operating system's own
firewall or other network monitoring software. The PLATINUM software
uses another piece of virtual hardware—an AMT-provided virtual serial
port—to provide a link between the network itself and the malware
application running on the infected PC.
Communication between machines uses serial-over-LAN traffic, which is
handled by AMT in firmware. The malware connects to the virtual AMT
serial port to send and receive data. Meanwhile, the operating system
and its firewall are none the wiser. In this way, PLATINUM's malware can
move files between machines on the network while remaining largely
undetectable to those machines.
[Figure: PLATINUM uses AMT's serial-over-LAN (SOL) to bypass the operating system's network stack and firewall.]
AMT has been under scrutiny recently
after the discovery of a long-standing remote authentication flaw that
enabled attackers to use AMT features without needing to know the AMT
password. This in turn could be used to enable features such as the
remote KVM to control systems and run code on them.
However, that's not what PLATINUM is doing: the group's
malware requires AMT to be enabled and serial-over-LAN turned on before
it can work. This isn't exploiting any flaw in AMT; the malware just
uses the AMT as it's designed in order to do something undesirable.
Both the PLATINUM malware and the AMT security flaw require AMT to be
enabled in the first place; if it's not turned on at all, there's no
remote access. Microsoft's write-up of the malware expressed uncertainty
about this part; it's possible that the PLATINUM malware itself enabled
AMT—if the malware has Administrator privileges, it can enable many AMT
features from within Windows—or that AMT was already enabled and the
malware managed to steal the credentials.
While this novel use of AMT is useful for transferring files while
evading firewalls, it's not undetectable. Using the AMT serial port, for
example, is detectable. Microsoft says that its own Windows Defender
Advanced Threat Protection can even distinguish between legitimate uses
of serial-over-LAN and illegitimate ones. But it's nonetheless a neat
way of bypassing one of the more common protective measures that we
depend on to detect and prevent unwanted network activity.
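One network-side check that follows from this, added here as an example and not drawn from Microsoft's write-up: the host firewall cannot see SOL sessions, but a flow-record feed from the switch or a tap can, and an AMT session whose source is not a management console (a workstation talking to a peer workstation's AMT, as PLATINUM did) is the pattern to flag. The AMT port numbers are well-known values rather than something the article states, and the console subnet and flow records are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Intel AMT's firmware listens on these TCP ports itself, beneath the
# OS network stack, so the host firewall never sees the sessions.
# 16994/16995 carry the redirection protocol that SOL rides on.
# (Well-known AMT port numbers, not taken from the article; confirm
# them against your own AMT configuration.)
AMT_WEB_PORTS = {16992, 16993}
AMT_REDIRECTION_PORTS = {16994, 16995}

# Hypothetical allow-list: the only subnet whose hosts may open AMT sessions.
MANAGEMENT_CONSOLES = [ip_network("10.0.50.0/24")]

# Constructed flow records (src_ip, dst_ip, dst_port, bytes), standing in
# for NetFlow/IPFIX export from a switch or tap on the segment.
SAMPLE_FLOWS = [
    ("10.0.50.7",  "10.0.12.33", 16995, 2_100),   # console -> workstation SOL: expected
    ("10.0.12.21", "10.0.12.33", 16994, 48_200),  # workstation -> workstation SOL: suspect
    ("10.0.12.21", "10.0.12.33", 445,   9_000),   # ordinary SMB, not AMT: ignored
    ("10.0.12.33", "10.0.12.58", 16992, 512),     # workstation -> AMT web UI: suspect
]

def is_console(ip: str) -> bool:
    """True if the source address belongs to the management-console allow-list."""
    addr = ip_address(ip)
    return any(addr in net for net in MANAGEMENT_CONSOLES)

def classify_flow(src: str, dst: str, port: int, nbytes: int):
    """Return None for non-AMT traffic, else (verdict, kind, src, dst, bytes)."""
    if port in AMT_REDIRECTION_PORTS:
        kind = "sol-redirection"
    elif port in AMT_WEB_PORTS:
        kind = "amt-web"
    else:
        return None
    verdict = "expected" if is_console(src) else "suspect"
    return (verdict, kind, src, dst, nbytes)

def suspicious_amt_flows(flows):
    """AMT sessions not opened by a console: the peer-to-peer pattern PLATINUM used."""
    hits = [classify_flow(*f) for f in flows]
    return [h for h in hits if h is not None and h[0] == "suspect"]

if __name__ == "__main__":
    for verdict, kind, src, dst, nbytes in suspicious_amt_flows(SAMPLE_FLOWS):
        print(f"{verdict}: {kind} {src} -> {dst} ({nbytes} bytes)")
```

Because the sessions terminate in firmware, this kind of record also serves as the inventory of which hosts actually have AMT enabled, which the article notes is a precondition for both PLATINUM's technique and the separate authentication flaw.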