"Conti Ransomware Develops Proof-of-Concept Code for Firmware Attacks"

An examination of leaked Conti ransomware gang chats revealed that the cybercrime group was developing firmware attacks against the Intel Management Engine (ME), the embedded controller and firmware that run inside Intel chipsets independently of the host CPU and operating system. The firmware exists in several variants: the Intel Management Engine (ME) on platforms before Skylake, the Intel Converged Security and Management Engine (CSME) on Skylake and later, the Intel Trusted Execution Engine (TXE) on Atom processors, and Server Platform Services (SPS) on server platforms. Intel ME provides a number of features, including anti-theft protection and out-of-band management. Compromising it would allow threat actors to install a backdoor on Intel-based devices and execute commands without being detected by operating system-based security tools, since the ME runs below and outside the operating system. The chats also appear to confirm a link between the Conti ransomware gang and the Russian Federal Security Service (FSB). The Conti group intended to exploit ME firmware to gain indirect access to the UEFI/BIOS, drop additional payloads, and gain runtime control of the system beneath the operating system via System Management Mode (SMM). According to the analysis, the attackers attempted to reach the SPI flash (the memory chip that stores the UEFI/BIOS system firmware) from the ME in order to bypass other protections generically. This article continues to discuss the Conti ransomware group's proof-of-concept code for firmware attacks, the possible exploitation of the supply chain to deliver firmware malware, and firmware attack deployment scenarios.

CPO Magazine reports "Conti Ransomware Develops Proof-of-Concept Code for Firmware Attacks"

Submitted by Anonymous on