"Leaks Show Conti Ransomware Group Working on Firmware Exploits"

In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker began leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code. Researchers from Eclypsium analyzed the leaked material and found that the gang operated much like a regular company, with contractors, employees, and HR problems.

The researchers also found that Conti had been looking into firmware-based attacks, specifically ones targeting Intel ME (Management Engine), which provides features such as out-of-band management and anti-theft protection on computers powered by Intel processors. According to the researchers, Conti developers had been fuzzing the ME interface in an attempt to find undocumented commands and flaws, and were trying to bypass its protections generically. They were also looking into creating a System Management Mode (SMM) implant that would allow them to stealthily modify the kernel, and their conversations showed that they were analyzing research made public by major Russian cybersecurity companies.

The researchers stated that no new or unmitigated vulnerabilities appear to have been discovered in Intel chipsets, but warned that the main problem is organizations failing to update chipset firmware regularly. Once an attacker has gained access to the firmware, they could permanently brick the system, or use that access for persistence and for evading security products and device protections, which can be highly valuable to a group like Conti. Firmware-based persistence can also be monetized by reselling access to other threat actors or by dropping more ransomware payloads at a later date.


SecurityWeek reports: "Leaks Show Conti Ransomware Group Working on Firmware Exploits"
