SecurityWeek

Leaks Show Conti Ransomware Group Working on Firmware Exploits

The recent Conti leaks show that the notorious ransomware group has been working on firmware exploits targeting the Intel Management Engine (ME) system.

In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker started leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code.

The leaked information showed that the cybercrime gang operated just like a regular company, with contractors, employees and HR problems.

An analysis of the leaked chats conducted by firmware and hardware security company Eclypsium showed that the Conti group has been looking into firmware-based attacks, specifically ones targeting Intel ME.

Intel ME provides various features for computers powered by Intel processors, including out-of-band management and anti-theft protection.

According to Eclypsium, Conti developers have been fuzzing the ME interface in an attempt to find undocumented commands and flaws, and they were trying to generically bypass its protections. The hackers were also looking into creating a System Management Mode (SMM) implant that would allow them to stealthily modify the kernel.

The cybercriminals’ conversations revealed that they were also analyzing research made public by major Russian cybersecurity companies.

Eclypsium noted that no new or unmitigated vulnerabilities appear to have been discovered in Intel chipsets, but warned that the main problem is related to organizations failing to regularly update chipset firmware.

The company’s researchers pointed out that more than a dozen Intel advisories published between 2017 and 2020 describe tens of high-impact ME vulnerabilities, including ones that allow arbitrary code execution and privilege escalation.

Once the attacker has gained access to the firmware, they could permanently brick the system. They could also use this access for persistence and for evading security products and device protections, capabilities that can be highly valuable to a group like Conti. Obtaining firmware-based persistence can also be monetized by the cybercriminals by reselling access to other threat actors or by dropping more ransomware payloads at a later date.

“Leaked conversations indicate that the Conti group had already developed proof-of-concept code for these methods nine months ago. As a result, we expect that these techniques will be used in the wild in the near future if they haven’t already,” Eclypsium warned.

The company has described several theoretical attack scenarios focusing on different protections and settings that the targeted system could have.

It was reported recently that the Conti brand has become toxic due to its affiliation with the Russian government — it was difficult for victims to pay ransoms due to sanctions against Russia. As a result, the organizational structure of the operation has been significantly changed and the Conti ransomware operation has apparently been shut down.

The threat actor seems to have switched to a more decentralized operation that includes several autonomous groups. While some of these groups do not use file-encrypting malware and rely solely on data theft to make a profit, others still leverage locker malware.

Firmware exploits such as the ones described by Eclypsium could be useful to both types of groups.

Related: QCT Servers Affected by ‘Pantsdown’ BMC Vulnerability

Related: BIOSConnect Flaws Haunt Millions of Dell Computers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.