Leaks Show Conti Ransomware Group Working on Firmware Exploits

The recent Conti leaks show that the notorious ransomware group has been working on firmware exploits targeting the Intel Management Engine (ME) system.

In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker started leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code.

The leaked information showed that the cybercrime gang operated just like a regular company, with contractors, employees and HR problems.

An analysis of the leaked chats conducted by firmware and hardware security company Eclypsium showed that the Conti group has been looking into firmware-based attacks, specifically ones targeting Intel ME.

Intel ME provides various features for computers powered by Intel processors, including out-of-band management and anti-theft protection.

According to Eclypsium, Conti developers have been fuzzing the ME interface in an attempt to find undocummented commands and flaws, and they were trying to generically bypass protections. The hackers were also looking into creating a System Management Mode (SMM) implant that would allow them to stealthily modify the kernel.

The cybercriminals’ conversations revealed that they were also analyzing research made public by major Russian cybersecurity companies.

Eclypsium noted that no new or unmitigated vulnerabilities appear to have been discovered in Intel chipsets, but warned that the main problem is related to organizations failing to regularly update chipset firmware.

The company’s researchers pointed out that more than a dozen Intel advisories published between 2017 and 2020 describe tens of high-impact ME vulnerabilities, including ones that allow arbitrary code execution and privilege escalation.

Once the attacker has gained access to the firmware, they could permanently brick the system. They could also use this access for persistence and for evading security products and device protections, capabilities that can be highly valuable to a group like Conti. Obtaining firmware-based persistence can also be monetized by the cybercriminals by reselling access to other threat actors or by dropping more ransomware payloads at a later date.

“Leaked conversations indicate that the Conti group had already developed proof-of-concept code for these methods nine months ago. As a result, we expect that these techniques will be used in the wild in the near future if they haven’t already,” Eclypsium warned.

The company has described several theoretical attack scenarios focusing on different protections and settings that the targeted system could have.

It was reported recently that the Conti brand has become toxic due to its affiliation with the Russian government — it was difficult for victims to pay ransoms due to sanctions against Russia. As a result, the organizational structure of the operation has been significantly changed and the Conti ransomware operation has apparently been shut down.

The threat actor seems to have switched to a more decentralized operation that includes several autonomous groups. While some of these groups do not use file-encrypting malware and rely solely on data theft to make a profit, others still leverage locker malware.

Firmware exploits such as the ones described by Eclypsium could be useful to both types of groups.

Related: QCT Servers Affected by ‘Pantsdown’ BMC Vulnerability

Related: BIOSConnect Flaws Haunt Millions of Dell Computers