Security Experts:

Connect with us

Hi, what are you looking for?



Leaks Show Conti Ransomware Group Working on Firmware Exploits

The recent Conti leaks show that the notorious ransomware group has been working on firmware exploits targeting the Intel Management Engine (ME) system.

The recent Conti leaks show that the notorious ransomware group has been working on firmware exploits targeting the Intel Management Engine (ME) system.

In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker started leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code.

The leaked information showed that the cybercrime gang operated just like a regular company, with contractors, employees and HR problems.

An analysis of the leaked chats conducted by firmware and hardware security company Eclypsium showed that the Conti group has been looking into firmware-based attacks, specifically ones targeting Intel ME.

Intel ME provides various features for computers powered by Intel processors, including out-of-band management and anti-theft protection.

According to Eclypsium, Conti developers have been fuzzing the ME interface in an attempt to find undocummented commands and flaws, and they were trying to generically bypass protections. The hackers were also looking into creating a System Management Mode (SMM) implant that would allow them to stealthily modify the kernel.

The cybercriminals’ conversations revealed that they were also analyzing research made public by major Russian cybersecurity companies.

Eclypsium noted that no new or unmitigated vulnerabilities appear to have been discovered in Intel chipsets, but warned that the main problem is related to organizations failing to regularly update chipset firmware.

The company’s researchers pointed out that more than a dozen Intel advisories published between 2017 and 2020 describe tens of high-impact ME vulnerabilities, including ones that allow arbitrary code execution and privilege escalation.

Once the attacker has gained access to the firmware, they could permanently brick the system. They could also use this access for persistence and for evading security products and device protections, capabilities that can be highly valuable to a group like Conti. Obtaining firmware-based persistence can also be monetized by the cybercriminals by reselling access to other threat actors or by dropping more ransomware payloads at a later date.

“Leaked conversations indicate that the Conti group had already developed proof-of-concept code for these methods nine months ago. As a result, we expect that these techniques will be used in the wild in the near future if they haven’t already,” Eclypsium warned.

The company has described several theoretical attack scenarios focusing on different protections and settings that the targeted system could have.

It was reported recently that the Conti brand has become toxic due to its affiliation with the Russian government — it was difficult for victims to pay ransoms due to sanctions against Russia. As a result, the organizational structure of the operation has been significantly changed and the Conti ransomware operation has apparently been shut down.

The threat actor seems to have switched to a more decentralized operation that includes several autonomous groups. While some of these groups do not use file-encrypting malware and rely solely on data theft to make a profit, others still leverage locker malware.

Firmware exploits such as the ones described by Eclypsium could be useful to both types of groups.

Related: QCT Servers Affected by ‘Pantsdown’ BMC Vulnerability

Related: BIOSConnect Flaws Haunt Millions of Dell Computers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.