Leaks Show Conti Ransomware Group Working on Firmware Exploits

The recent Conti leaks show that the notorious ransomware group has been working on firmware exploits targeting the Intel Management Engine (ME) system.

In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker started leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code.

The leaked information showed that the cybercrime gang operated just like a regular company, with contractors, employees and HR problems.

An analysis of the leaked chats conducted by firmware and hardware security company Eclypsium showed that the Conti group has been looking into firmware-based attacks, specifically ones targeting Intel ME.

Intel ME provides various features for computers powered by Intel processors, including out-of-band management and anti-theft protection.

According to Eclypsium, Conti developers have been fuzzing the ME interface in an attempt to find undocumented commands and flaws, and they were trying to generically bypass protections. The hackers were also looking into creating a System Management Mode (SMM) implant that would allow them to stealthily modify the kernel.

The cybercriminals’ conversations revealed that they were also analyzing research made public by major Russian cybersecurity companies.

Eclypsium noted that no new or unmitigated vulnerabilities appear to have been discovered in Intel chipsets, but warned that the main risk stems from organizations failing to regularly update chipset firmware.

The company’s researchers pointed out that more than a dozen Intel advisories published between 2017 and 2020 describe tens of high-impact ME vulnerabilities, including ones that allow arbitrary code execution and privilege escalation.
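Eclypsium's point is that the exposure comes from unpatched ME firmware rather than from new bugs, so the practical defensive step is knowing which firmware version each host actually runs and whether it is below the fixed version named in the relevant Intel advisory. The following Python is an added example, not code from the article, from Eclypsium or from Intel: it parses the ME firmware version string in the `<platform>:<major>.<minor>.<hotfix>.<build>` format that the Linux `mei` driver exposes under `/sys/class/mei/mei0/fw_ver` (the sysfs path and line format are assumptions taken from the kernel's sysfs ABI documentation), and compares each reported version against a per-generation minimum. The minimum versions in the table are placeholders to be filled in from the advisories for your own platforms, not values from any Intel advisory, and the sample `fw_ver` content is constructed.

```python
import re
from pathlib import Path

# Assumption: the Linux mei driver reports the ME firmware version as lines of
# "<platform>:<major>.<minor>.<hotfix>.<build>" in this sysfs attribute.
FW_VER_PATH = Path("/sys/class/mei/mei0/fw_ver")

# PLACEHOLDER baselines keyed by ME major version. Populate these from the
# vendor advisories that apply to your fleet; the numbers below are NOT from
# any advisory and exist only so the example runs.
MINIMUM_FIRMWARE = {
    11: (11, 8, 0, 0),
    12: (12, 0, 0, 0),
    14: (14, 0, 0, 0),
    15: (15, 0, 0, 0),
}

LINE_RE = re.compile(r"^(?P<platform>\d+):(?P<ver>\d+(?:\.\d+){3})$")


def parse_fw_ver(text):
    """Return a list of (platform, version_tuple) pairs from fw_ver content.

    Raises ValueError on a line that does not match the expected format so an
    unexpected driver output is noticed rather than silently skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised fw_ver line: {line!r}")
        version = tuple(int(part) for part in m.group("ver").split("."))
        entries.append((int(m.group("platform")), version))
    return entries


def check_firmware(text, minimums=MINIMUM_FIRMWARE):
    """Classify each reported firmware as 'ok', 'outdated' or 'unknown'.

    'unknown' means no baseline exists for that major version, which should be
    treated as a gap in the inventory rather than as a pass.
    """
    results = []
    for platform, version in parse_fw_ver(text):
        baseline = minimums.get(version[0])
        if baseline is None:
            status = "unknown"
        elif version >= baseline:  # tuple comparison is lexicographic, as wanted
            status = "ok"
        else:
            status = "outdated"
        results.append({"platform": platform, "version": version, "status": status})
    return results


def check_local_host(path=FW_VER_PATH):
    """Read the live sysfs attribute; returns None when this host has no mei device."""
    if not path.exists():
        return None
    return check_firmware(path.read_text())


# Constructed sample: platform 0 is below the placeholder 11.x baseline,
# platform 1 meets the placeholder 12.x baseline.
SAMPLE_FW_VER = "0:11.7.0.1000\n1:12.0.45.1467\n"

if __name__ == "__main__":
    live = check_local_host()
    for entry in live if live is not None else check_firmware(SAMPLE_FW_VER):
        print(entry)
```

Run it as-is on a host without a `mei` device and it evaluates the constructed sample; on a Linux host with the driver loaded it reads the live attribute instead. The useful design point is the third state: a version whose major generation has no baseline is reported as `unknown` so it surfaces in the inventory, rather than being counted as patched.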

Once the attacker has gained access to the firmware, they could permanently brick the system. They could also use this access for persistence and for evading security products and device protections, capabilities that can be highly valuable to a group like Conti. Obtaining firmware-based persistence can also be monetized by the cybercriminals by reselling access to other threat actors or by dropping more ransomware payloads at a later date.

“Leaked conversations indicate that the Conti group had already developed proof-of-concept code for these methods nine months ago. As a result, we expect that these techniques will be used in the wild in the near future if they haven’t already,” Eclypsium warned.

The company has described several theoretical attack scenarios focusing on different protections and settings that the targeted system could have.

It was reported recently that the Conti brand has become toxic due to its affiliation with the Russian government — it was difficult for victims to pay ransoms due to sanctions against Russia. As a result, the organizational structure of the operation has been significantly changed and the Conti ransomware operation has apparently been shut down.

The threat actor seems to have switched to a more decentralized operation that includes several autonomous groups. While some of these groups do not use file-encrypting malware and rely solely on data theft to make a profit, others still leverage locker malware.

Firmware exploits such as the ones described by Eclypsium could be useful to both types of groups.

Related: QCT Servers Affected by ‘Pantsdown’ BMC Vulnerability

Related: BIOSConnect Flaws Haunt Millions of Dell Computers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
