Conti leaks disclose details of firmware-based attacks
A thorough analysis of leaked online chats from the notorious Conti ransomware operation earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices.
Firmware and hardware security firm Eclypsium said in a report:
Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals.
Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system.
Specifically, this includes cyberattacks aimed at embedded microcontrollers such as the Intel Management Engine (ME), a privileged component that's part of the firm's processor chipsets and which can completely bypass the operating system.
It's worth noting that the reason for this evolving focus is not because there are new security vulnerabilities in Intel chipsets, but rather it banks on the possibility that "organizations do not update their chipset firmware with the same regularity that they do their software or even the UEFI/BIOS system firmware."
he conversations among the Conti members, which leaked after the group pledged its support to Russia in the latter's invasion of Ukraine, have shed light on the syndicate's attempts to mine for vulnerabilities related to ME firmware and BIOS write protection.
This entailed finding undocumented commands and vulnerabilities in the ME interface, achieving code execution in the ME to access and rewrite the SPI flash memory, and dropping System Management Mode (SMM)-level implants, which could be leveraged to even modify the kernel.
By shifting focus to Intel ME as well as targeting devices in which the BIOS is write protected, attackers could easily find far more available target devices.
Furthermore, control over the firmware could also be exploited to gain long-term persistence, evade security solutions, and cause irreparable system damage, enabling the threat actor to mount destructive attacks as witnessed during the Russo-Ukrainian war.
The Conti leaks exposed a strategic shift that moves firmware attacks even further away from the prying eyes of traditional security tools.
The shift to ME firmware gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems.
In the same time, a ransomware operation that uses the LockBit 2.0 ransomware claims to have hit Foxconn Baja California and is threatening to release leaked information on June 11, unless the victim pays up.