《Platinum First to Abuse Intel Chip Management Feature》-- provided by Harbin Antiy Technology Group Co., Ltd.

2018-07-05


The Platinum APT group, operating in Southeast Asia, is abusing a feature of Intel chips to load malware and exploits onto compromised machines.

Last Thursday Microsoft published its latest research report on the Platinum group, which is keen on using previously untapped resources to attack computers and evade detection.

In April 2016, Microsoft described how Platinum used the hotpatching feature introduced in Windows Server 2003 (and removed in Windows 8) to inject malicious code into running processes. Platinum's targets are mainly strategic: government agencies, defense contractors and intelligence agencies, as well as critical industries such as telecommunications.

Microsoft says one of Platinum's file-transfer tools can make use of Intel Active Management Technology (AMT), specifically its Serial-over-LAN (SOL) communication channel, to run malicious code on a targeted machine. Microsoft and Intel say this is the first time an APT group has abused a chipset in this way.

Microsoft said: "This channel works independently of the operating system, and any communication over it is invisible to the firewall and network monitoring programs running on the host device. Until this incident, we had not discovered any malware misusing the AMT SOL feature for communication."

Microsoft informed Intel of its findings. The two companies say this is not a vulnerability in AMT but an abuse of its capabilities. Coincidentally, a serious AMT privilege-escalation vulnerability was disclosed in early May that allowed attackers remote access and full control of compromised machines, but it is unrelated to this incident.

Microsoft said in its report that it found the file-transfer tool on only a handful of machines.

Microsoft says the attack has prerequisites: because AMT is off by default, the attacker needs to obtain administrator privileges.

Microsoft said: "It is currently unknown whether Platinum was able to provision workstations to use the feature or piggybacked on a previously enabled workstation management feature. In either case, Platinum would need to have gained administrator privileges on the targeted systems before misusing the feature."

The AMT feature is present on Intel vPro processors and chips and is used for remote management. SOL exposes a virtual serial device over TCP and works independently of the operating system and network running on the host server. As long as the host device is physically connected to the network, AMT and SOL can communicate using the Intel Management Engine's network stack. Because it bypasses the host server's network stack, it cannot be blocked by the host's firewall. The host never sees any of the malicious traffic, and neither does any antivirus or intrusion detection software running on the server.

Microsoft says Platinum has been active in Asia since 2009 and is very careful to keep its attack tools, including zero-day exploits, secret.

More than a year ago, researchers disclosed Platinum's abuse of the Windows hotpatching feature. The group used it to inject malicious code into running processes without rebooting the compromised server. Like SOL, hotpatching requires administrator privileges, which means the attackers must have compromised the machine first.

Like many other APT groups, the group uses spear phishing campaigns to establish a foothold on a network. Platinum uses infected Office documents that exploit unpatched and known vulnerabilities to install backdoors and other code onto compromised machines.


《Platinum APT First to Abuse Intel Chip Management Feature》

https://threatpost.com/platinum-apt-first-to-abuse-intel-chip-management-feature/126166/

Michael Mimoso

June 9, 2017, 12:46 pm

Advanced attackers operating in Southeast Asia are abusing a feature in Intel chips to quietly load malware and exploits onto compromised machines.

Microsoft on Thursday published its latest research into a group it calls Platinum, which is keen on using previously untapped resources to stealthily attack computers and avoid detection.


In April 2016, Microsoft described how Platinum was using a hotpatching feature introduced in Windows Server 2003 (and removed by Windows 8) to inject malicious code in running processes. Platinum’s targets are largely strategic: government agencies, defense contractors and intelligence agencies, along with critical industries such as telecommunications.

Now, Microsoft says, Platinum has a file-transfer tool that makes use of Intel Active Management Technology (AMT), specifically its Serial-over-LAN (SOL) communication channel, to get malicious code running on a targeted machine. This is a first where an APT is abusing chipsets in this way, Microsoft and Intel said.

“This channel works independently of the operating system, rendering any communication over it invisible to firewall and network monitoring applications running on the host device,” Microsoft said. “Until this incident, no malware had been discovered misusing the AMT SOL feature for communication.”

Microsoft informed Intel of its findings, and the two companies said that this isn’t a vulnerability in AMT, but an abuse of its capabilities. Coincidentally, a serious elevation of privilege vulnerability in AMT was disclosed in early May that allowed an attacker remote access and full control over compromised machines, but this is unrelated, the two companies said.

Microsoft said in its report that it discovered the file-transfer tool only on a handful of machines.

The attack has some prerequisites, Microsoft said, primarily because AMT is off by default and requires admin privileges.

“It is currently unknown if PLATINUM was able to provision workstations to use the feature or piggyback on a previously enabled workstation management feature,” Microsoft said. “In either case, PLATINUM would need to have gained administrative privileges on targeted systems prior to the feature’s misuse.”

The AMT feature is present on Intel vPro processors and chips and is used for remote management. The SOL feature exposes a virtual serial device over TCP, and works independently of the OS and networking running on the host server. AMT, and SOL by extension, make use of the Intel Management Engine’s networking stack to communicate as long as the host device is physically connected to the network. Because it bypasses the host server’s networking stack, it can’t be blocked by the firewall on the host. The host never sees any of the malicious traffic, and by extension, neither does any of the antimalware or intrusion detection software running on the server.
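Because the host's own firewall, antimalware and IDS cannot see SOL traffic, the place to look for it is on the wire (a span port or perimeter sensor). The following is an added example, not code from Microsoft, Intel or Threatpost: it classifies constructed flow records against Intel's documented AMT listener ports (16992-16995) and flags SOL sessions opened by anything other than an assumed management console (10.0.0.5, a constructed address) or carrying more data than console use would explain. The record format, console address and byte threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
# Documented Intel AMT listener ports: 16992/16993 are the AMT web and
# WS-Management interface (HTTP/HTTPS); 16994/16995 are the redirection
# services, i.e. Serial-over-LAN and IDE-R (plain/TLS).
AMT_WEB_PORTS = {16992, 16993}
AMT_REDIRECTION_PORTS = {16994, 16995}

@dataclass
class Flow:
    src: str           # client side of the TCP connection
    dst: str           # managed endpoint whose Management Engine answers
    dport: int
    client_bytes: int  # bytes the client pushed toward the endpoint
def parse_flow(line: str) -> Flow:
    """Parse one constructed tab-separated flow record: src, dst, dport, bytes."""
    src, dst, dport, nbytes = line.rstrip("\n").split("\t")
    return Flow(src, dst, int(dport), int(nbytes))

def classify(flow: Flow, consoles: Set[str], sol_limit: int = 64 * 1024) -> Optional[str]:
    """Label an AMT-related flow, or return None when it looks like normal management."""
    if flow.dport in AMT_REDIRECTION_PORTS:
        if flow.src not in consoles:
            # SOL from a non-console host: the workstation-to-workstation pattern.
            return "unauthorized_sol_session"
        if flow.client_bytes > sol_limit:
            return "large_sol_transfer"  # far more than console keystrokes
        return None
    if flow.dport in AMT_WEB_PORTS and flow.src not in consoles:
        return "unauthorized_amt_management"
    return None

def scan(lines: Iterable[str], consoles: Set[str]) -> List[Tuple[str, str, str, int]]:
    """Run every flow record through classify() and collect the alerts."""
    alerts = []
    for flow in map(parse_flow, lines):
        label = classify(flow, consoles)
        if label is not None:
            alerts.append((label, flow.src, flow.dst, flow.dport))
    return alerts
# Constructed sample records; 10.0.0.5 is the assumed authorized console.
SAMPLE_FLOWS = [
    "10.0.0.5\t10.0.1.20\t16994\t2048",     # console keystrokes over SOL: benign
    "10.0.0.5\t10.0.1.21\t16994\t3145728",  # 3 MiB pushed over SOL: suspicious
    "10.0.1.30\t10.0.1.22\t16995\t4096",    # workstation-to-workstation SOL
    "10.0.1.30\t10.0.1.22\t16992\t800",     # non-console host using the AMT web API
    "10.0.1.30\t10.0.1.22\t443\t500",       # ordinary HTTPS: ignored
]
MANAGEMENT_CONSOLES = {"10.0.0.5"}
```

Running `scan(SAMPLE_FLOWS, MANAGEMENT_CONSOLES)` yields three alerts; the benign console session and the HTTPS flow are ignored.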

Microsoft said Platinum has been active in Asia since 2009, and keeps its use of attack tools—including zero days—close to the vest.

Platinum’s abuse of Windows hotpatching was disclosed more than a year ago. The feature was abused to inject malicious code into running processes without having to reboot the compromised server. Like SOL, hotpatching requires admin privileges meaning the attackers must have previously compromised the box in order to carry out this phase of the attack.

The group, like many other APTs, uses spear phishing campaigns to gain an initial foothold on a network. Platinum uses infected Office documents targeting unpatched and known vulnerabilities to install backdoors and other code onto compromised machines.

Attachments:

《Platinum APT First to Abuse Intel Chip Management Feature》-- original.pdf

《Platinum APT First to Abuse Intel Chip Management Feature》-- translation.pdf
