Wednesday 18 May 2022

Microsoft finds active exploit of Intel's AMT vulnerability


Remote management and access tools are great things for IT staff to use, but if they are not set up correctly, or they have bugs hidden in the code, they can quickly become a nightmare. Intel’s AMT (Active Management Technology) suite of tools was recently found to have a rather nasty little surprise hidden in it. It seems that a flaw in the way its SOL (Serial over LAN) tool runs, combined with the way Windows deals with AMT, allowed attackers to use AMT to deploy malware and to exfiltrate data from a compromised system.

The flaw was announced on May 1st by Intel, explaining what the flaw was and that they were working on a fix for it. They recommended that anyone using AMT take steps to protect those systems (we recommend shutting it off in the BIOS). What makes things more interesting is that our old friend Windows was there to help attackers out in gaining access to this tool over a LAN without any special tricks. A handy service called Local Manageability Service advertises AMT and its related tools via the system's assigned IP address. These tools are operational even when the system is powered off and are not visible to common security tools. You would still be able to see them with technology like NetFlow or other network-based systems that track traffic passing over your network, but you have to know to look for it, or it might be overlooked as simple background traffic.
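The paragraph above makes the practical point that AMT traffic is invisible to host-based tools but does show up in flow data if you know which ports to watch. The script below is an added example (not code from the original article, Intel or Microsoft) of that kind of check: it parses constructed NetFlow-style records, flags any flow touching the well-known Intel AMT ports (16992/16993 for the web interface, 16994/16995 for redirection, which carries SOL, and 623/664 for RMCP), lists which clients are talking to each AMT-enabled host, and applies a simple heuristic that a SOL session moving a large volume of bytes is worth a look, since a serial console is normally chatty but low-volume. The sample flows, the CSV column layout and the 64 KiB threshold are all assumptions made for the example.

```python
"""Flag flows that touch Intel AMT management ports in NetFlow-style data.

Added example, not from the original article. The AMT port table is
Intel's documented set; the flow records, column order and the bulk-SOL
threshold below are constructed for illustration.
"""
from collections import defaultdict

# Well-known Intel AMT listening ports and what they carry.
AMT_PORTS = {
    623: "RMCP (ASF ping, UDP)",
    664: "RMCP secure",
    16992: "AMT HTTP web interface",
    16993: "AMT HTTPS web interface",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection over TLS",
}

# Redirection ports are the ones that carry Serial over LAN.
SOL_PORTS = {16994, 16995}

# Constructed sample export: src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
10.0.5.23,51022,10.0.5.40,443,tcp,18240
10.0.5.23,51023,10.0.5.41,16994,tcp,2048
10.0.5.99,40211,10.0.5.41,16992,tcp,512
10.0.5.23,51030,10.0.5.41,16994,tcp,1048576
10.0.5.41,16994,10.0.5.23,51030,tcp,4096
10.0.5.7,33000,8.8.8.8,53,udp,128
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        records.append({
            "src_ip": src, "src_port": int(sport),
            "dst_ip": dst, "dst_port": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return records


def find_amt_flows(records):
    """Return every flow whose destination or source port is an AMT port."""
    hits = []
    for r in records:
        for key in ("dst_port", "src_port"):
            if r[key] in AMT_PORTS:
                hits.append({**r, "amt_port": r[key], "service": AMT_PORTS[r[key]]})
                break  # count each flow once
    return hits


def clients_per_amt_host(hits):
    """Map each host that received AMT traffic to the set of clients that sent it.

    One workstation talking to many AMT endpoints, or an unexpected client
    talking to any of them, is the pattern a defender wants surfaced.
    """
    clients = defaultdict(set)
    for h in hits:
        if h["dst_port"] in AMT_PORTS:
            clients[h["dst_ip"]].add(h["src_ip"])
    return {host: sorted(c) for host, c in clients.items()}


def large_sol_transfers(hits, threshold=64 * 1024):
    """Flows on SOL redirection ports moving at least `threshold` bytes.

    The threshold is an assumption for the example; tune it to your baseline.
    """
    return [h for h in hits if h["amt_port"] in SOL_PORTS and h["bytes"] >= threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    amt = find_amt_flows(flows)
    print(f"{len(amt)} of {len(flows)} flows touch AMT ports")
    for host, clients in clients_per_amt_host(amt).items():
        print(f"  {host} (AMT) <- {', '.join(clients)}")
    for h in large_sol_transfers(amt):
        print(f"  bulk SOL: {h['src_ip']} -> {h['dst_ip']}:{h['dst_port']} {h['bytes']} bytes")
```

In a real deployment the flow text would come from your collector's export rather than the embedded sample, and the interesting output is the client list per AMT host: anything there that is not your management server deserves an explanation.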

To make things a little worse, Microsoft is now claiming that a hacking group is actively exploiting this flaw. The claim is that a group dubbed PLATINUM is behind the attacks and could even be a nation-state group (if their claims are true).

As things stand right now, this affects most of the Intel CPUs out there and has been in place for around seven years. We have a feeling that other malicious groups are already aware of this flaw, so the revelation from Microsoft is probably not going to be the last. We also have a feeling that most companies will never be fully protected from this, as their workstation update policies are just not what they should be…

If you are interested, you can read Intel’s statement and see if there is a patch for your system.

Last modified on Friday, 09 June 2017 12:40
