A special feature of Intel CPUs is being exploited by cyber-spies to steal data
The Microsoft security team has discovered a family of malware used by a prominent cyber-espionage group called PLATINUM, which takes advantage of an Intel processor feature to bypass firewall security and steal data. Yes, a feature, not a bug or a vulnerability, at least not in the strict sense of the word.
This malware family uses the SOL (Serial-over-LAN) function of Intel Active Management Technology (AMT) as a file transfer tool. Because of the way this technology works, the data never passes through the local computer's own network interface, so neither the host firewall nor any installed security product can detect it.
Intel Active Management Technology (AMT) is part of the Intel Management Engine (ME). Essentially, it is a rather opaque technology that Intel has built into its processors, which gives the chips a subsystem completely independent of the operating system installed on the computer.
Intel ME allows, among other things, computers to be managed remotely. Intel ME runs even when the main processor is turned off, and Intel created it to offer remote management capability to companies that run large networks with hundreds or thousands of computers.
Because the AMT SOL interface runs inside Intel ME, it is isolated from the operating system and remains functional as long as the computer is physically connected to the network, even if the computer is turned off.
Microsoft has discovered malware created by PLATINUM that abuses the AMT SOL interface to steal data from infected computers. Although the feature is not enabled by default, the malware was found on systems belonging to organizations and government agencies in Asia.
In its report, Microsoft also said that it was able to identify clues in the way the malware operates that allow Windows Defender to detect it before it accesses and starts the AMT SOL interface, which gives organizations an early warning of a possible infection. Intel has only said that the PLATINUM group is not exploiting any vulnerability in the interface.
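Since the SOL channel described above is invisible to host firewalls, the practical defensive step is to know which machines actually expose it. The following PowerShell inventory check is an added example, not code from Microsoft's report or from Intel; it assumes the Intel AMT driver exposes the SOL virtual serial port and the Management Engine Interface as Plug and Play devices whose friendly names contain "Active Management Technology - SOL" and "Management Engine Interface" respectively.

```powershell
# Added inventory check: report whether the Intel AMT Serial-over-LAN virtual
# serial port is present and enabled on this Windows host.
# Assumption: the AMT driver registers the SOL port with a friendly name
# containing "Active Management Technology - SOL" and the host-side
# Management Engine Interface (MEI) with "Management Engine Interface".
# The wildcards keep the match loose in case the exact wording differs
# between driver versions.
function Get-AmtSolExposure {
    [CmdletBinding()]
    param()

    $devices = Get-PnpDevice -ErrorAction SilentlyContinue

    $mei = $devices | Where-Object { $_.FriendlyName -like '*Management Engine Interface*' }
    $sol = $devices | Where-Object { $_.FriendlyName -like '*Active Management Technology - SOL*' }

    # Status 'OK' means the device is installed and started, i.e. the SOL
    # port is usable from the operating system side.
    $solEnabled = [bool]($sol | Where-Object { $_.Status -eq 'OK' })

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        MeiPresent    = [bool]$mei
        SolPresent    = [bool]$sol
        SolEnabled    = $solEnabled
        SolPort       = ($sol | ForEach-Object { $_.FriendlyName }) -join '; '
        SolInstanceId = ($sol | ForEach-Object { $_.InstanceId }) -join '; '
    }
}

# Example usage: run locally, or fan out with Invoke-Command against a host
# list, and compare the results with the set of machines that are supposed
# to be managed through AMT. Hosts reporting SolEnabled = True that are not
# on that list deserve a closer look, because traffic over that port does
# not pass through the host firewall or any host-based network monitoring.
Get-AmtSolExposure | Format-List
```

The check only tells you the channel exists on a host; it does not show whether anything is using it, so treat unexpected results as a lead for further investigation rather than as proof of compromise.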