Platinum hackers exploit Intel AMT-SOL for secure C&C communications

News by Rene Millman

A file-transfer channel that Microsoft describes as a feature rather than a bug is being misused by the Platinum hacking group on targeted machines in Southeast Asia.

A group of hackers, dubbed Platinum, are using Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) to hide communications from the firewall.

AMT is a remote-management feature of Intel's vPro chipsets that runs in the Management Engine firmware rather than in the host operating system. Its Serial-over-LAN (SOL) component exposes a virtual serial port that an authenticated management console can read from and write to over the network.

This latest revelation follows the disclosure in May of an authentication-bypass flaw in Intel's AMT firmware that let a remote attacker take control of a provisioned system, including one whose operating system was powered off.

Now, a Microsoft security research team has found that the Platinum group has started using AMT SOL to transfer data, making its communications invisible to firewalls and network-monitoring software running on the compromised host.

The advantage for the attackers is that the traffic is handled by the Management Engine rather than by the operating system's networking stack, so a host firewall that would normally see and block it never gets the chance. The packets are still on the wire, however, so a network tap, span port or flow collector outside the host can still observe them.
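Because the host cannot see this traffic, the practical detection point is the network itself. The following Python script is an added example, not code from Microsoft or from the Platinum research; it scans constructed Zeek-style connection records for the Intel AMT service ports (16992-16995, with 16994/16995 carrying SOL and other redirection traffic) and flags any AMT session that does not originate from the console you expect. The approved-console address and the sample records are assumptions.

```python
"""Flag Intel AMT traffic in network connection records.

AMT SOL is terminated by the Management Engine below the host OS, so the
host firewall and host-based network monitors never see it.  The packets
are still on the wire, though, so a span port, tap or flow collector can.
This script scans constructed Zeek-style conn records for the AMT ports.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Well-known Intel AMT TCP ports (from Intel's AMT documentation).
AMT_PORTS = {
    16992: "AMT web / WS-Management over HTTP",
    16993: "AMT web / WS-Management over HTTPS",
    16994: "AMT redirection (SOL, IDE-R) over TCP",
    16995: "AMT redirection (SOL, IDE-R) over TLS",
}
SOL_PORTS = {16994, 16995}

# Hypothetical: the only console that is supposed to open AMT sessions.
APPROVED_CONSOLES = {"10.0.0.5"}


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_conn_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Parse a reduced Zeek conn.log line (tab-separated):
    ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
    Returns None for comment, blank or malformed lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) < 7:
        return None
    ts, _uid, src, _sport, dst, dport, proto = fields[:7]
    try:
        return ts, src, dst, int(dport), proto
    except ValueError:
        return None


def find_amt_activity(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per AMT connection that deserves a look.

    high   - any host other than the approved console talks to an AMT port
             (what a compromised peer driving SOL against a workstation looks like)
    medium - the approved console opens a SOL/redirection session; benign for
             remote support, but worth matching against a change record
    Plain web/WS-Man traffic from the approved console is treated as normal.
    """
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport not in AMT_PORTS:
            continue
        if src not in APPROVED_CONSOLES:
            alerts.append(Alert(ts, src, dst, dport, "high",
                                f"unapproved source using {AMT_PORTS[dport]}"))
        elif dport in SOL_PORTS:
            alerts.append(Alert(ts, src, dst, dport, "medium",
                                "SOL/redirection session from approved console; verify"))
    return alerts


# Constructed sample records for this example; not real traffic.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1497268800.1\tC1\t10.0.0.5\t51000\t10.1.2.30\t16992\ttcp",     # console inventory: normal
    "1497268801.2\tC2\t10.1.2.31\t52000\t10.1.2.30\t16994\ttcp",    # workstation -> peer SOL: high
    "1497268802.3\tC3\t10.0.0.5\t51001\t10.1.2.40\t16995\ttcp",     # console SOL over TLS: medium
    "1497268803.4\tC4\t10.1.2.30\t53000\t203.0.113.10\t443\ttcp",   # ordinary HTTPS: ignored
])

if __name__ == "__main__":
    for a in find_amt_activity(SAMPLE_CONN_LOG.splitlines()):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

Run against a real conn.log the field order is the same for the first seven columns, so the parser carries over; the allowlist is the part that has to match your environment.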

But Microsoft was quick to point out that this does not exploit any vulnerability; rather, it misuses a legitimate feature inside an already compromised network. An attacker would still need administrative rights on the infected systems.

The company added that the tool has only been seen on a handful of victim computers within organisational networks in Southeast Asia, and that “Platinum is known to customise tools based on the network architecture of targeted organisations.”

It said that AMT SOL is not enabled by default, and that provisioning it on a workstation requires administrator privileges.

“It is currently unknown if Platinum was able to provision workstations to use the feature or piggyback on a previously enabled workstation management feature. In either case, Platinum would need to have gained administrative privileges on targeted systems prior to the feature's misuse,” said researchers.
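Since only a provisioned AMT engine answers on the network, an inventory sweep is the quickest way to learn which workstations could be reached this way, whether Platinum provisioned them or inherited an existing management setup. The Python probe below is an added example, not Microsoft's or Intel's code: it connects to the AMT web port (16992) and reports the Server header that a provisioned AMT returns. The exact header string and the sample response are assumptions based on field observation rather than Intel documentation.

```python
"""Find provisioned Intel AMT on the network.

An unprovisioned AMT engine does not listen on the network; a provisioned
one answers on TCP 16992 (HTTP) or 16993 (HTTPS) and names itself in the
Server header, even when the host OS is off but the machine has mains
power.  Sweeping the workstation range therefore shows which hosts an
attacker holding AMT credentials could reach over SOL.
"""
import re
import socket
from typing import Optional

AMT_HTTP_PORT = 16992
# Assumption: AMT's web server identifies itself with this Server header
# (observed in the field; not formally documented by Intel).
SERVER_RE = re.compile(
    rb"^Server:\s*(Intel\(R\) Active Management Technology[^\r\n]*)", re.I | re.M
)


def parse_amt_banner(response: bytes) -> Optional[str]:
    """Return the AMT Server header value if the HTTP response came from AMT."""
    head = response.split(b"\r\n\r\n", 1)[0]
    m = SERVER_RE.search(head)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def probe_host(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> Optional[str]:
    """Send a minimal GET and return the AMT banner, or None if the port is
    closed, the connection times out, or the responder is not AMT."""
    req = f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(req)
            data = b""
            while len(data) < 4096:          # headers are all we need
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_amt_banner(data)


# Constructed responses for this example, modelled on a provisioned AMT web
# UI and on an ordinary web server; neither is a real capture.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    b"Location: /logon.htm\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_NOT_AMT = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        banner = probe_host(host)
        print(f"{host}: {banner or 'no AMT on port %d' % AMT_HTTP_PORT}")
```

Any host that answers here but is not in your management inventory is exactly the case the researchers describe: an AMT that someone other than you provisioned, or one you forgot about.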

Microsoft said that if an attacker with access to AMT credentials attempts to use the SOL channel against a computer running Windows Defender ATP, behavioural analytics coupled with machine learning can detect the targeted attack activity.

“The Platinum tool is, to our knowledge, the first malware sample observed to misuse chipset features in this way. While the technique used here by Platinum is OS independent, Windows Defender ATP can detect and notify network administrators of attempts to leverage the AMT SOL communication channel for unauthorised activity, specifically when used against a computer running Windows,” they said.

Mark James, security specialist at ESET, told SC Media UK that as malware gets more sophisticated so do the measures to defeat it. The people who write and develop malware are always on the lookout for means to install, spread or distribute the software they use and any technique that is “under the radar” or unconventional will stand a higher chance of succeeding in its initial campaign. 

“In this case, utilising an already established communication channel could increase the infection rate and keep it under the radar, but this is also bad for the companies that use AMT. These companies will need to ensure that monitoring those channels is one of their top priorities,” he said.

“Of course, if you are not using AMT for your own purposes then [ensure] it's disabled in the BIOS or from a software level. Layering your defences with a good internet security program on your endpoints and servers will help detect any anomalies. However, bear in mind that currently for this type of compromise to happen the network would already need to be compromised and in most cases AMT SOL is disabled by default.”

Andrew Clarke, EMEA director for One Identity, told SC that this demonstrates the continuing arms race between the potential attacker and organisations. 

“In this case, the PLATINUM malware makes use of a legitimate management tool, Intel Active Management Technology (AMT), to evade standard defence mechanisms such as firewalls and endpoint security,” he said.

“The malware is just using AMT to provide remote access as it is designed to. The only options for an organisation are to not have AMT enabled and to turn off serial-over-LAN communications. It is possible that the malware turned on AMT, particularly if it has administrative privileges within Windows. Effectively managing access to privileged accounts is a must-do factor in the overall arms race.”
