How realistic would it be for ransomware to successfully exploit weaknesses in the obscure firmware systems running inside PCs?
There are certainly a lot of things to aim at, ranging from the UEFI BIOS that boots PCs to the many other barely documented firmware components running on chips most owners pay absolutely no attention to.
An unfortunate characteristic of firmware security has long been the flawed notion of security through obscurity. This states that as long as the inner workings of something remain hidden then attackers probably won’t chance upon any vulnerabilities it might have.
Unfortunately, as numerous hacks have demonstrated over the last two decades, that’s not how digital security works. If a vulnerability exists that’s worth exploiting, sooner or later someone will find it, no matter how obscure it seems.
Bang on cue, a new analysis by firmware security specialist Eclypsium has found that ransomware criminals connected to the Conti group have been researching precisely this kind of attack on Intel’s Management Engine (ME).
This is the latest revelation to emerge from the goldmine of Conti chats leaked earlier this year by someone disgruntled over the group’s support for the Russian invasion of Ukraine.
Hidden Computer
For those who don’t know, ME is a central component of a larger firmware management system called the Converged Security Management Engine (CSME).
Built into all PC motherboards using Intel microprocessors since 2008, ME is an independent subsystem used in corporate environments for remote updating and troubleshooting.
The word ‘independent’ is no exaggeration—ME is not simply a function, but a fully-fledged computer-within-a-computer, complete with its own microprocessor, memory, and Linux-based micro-kernel OS. It can also have its own IP address and hardware MAC ID.
In principle, it can continue working even when a PC is turned off but plugged in. Needless to say, researchers have worried about ME for years, not least because very little of its inner workings is clearly documented.
Few security programs monitor firmware, partly because it’s hard to do but also because documented firmware attacks are incredibly rare (or perhaps they’re rare because nobody monitors for them).
According to Eclypsium, Conti has been researching ways to target ME using various techniques, including software fuzzing (automated black box testing to see whether exploitable errors occur), trying to use the ME as a jumping-off point to compromise the UEFI BIOS, and compromising the System Management Module (SMM) to gain privileges that would undermine OS (ring 0) security. The power and complexity of Intel’s firmware architecture are one reason it’s received fairly regular security patches in recent years.
‘Irreparable Damage’
Concludes Eclypsium: “Such a level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system.”
Eclypsium first mentioned the interest ransomware attackers had in compromising firmware two years ago, and the Conti chats show that this has not abated. Of course, researching and successfully compromising are not the same thing. Pulling off this type of attack would not be as easy as doing the same at the application level. But the rewards might be worth it for a high-value attack that provides complete invisibility and 100% persistence on infected machines.