Leaks Show the Conti Ransomware Gang Was Working on Firmware Exploits
The Conti leaks have revealed that the notorious ransomware organization had been developing firmware attacks against Intel's Management Engine (ME). A Ukrainian hacker began publishing material taken from the cybercrime organization in late February, after Conti declared its support for Russia during the invasion of Ukraine. The published material included chat logs, credentials, email addresses, command-and-control (C&C) server details, and malware source code.
The leaked material also showed that the cybercrime ring ran like any other business, with contractors, salaried workers, and HR problems. According to an analysis of the leaked chats by firmware and hardware security startup Eclypsium, the Conti group had been researching firmware-based attacks, notably those targeting Intel ME.
Intel ME is a subsystem embedded in the chipset of computers with Intel processors, providing capabilities such as out-of-band management and anti-theft protection. According to Eclypsium, Conti developers had been fuzzing the ME interface in an attempt to identify undocumented commands and weaknesses, and more generally to find ways around its protections. The group was also considering building a System Management Mode (SMM) implant, which would let them modify the operating system kernel from a privilege level the OS cannot inspect, and so without being detected.
The chats also showed the cybercriminals reviewing research that prominent Russian cybersecurity firms had made public. Eclypsium found no evidence in the chats of a new or unpatched vulnerability in Intel chipsets, but warned that the bigger problem is that businesses neglect to update chipset firmware regularly, leaving long-patched ME flaws exploitable.
More than a dozen Intel advisories released between 2017 and 2020, Eclypsium's experts note, cover dozens of high-impact ME issues, including ones that allow arbitrary code execution and privilege escalation. An intruder who gains access to the firmware can fully compromise the system. They can also use that access to maintain persistence and evade security solutions and device protections, all of which are valuable capabilities for an organization like Conti. Firmware-level persistence can be monetized by reselling the access to other threat actors or by deploying further ransomware payloads at a later time. Eclypsium has presented several hypothetical attack scenarios that consider the various defenses and settings a targeted machine may have.
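Since Eclypsium's practical advice is to keep chipset firmware current, the first thing a defender needs is an inventory of ME versions. The script below is an added example, not code from the article or from Eclypsium: it parses the firmware version that the Linux mei driver exposes at /sys/class/mei/mei0/fw_ver (one "platform:major.minor.hotfix.build" entry per line) and compares it against a minimum version per ME generation. The baseline numbers in ASSUMED_MIN_VERSION and the SAMPLE_FW_VER contents are placeholders constructed for the example; the real minimum versions must be taken from the Intel advisory that covers your platform. A generation with no baseline is reported as "unknown" rather than "ok", so a gap in the table never reads as a pass.

```python
"""Inventory check for Intel ME/CSME firmware versions on Linux (added example)."""
import re
from pathlib import Path
from typing import Dict, List, NamedTuple, Tuple

# Real sysfs node exported by the Linux mei driver (see Documentation/ABI/testing/sysfs-class-mei).
MEI_FW_VER_PATH = "/sys/class/mei/mei0/fw_ver"

# ASSUMPTION: placeholder minimum versions keyed by ME major generation.
# These are NOT real patched versions; fill them in from the Intel advisory
# that applies to the platform being checked.
ASSUMED_MIN_VERSION: Dict[int, Tuple[int, int, int, int]] = {
    11: (11, 8, 99, 0),
    12: (12, 0, 99, 0),
}

# CONSTRUCTED sample of fw_ver contents in the driver's output format.
SAMPLE_FW_VER = "0:12.0.45.1443\n1:12.0.45.1443\n"


class MEVersion(NamedTuple):
    platform: int
    major: int
    minor: int
    hotfix: int
    build: int

    def number(self) -> Tuple[int, int, int, int]:
        """The comparable part of the version (platform id is not a version)."""
        return (self.major, self.minor, self.hotfix, self.build)

    def __str__(self) -> str:
        return "%d.%d.%d.%d" % self.number()


_LINE = re.compile(r"^(\d+):(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_fw_ver(text: str) -> List[MEVersion]:
    """Parse fw_ver text; each non-empty line is '<platform>:<major>.<minor>.<hotfix>.<build>'."""
    versions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            # Refuse to guess: a malformed line means the node is not what we expect.
            raise ValueError("unexpected fw_ver line: %r" % line)
        versions.append(MEVersion(*map(int, m.groups())))
    return versions


def read_fw_ver(path: str = MEI_FW_VER_PATH) -> List[MEVersion]:
    """Read the live sysfs node. Raises FileNotFoundError if the mei driver is not loaded."""
    return parse_fw_ver(Path(path).read_text())


def check_version(ver: MEVersion, baselines=ASSUMED_MIN_VERSION) -> str:
    """Return 'ok', 'outdated', or 'unknown'. An unlisted generation fails closed."""
    floor = baselines.get(ver.major)
    if floor is None:
        return "unknown"
    return "ok" if ver.number() >= floor else "outdated"


def audit(text: str, baselines=ASSUMED_MIN_VERSION) -> List[Tuple[str, str]]:
    """Pair every reported version string with its status."""
    return [(str(v), check_version(v, baselines)) for v in parse_fw_ver(text)]


if __name__ == "__main__":
    try:
        results = audit(Path(MEI_FW_VER_PATH).read_text())
    except FileNotFoundError:
        print("no mei device found; falling back to the constructed sample")
        results = audit(SAMPLE_FW_VER)
    for version, status in results:
        print(version, status)
```

The driver may list the same version more than once (one entry per firmware block it reports); each line is checked independently so a mismatch between entries is visible. If the sysfs node is absent, the script has no way to tell whether ME is disabled or the driver simply is not loaded, so treat that as "unverified", not "safe".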
According to recent reports, the Conti brand has become toxic as a result of its ties to the Russian government. Sanctions against Russia made it impossible for many victims to pay ransoms. As a result, the operation's organizational structure has been dramatically altered, and the Conti ransomware operation itself appears to have shut down.
The threat actor appears instead to have moved to a decentralized model made up of several autonomous groups. Some of these groups no longer deploy file-encrypting malware and rely entirely on data theft and extortion for revenue, while others continue to use lockers. Firmware exploits of the kind Eclypsium describes would be useful to both, since they offer persistence and evasion regardless of whether files are encrypted.