An advanced hacking group named Platinum uses Intel technology to communicate invisibly with infected systems and networks.
The attack does not even require the host's network card to be enabled.
Last year the group was already in the news for its use of “hotpatching”, a technique that injects code into running processes without having to restart them. It was the first time this technique had been seen used in an attack.
According to Microsoft, the group has a new trick: the use of Intel Active Management Technology (AMT) Serial-over-LAN (SOL) as a communication channel. This channel works independently of the operating system, which means that all traffic sent over it is invisible to firewalls and monitoring tools running on the host.
Active Management Technology (AMT) allows remote management of systems and is part of Intel vPro processors and chipsets.
It runs on the Intel Management Engine (ME), which runs its own operating system on an embedded processor in the chipset.
Because this embedded processor is separate from the main Intel processor, it can be active even when the main processor is powered off. This is what makes it possible to manage systems remotely in the first place.
AMT includes a Serial-over-LAN (SOL) feature that exposes a virtual serial device whose traffic is carried over TCP.
This functionality works independently of the operating system and of the network stack on the host: the Management Engine uses its own network stack and has direct access to the hardware network interface.
Even if the host's network card is disabled in the operating system, SOL keeps working as long as the system is physically connected to the network.
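As an added example (not from the article or from Microsoft's report), the following Python script shows the defender-side consequence of this design: because host-based tools cannot see SOL traffic, detection has to happen on network flow data captured off the host. It checks constructed flow records for connections to the default Intel AMT service ports from any source other than an allow-listed management console; the port numbers come from Intel's AMT documentation, and the console address and flow records are hypothetical values.

```python
import ipaddress
from collections import defaultdict

# Default TCP ports of Intel AMT services (from Intel's AMT documentation,
# not from the article): 16992/16993 = web UI and WS-Management (plain/TLS),
# 16994/16995 = redirection, i.e. Serial-over-LAN and IDE-R (plain/TLS).
AMT_PORTS = {16992: "amt-http", 16993: "amt-https",
             16994: "amt-redirection-sol", 16995: "amt-redirection-sol-tls"}

# Hypothetical allow-list of management consoles permitted to talk to AMT.
AUTHORIZED_CONSOLES = {ipaddress.ip_address("10.0.0.5")}

# Constructed flow records: "src_ip src_port dst_ip dst_port proto bytes".
SAMPLE_FLOWS = """\
10.0.0.5 50234 10.1.1.20 16994 tcp 8192
10.1.1.20 51000 93.184.216.34 443 tcp 1200
10.1.1.45 50801 10.1.1.20 16994 tcp 65536
10.1.1.45 50802 10.1.1.21 16995 tcp 40960
10.1.1.45 50803 10.1.1.21 16992 tcp 2048
"""

def parse_flow(line):
    src, sport, dst, dport, proto, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}

def find_unauthorized_amt(flow_text, authorized=AUTHORIZED_CONSOLES):
    """AMT flows from non-authorized sources. Host tools cannot see this
    traffic (the ME has its own network stack), so run it on off-host flow data."""
    alerts = []
    for line in flow_text.splitlines():
        f = parse_flow(line)
        service = AMT_PORTS.get(f["dport"])
        if service is None or f["proto"] != "tcp" or f["src"] in authorized:
            continue
        alerts.append({"src": str(f["src"]), "dst": str(f["dst"]),
                       "service": service, "bytes": f["bytes"]})
    return alerts

def by_source(alerts):
    """Group alerts by offending source: which AMT endpoints it reached."""
    reached = defaultdict(set)
    for a in alerts:
        reached[a["src"]].add(a["dst"])
    return {src: sorted(dsts) for src, dsts in reached.items()}

if __name__ == "__main__":
    for a in find_unauthorized_amt(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']} {a['service']} {a['bytes']}B")
```

Feeding it real NetFlow or Zeek conn records is a matter of adapting `parse_flow`; the allow-list is the important part, since legitimate AMT use from the management console looks identical on the wire.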
Through this backdoor, as Microsoft calls it, the attackers can communicate invisibly with the system and copy files to and from it.
Further investigation showed that the backdoor does not abuse any other vulnerabilities in Intel technology.