Microsoft has discovered a new version of PLATINUM’s file transfer tool. The new tool uses Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication.
The tool bypasses the operating system. Thus, it renders the firewall useless. However, Windows Defender can apparently detect suspicious uses of the protocol. This is possible through machine learning. It then displays a notification to the administrator.
Microsoft claims there has been no instance of this feature being exploited until now. According to Microsoft, the hack does not expose a vulnerability in AMT.
We confirmed that the tool did not expose vulnerabilities in the management technology itself, but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications.
AMT Serial-over-LAN (SOL) communication channel
Active Management Technology (AMT) is used for remote management. Intel provides it as a feature of vPro™ processors and chipsets. AMT runs in the Intel Management Engine (ME) on its own operating system on a separate embedded chipset. The process can run independently of the main CPU to provide remote administration capabilities such as remote power-cycling and keyboard, video, and mouse control (KVM).
AMT has a Serial-over-LAN (SOL) feature that exposes a virtual serial device with a chipset-provided channel over TCP.
This functionality works independently of the device host operating system networking stack. The engine makes use of its own networking stack and has access to the hardware network interface. This means that even if networking is disabled on the host, SOL will still function as long as the device is physically connected to the network.
What you can do
There is some good news in all of this though, as computers making use of the Windows Defender ATP (Advanced Threat Protection) service – running Windows 10 version 1607 or later and Configuration Manager 1610 or later – can rest assured. The service is able to not only detect a “targeted attack activity” similar to PLATINUM’s, but it can also “differentiate between legitimate usage of AMT SOL and targeted attacks attempting to use it as a communication channel.
Furthermore, to enable SOL functionality, the device AMT must be provisioned. Also, establishing a SOL session requires a username and password. One possibility is that PLATINUM might have obtained compromised credentials from victim networks. Another possibility is that PLATINUM, once they obtained administrative privileges on the system, proceeded to provision AMT.
Microsoft provided a video that demonstrates how the exploit is executed. You can check out the video below.