Not long ago, researchers at Eclypsium got a lucky break. An unknown and unidentified individual began leaking communications from inside the Conti ransomware organization.
These leaked communications seemed to confirm what has long been suspected: That there are strong ties between the Conti gang and Russia’s FSB (military intelligence).
This sounds like something right out of a spy movie, but it’s not. The leaked messages indicate that several members of the Conti gang have been actively working on developing a new attack vector that specifically targets Intel firmware, allowing Conti to launch its ransomware attack. Some of the black hat developers even got as far as to develop a working proof of concept for others to review.
Firmware attacks are fairly rare, but they do happen. To pull it off, the attacker would first need to access the system via a conventional in-road. For example, a phishing email where the victim would unwittingly give the hackers access, or perhaps by exploiting some other known vulnerability.
In one particularly exotic scenario, they could even make this attack work without prior access. They can do this by leveraging Intel’s Management Engine to force the target machine to reboot, then supply virtual media to draw from on the reboot.
It’s unlikely and would take a tremendous amount of skill, but Conti has shown in recent months that they have the expertise to pull something like that off.
Fortunately, word of the new attack vector has gotten out, the details have made their way to Intel, and Intel has updated their firmware.
If you’re using an Intel machine, you should grab the latest update as soon as possible. Conti is a well-known, notorious gang with ties to Russia. You don’t want your company in their crosshairs, so do everything you can do minimize that risk.