Why I Am Not A Fan of Software Firewalls

Microsoft has detailed an attack by an Asian hacking group that can evade the Windows (or likely any other OS) Firewall.  That is because the attack operates at a level below the operating system.   Microsoft has dubbed the group PLATINUM.

The attack leverages a known flaw in the Intel Management Platform called Active Management Technology or AMT. The recently announced flaw goes back to 2010 and there is no telling how many hackers and nation states knew about it before Intel announced it.  Tenable Security discovered the flaw before Intel announced it, so it is likely that others knew about it also.

While Intel announced a firmware update a month ago, given how hard it is to get companies to simply install patches that Microsoft releases (like those that would have prevented WannaCry), you can only guess how long it will take companies to reflash the firmware on AMT-enabled PCs – likely never.

AMT is a technology that allows companies to remotely manage PCs.  As such, it runs underneath the operating system and has access to the hardware, network and firmware, including the mouse and keyboard, so an attacker who controls it can do pretty much anything he wants.

Most of the time companies do not make AMT open to the Internet, so an attack would need to start from the inside, i.e. this would need to be a secondary attack, but realistically, that is not so hard.  However, probes have shown that, unfortunately, some companies have enabled it publicly.

One security expert said he could exploit the flaw using 5-10 lines of Python code, in about 15 minutes.

Now back to the subject line of the post.

While this attack will totally and completely neuter a Windows Firewall, it would have no effect on an external hardware firewall.

Obviously, the AMT flaw is much bigger than bypassing a Windows Firewall.  Now that this AMT exploit is known, any attacker who manages to get into the enterprise, say with a social engineering attack, and who can write 5-10 lines of Python code will be able to do a lot of damage.

Now for the good news.  Most consumer grade PCs do not have AMT capabilities.  It may exist in the hardware, but if it does, it is turned off to distinguish the consumer PC as a lower grade product.  Also, many small business computers will not have AMT enabled, so any attacks would be aimed at large businesses and government organizations.  I am not sure that makes me feel better.

Intel has released a tool that will allow companies to test if their computers have AMT enabled and if that version of AMT has the bug.

Information for this post came from Dark Reading and Ars Technica.
