Hello, welcome to the Monday, June 12th, 2017 edition of the Sands and Storm Center's Stormcast. My name is Johannes Ulrich and the

I'm recording from Washington, D.C. According to Kerspersky, the recent Samba remote code execution vulnerability

is being exploited in order to install Bitcoin miners on vulnerable devices.

Now, this vulnerability has often been compared to the Eternal Blue or Wanna Cry vulnerability

that, of course, affected Windows SMB.

In this particular case, however, the attacker first does need to be able to log into the

system and does need to be able to upload a file to the system. So while there are hundreds of

thousands of Samba systems that are exposed to the internet, only few of them are actually exploitable, and Kaspersky detected

this exploit in a honeypot that was specifically set up to be vulnerable. And Microsoft is

reporting about an interesting covert channel that it found. It was used as part of an advanced hacking campaign

that Microsoft calls Platinum. Now, in this particular case, the Malaver used Intel's active

management technology or AMT in order to communicate with other systems on the network.

Now, AMT was recently in the news due to a vulnerability.

This is not related at all to this vulnerability.

The attacker here was really just taking advantage of this particular feature and using it as

a covert channel.

Again, the protocol they're using here is serial

over LAN. And of course, since AMT is its own little system, it does work even if the system

is powered down and it's not restricted or monitored by the operating system. So, for example, host-based firewalls will not block this communication.

Now Microsoft does go into some detail in how this particular covert channel is implemented,

and also how to detect any software running on a system that is using AMT.

So this particular cover channel is something you would find on a system that's already thoroughly compromised.

...