Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls
-
Not knowing that much about how pfSense/pfBlockerNG works, I was wondering if pfSense somehow blocks incoming/outgoing data from Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface, which bypasses the local computer's networking stack. I am not sure how you would set up pfSense to block such computer intrusions. It seems that if AMT/SOL can send out data, pfSense will allow traffic to pass in both directions.
Any insight about this? Thanks.
https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/
-
I would doubt that pfSense ever sees those packages, as it seems they're routed directly to AMT.
Have a look here.
http://thehackernews.com/2017/06/intel-amt-firewall-bypass.html
Seems like the best you can do is disable AMT in your BIOS.
/Bingo
-
Since my pfSense is running on an external controller, it seems that it would see it. Reading about this further, AMT is supposedly disabled on all Intel systems and must be activated using some kind of Intel software or firmware. I guess there isn't anything to really worry about, unless hackers have found a way to remotely activate it on other computers. It would be nice to discover what ports AMT uses, if any, to be able to permanently block them.
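As an added example that is not part of the thread: pfSense is built on pf, so the ports Intel documents for AMT (16992/16993 for the web interface, 16994/16995 for the SOL/KVM redirection service, 623/664 for RMCP/ASF) can be blocked and logged on the firewall that sits outside the host. The interface names and the management-host address below are assumptions.

```pf
# Constructed example: pf rules for a pfSense box sitting outside the AMT host.
# Interface names and the management host are assumptions, not thread values.
lan_if   = "igb1"            # assumed LAN interface facing the AMT-capable PC
wan_if   = "igb0"            # assumed WAN interface
it_mgmt  = "192.0.2.10"      # assumed IT workstation allowed to use AMT

# Ports Intel documents for AMT: web UI (16992/16993),
# SOL/KVM redirection (16994/16995) and RMCP/ASF (623/664).
amt_tcp  = "{ 16992, 16993, 16994, 16995 }"
amt_rmcp = "{ 623, 664 }"

# Let one known management host reach AMT; "quick" stops further evaluation.
pass quick on $lan_if proto tcp from $it_mgmt to any port $amt_tcp

# Anything else heading to or from the AMT ports on the LAN is dropped and logged,
# so an AMT session the host OS never sees still shows up in the pf log.
block log quick on $lan_if proto tcp to any port $amt_tcp
block log quick on $lan_if proto tcp from any port $amt_tcp
block log quick on $lan_if proto { tcp, udp } to any port $amt_rmcp
block log quick on $lan_if proto { tcp, udp } from any port $amt_rmcp

# Nothing from the WAN may reach the AMT ports on the LAN.
block log quick on $wan_if proto tcp to any port $amt_tcp
block log quick on $wan_if proto { tcp, udp } to any port $amt_rmcp
```

In the pfSense GUI the same rules are floating or interface rules with logging enabled; they only cover traffic that crosses the firewall, so an attacker on the same LAN segment as the AMT host is not affected, which is why disabling AMT in the BIOS remains the stronger control.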