Netgate Discussion Forum

Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls

Firewalling

battles, Jun 9, 2017, 12:50 PM

    Not knowing that much about how pfSense/pfBlockerNG works, I was wondering if pfSense somehow blocks incoming/outgoing data from Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface that bypasses the local computer's networking stack.  I am not sure how you would set up pfSense to block such computer intrusions.  It seems that if AMT/SOL can send out data, pfSense will allow traffic to pass in both directions.

    Any insight about this?  Thanks.

    https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

    pfSense 2.3.4-RELEASE-p1 (i386)
    FreeBSD 10.3-RELEASE-p19
    pfBlockerNG 2.1.2_1
    Snort Security 3.2.9.5_3
    Intel(R) Atom(TM) CPU N270 @ 1.60GHz

bingo600, Jun 11, 2017, 7:45 PM

      I would doubt that pfSense ever sees those packages, as it seems they're routed directly to AMT.

      Have a look here.
      http://thehackernews.com/2017/06/intel-amt-firewall-bypass.html

      Seems like the best you can do is disable AMT in your BIOS.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

battles, Jun 12, 2017, 12:12 AM

        Since my pfSense is running on an external controller, it seems that it would see it.  Reading about this further, AMT is supposedly disabled on all Intel systems and must be activated using some kind of Intel software or firmware.  I guess there isn't anything to really worry about, unless hackers have found a way to remotely activate it on other computers.  It would be nice to discover what ports AMT uses, if any, to be able to permanently block them.

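On the question of which ports AMT uses and whether an external pfSense can see them: the management engine shares the host's NIC and IP address and answers on a fixed set of TCP ports (16992/16993 for WS-Management and the web UI, 16994/16995 for the redirection service that carries Serial-over-LAN, and 623/664 for ASF RMCP). Because it bypasses the host's own network stack, nothing running on that host can block it, but a separate firewall on the path does see it as ordinary traffic from the host's IP. The script below is an added example, not code from either poster or from the pfSense/pfBlockerNG project: it probes LAN hosts for AMT listeners from another machine and emits pf rules that block and log those ports on the LAN interface. The interface name `em1` and subnet `192.168.1.0/24` are hypothetical placeholders.

```python
"""Inventory Intel AMT listeners on a LAN and emit pf rules that block them.

Added example for the thread above; not code from the posters or from
pfSense/pfBlockerNG. Port numbers are the documented Intel AMT defaults;
the interface and subnet names are hypothetical placeholders.
"""
import socket

# Default TCP ports used by Intel AMT's management engine.
AMT_TCP_PORTS = {
    16992: "AMT HTTP (WS-Management / web UI)",
    16993: "AMT HTTPS (WS-Management / web UI, TLS)",
    16994: "AMT redirection (Serial-over-LAN, IDE-R)",
    16995: "AMT redirection over TLS",
    623:   "ASF RMCP (also UDP)",
    664:   "ASF secure RMCP (also UDP)",
}


def probe_amt(host, ports=None, timeout=0.5):
    """Return {port: True/False} for the TCP ports on host that accept a connection.

    A host whose management engine is provisioned answers on its own IP on these
    ports even when the OS firewall is closed, because the ME shares the NIC and
    bypasses the host network stack. Run this from a different machine on the LAN.
    """
    ports = list(AMT_TCP_PORTS) if ports is None else list(ports)
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success, an errno (e.g. ECONNREFUSED) otherwise
            result[port] = s.connect_ex((host, port)) == 0
    return result


def amt_enabled_hosts(hosts, ports=None, timeout=0.5):
    """Return {host: [open AMT ports]} for hosts with at least one AMT port open."""
    found = {}
    for host in hosts:
        open_ports = sorted(p for p, ok in probe_amt(host, ports, timeout).items() if ok)
        if open_ports:
            found[host] = open_ports
    return found


def pf_block_rules(lan_if="em1", lan_net="192.168.1.0/24"):
    """Return pf.conf lines that block and log AMT traffic crossing the LAN interface.

    Hypothetical interface/subnet names. On pfSense the same thing is done in the
    GUI: a port alias holding these ports and LAN rules with action Block and
    logging enabled, so hits show up in the firewall log.
    """
    tcp = " ".join(str(p) for p in sorted(AMT_TCP_PORTS))
    udp = "623 664"
    return "\n".join([
        "# Block Intel AMT management/redirection ports crossing the LAN interface",
        f'amt_tcp = "{{ {tcp} }}"',
        f'amt_udp = "{{ {udp} }}"',
        # no in/out keyword: match both directions on the interface
        f"block log quick on {lan_if} proto tcp from {lan_net} to any port $amt_tcp",
        f"block log quick on {lan_if} proto udp from {lan_net} to any port $amt_udp",
        f"block log quick on {lan_if} proto tcp from any to {lan_net} port $amt_tcp",
        f"block log quick on {lan_if} proto udp from any to {lan_net} port $amt_udp",
    ])


if __name__ == "__main__":
    # Constructed sample: sweep a few LAN addresses, then print the rules.
    sample_hosts = [f"192.168.1.{n}" for n in (10, 11, 12)]
    print("AMT listeners found:", amt_enabled_hosts(sample_hosts))
    print(pf_block_rules())
```

Two caveats a practitioner will want: the rules only apply to traffic that actually traverses pfSense, so two hosts on the same LAN segment can still reach each other's AMT ports without the firewall ever seeing it; and a probe that finds nothing open does not prove AMT is off, only that it is not provisioned for network access, so disabling it in the BIOS (as suggested above) remains the stronger control.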