It comes as no surprise that attacks on ports related to Intel® AMT have risen after the recent disclosure of an escalation-of-privilege vulnerability in Intel® Active Management Technology (AMT) that can allow an unprivileged attacker to gain control of the manageability interface of the affected servers. This exploit has been dubbed “Silent Bob is Silent” and is shockingly simple to perform. Intel has published a full mitigation guide to disable the attack vector until a permanent solution is in place.
Per Intel® documentation, the affected ports to monitor are 16992, 16993, 16994, 16995, 623, and 664. So, let’s review the recently dropped packets on those ports and where they’re coming from since the vulnerability was disclosed:
The good news is that it appears a majority of the dropped packets were from scanning services, such as the Shadowserver Foundation and Project Sonar. However, the remaining attackers probably didn’t have good intentions in their attempt to get in.
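One way to produce this kind of per-source tally of dropped packets on the AMT ports is sketched below. This is an added example, not the author's tooling: it assumes iptables-style kernel log lines with a `DROP` prefix, and the sample lines are constructed using documentation address ranges.

```python
import re
from collections import Counter

# Ports listed above, per Intel documentation, for AMT monitoring.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Assumed format: iptables LOG-target lines carrying SRC= and DPT= fields.
LINE_RE = re.compile(r"\bSRC=(\S+).*?\bDPT=(\d+)")

# Constructed sample log (not real traffic); addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
May 10 03:12:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=16992 SYN
May 10 03:12:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=16993 SYN
May 10 04:40:17 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=51000 DPT=623
May 10 04:40:19 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=22 SYN
May 10 06:01:55 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=203.0.113.5 PROTO=TCP SPT=33211 DPT=16992 SYN
May 10 06:02:30 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40200 DPT=664 SYN
May 10 06:03:00 fw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
"""

def tally_amt_drops(log_text, ports=AMT_PORTS):
    """Return (drops per source IP, drops per port) for the AMT ports only."""
    by_source, by_port = Counter(), Counter()
    for line in log_text.splitlines():
        if "DROP" not in line:
            continue  # only dropped packets are of interest here
        match = LINE_RE.search(line)
        if not match:
            continue  # e.g. ICMP or malformed lines with no destination port
        src, dpt = match.group(1), int(match.group(2))
        if dpt in ports:
            by_source[src] += 1
            by_port[dpt] += 1
    return by_source, by_port

if __name__ == "__main__":
    sources, ports = tally_amt_drops(SAMPLE_LOG)
    print("Dropped packets on AMT ports by source:")
    for src, count in sources.most_common():
        print(f"  {src:<15} {count}")
    print("By destination port:")
    for port, count in sorted(ports.items()):
        print(f"  {port:<5} {count}")
```

Reverse DNS or WHOIS lookups on the top sources can then separate known research scanners from everything else.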
The bad news is that after running the INTEL-SA-00075 Discovery Tool, I found one of my servers was affected.
I contacted the manufacturer of the motherboard, Super Micro Computer, Inc., and spoke with Application Engineer Kin Yan. He stated, “Our team is working on this BIOS update to fix this issue. The target release date of this BIOS is by the end of this month.” In the meantime, he strongly recommended disabling Intel® AMT in the BIOS settings until the vulnerability was patched.