This type of attack scenario — codenamed HVACKer by its creators — relies on custom-built malware that is capable of interacting with a computer’s thermal sensors to read temperature variations and convert these fluctuations into zeros and ones — binary code.
HVACKer attacks are only useful for relaying commands into an air-gapped network, not for stealing data. In tests, the research team was able to send data into an air-gapped network via HVAC systems at bit rates of 40 bits per second, a more than acceptable transmission speed.
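To make the channel concrete, here is an added toy model (not code from the article or from the HVACKer researchers) of how a receiver turns a thermal-sensor trace into bits, paired with a heuristic a defender could run over the same trace to flag the artificial oscillation. The sensor readings are constructed, and the encoding (one bit per WINDOW samples, a high reading meaning 1) and every threshold are assumptions chosen for illustration.

```python
"""Added example, not from the article or from the HVACKer researchers: a toy
model of the thermal covert channel described above, plus a detection
heuristic over the same trace. Readings are constructed; the encoding and
thresholds are assumptions."""

from statistics import mean

WINDOW = 4  # assumed: sensor samples per transmitted bit


def text_to_bits(text):
    """MSB-first bits of the UTF-8 encoding of `text`."""
    return [(byte >> (7 - i)) & 1 for byte in text.encode() for i in range(8)]


def bits_to_text(bits):
    """Inverse of text_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return out.decode(errors="replace")


def build_trace(bits, low=21.0, high=23.0, window=WINDOW):
    """Constructed transmitter model: hold the reading at `high` for a 1 and
    at `low` for a 0, `window` samples per bit. Used only to generate data."""
    trace = []
    for b in bits:
        trace.extend([high if b else low] * window)
    return trace


def window_means(trace, window=WINDOW):
    """Average each non-overlapping window of `window` readings."""
    return [mean(trace[i:i + window])
            for i in range(0, len(trace) - window + 1, window)]


def decode_bits(trace, window=WINDOW):
    """Receiver side: a window whose mean lies above the midpoint of the
    trace's range is read as 1, otherwise 0. Assumes both levels occur."""
    if not trace:
        return []
    threshold = (min(trace) + max(trace)) / 2
    return [1 if m > threshold else 0 for m in window_means(trace, window)]


def looks_modulated(trace, window=WINDOW, min_step=0.8, min_reversals=4):
    """Defender heuristic: count direction reversals between consecutive
    window means whose size exceeds `min_step` degrees. Natural HVAC drift
    produces few abrupt reversals; a bit stream produces one at nearly
    every bit edge."""
    means = window_means(trace, window)
    reversals, last_dir = 0, 0
    for a, b in zip(means, means[1:]):
        step = b - a
        if abs(step) < min_step:
            continue
        direction = 1 if step > 0 else -1
        if last_dir and direction != last_dir:
            reversals += 1
        last_dir = direction
    return reversals >= min_reversals


# Constructed benign trace: a slow ramp from 21.0 to about 23.0 over 32 samples.
BENIGN_TRACE = [21.0 + 0.0625 * i for i in range(32)]

if __name__ == "__main__":
    covert = build_trace(text_to_bits("Hi"))
    print("decoded:", bits_to_text(decode_bits(covert)))
    print("covert trace flagged:", looks_modulated(covert))
    print("benign trace flagged:", looks_modulated(BENIGN_TRACE))
```

The detector only looks at reversal frequency, so a real deployment would tune `min_step` to the sensor's noise floor and `min_reversals` to the longest run of legitimate cycling the room's HVAC produces; the point is that a bit stream has to change direction far more often than a thermostat does.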
A vulnerability was found in a subsystem of Intel ME version 11+ (the subsystem change will be detailed in the talk). It allows an attacker with access to the machine to run unsigned code in the PCH on any Skylake-or-later motherboard. The main system can remain functional, so the user may not even suspect that his or her computer now carries malware that survives reinstalling the OS and updating the BIOS. Running your own code on the ME gives researchers unlimited possibilities, because it allows the system to be explored dynamically.
Researchers say the malware deployed with CCleaner would deploy a second backdoor trojan whenever the computer was on a corporate domain matching a simple filter. According to data researchers retrieved from the malware's C&C server, attackers targeted companies such as Intel, VMware, O2, Vodafone, Linksys, Epson, MSI, Akamai, D-Link, Oracle (Dyn), Singtel, HTC, Samsung, Sony, Gauselmann, and even the almighty Microsoft and Google (Gmail).
Both Avast and Cisco say C&C data suggest that attackers compromised over 700,000 users with the first stage malware (that collected user info), and only 20 computers with the second stage backdoor. Attackers did not target any company from China or Russia. The first stage malware shared code with malware used in the past by Axiom/APT17, and the C&C server was configured to use a Chinese timezone.
By turning the voltage up and down from one thread, researchers were able to flip bits in another thread. By flipping bits while the second thread was verifying the TrustZone key, the researchers got the verification to pass and were granted permission.
If a number 'A' is the product of two large prime numbers, you can flip a few bits in 'A' to get a number that is a product of many smaller primes and therefore far easier to factor. This is what the researchers did.
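The arithmetic behind that last point, as an added example that is not code from the article or from the CLKSCREW researchers: it shows on a constructed toy modulus (101 × 103, far smaller than any real key) that a single-bit fault can turn a product of two primes above a smoothness bound into a product of small primes, and it pairs that with the check a verifier can do so that a faulted modulus is never used. The smoothness bound of 100, the bit positions and the digest-pinning scheme are all assumptions for illustration.

```python
"""Added example, not from the article or the CLKSCREW researchers: a toy
illustration of why a corrupted RSA modulus is dangerous (it may become a
product of small primes) together with an integrity check a verifier can
run before using the modulus. Toy modulus and bound are constructed."""

import hashlib


def small_factors(n, bound):
    """Trial-divide n by 2 and then odd d up to `bound`.
    Returns (factors found, remaining cofactor)."""
    factors = []
    d = 2
    while d <= bound and d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1 if d == 2 else 2
    return factors, n


def is_smooth(n, bound):
    """True when every prime factor of n is at most `bound`."""
    _, rest = small_factors(n, bound)
    return rest <= bound


def flip_bit(n, i):
    """Model a single-bit fault at bit position i."""
    return n ^ (1 << i)


def fragile_bits(n, bound):
    """Bit positions where one fault turns n into a `bound`-smooth number,
    i.e. positions at which a verifier that trusts the faulted value would be
    checking signatures under a modulus that is trivial to factor."""
    return [i for i in range(n.bit_length()) if is_smooth(flip_bit(n, i), bound)]


# Constructed toy modulus; real moduli are 2048+ bits, but the idea is the same.
P, Q = 101, 103
N = P * Q  # 10403


def modulus_digest(n):
    """SHA-256 of the modulus's big-endian encoding."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


EXPECTED_DIGEST = modulus_digest(N)  # assumed to be pinned at provisioning time


def verify_modulus_intact(n_in_use):
    """Mitigation: compare the modulus actually loaded into the verifier
    against its pinned digest before it is used for any check."""
    return modulus_digest(n_in_use) == EXPECTED_DIGEST


if __name__ == "__main__":
    print("N =", N, "fragile bit positions (bound 100):", fragile_bits(N, 100))
    faulted = flip_bit(N, 13)
    print("N with bit 13 flipped:", faulted, "->", small_factors(faulted, 100))
    print("intact?", verify_modulus_intact(N), verify_modulus_intact(faulted))
```

With bit 13 flipped, 10403 becomes 2211 = 3 × 11 × 67, every factor below the bound, which is exactly the "product of many smaller numbers" the paragraph describes. The digest check is the cheap defensive counterpart: a verifier that re-derives the digest of the modulus it is about to use, and refuses to proceed on mismatch, does not silently accept a faulted key, although a determined glitching attacker can of course also target the comparison itself, so the check is a hardening step rather than a complete fix.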