How MetaDefender Kiosk Protects Against Device Firmware Upgrade Attacks

Removable media is a security headache for many organizations, whether USB drives, memory cards, external hard disks, CDs/DVDs or mobile phones. USB attacks in particular come in many forms, and researchers at Ben-Gurion University identified 29 different types of USB-based attacks. One of them is the Device Firmware Upgrade (DFU) attack, which exploits "a legitimate process supported by the USB standard, to update local legitimate firmware to a malicious version," as Catalin Cimpanu put it.

In this blog we're going to simulate a DFU-style attack in which an employee brings a USB drive holding a malicious firmware upgrade executable into a corporate network, and then show how OPSWAT's MetaDefender Kiosk can help prevent it. Note that what we build is a trojanized firmware-update installer carried on the drive, not a rewrite of the USB device's own controller firmware; the defensive point is the same, namely that the file has to be inspected before it ever reaches a host on the protected network.

Developing the Attack

We will use msfvenom, the Metasploit Framework's payload generator and encoder, with a few extra options (payload type, encoder, encoder iterations and output format) to produce a malicious executable posing as a firmware upgrade.

The scenario is a C2 (Command-and-Control) server taking control of the victim's system the moment the payload executes. The payload is a reverse-TCP shell encoded with shikata_ga_nai, or SGN (Japanese for roughly "nothing can be done"), a polymorphic XOR additive-feedback encoder that produces a different byte sequence on every run and therefore defeats naive static signatures, though not behavioural detection. For the demonstration we also set up a C2 listener on a chosen IP address and port, the same values that are baked into the payload so it knows where to connect back.

Compromising a System

Let's take a real-world scenario: an employee downloads a firmware upgrade file from an untrusted third party, copies it to a USB drive and brings it into the company to use.
What happens when this USB drive is inserted into a system and the file is run by the user?
The moment the employee plugs the drive in and launches the file, the payload connects back to the attacker-controlled machine, i.e. the C2 server.

Let's see how it goes.

We now have a command shell on the victim machine and, acting as the attacker, can run any commands we like from the C2 server.

But the question is: is there something we can do to prevent this attack from happening?

How Does MetaDefender Kiosk Help Prevent This Type of Attack?

MetaDefender Kiosk acts as a digital security guard, inspecting all media for malware, vulnerabilities and sensitive data before it enters the organization. The Kiosk is designed for installation at the physical entry point of secure facilities or at the boundary of an air-gapped network.

Now let's see it in action.

We insert the USB drive containing the malicious firmware upgrade file into a MetaDefender Kiosk.

Now let's scan the whole USB drive and see what MetaDefender Kiosk finds.

Within a few seconds, we're presented with a report stating that this firmware upgrade file is malicious and that MetaDefender Kiosk has blocked it.

As you can imagine, MetaDefender Kiosk can do a great deal more to protect OT/ICS (Industrial Control Systems) and critical infrastructure environments against malware and zero-day attacks. Most of these environments are air-gapped and can only be updated via portable media, which MetaDefender Kiosk can audit, scan and sanitize before malware reaches a critical OT network. OPSWAT MetaDefender Kiosk combines several threat-prevention technologies, including multi-scanning engines, boot sector scanning, Deep Content Disarm and Reconstruction (CDR), Proactive Data Loss Prevention (DLP), file-based vulnerability assessment and a country-of-origin check, to mitigate risk and reinforce compliance.
