Activate Firmware Update Mode

From attackics
Jump to navigation Jump to search
Activate Firmware Update Mode
Technique
ID T0800
Tactic Inhibit Response Function
Data Sources Application logs, Sequential event recorder, Network protocol analysis, Packet capture
External Contributors Joe Slowik - Dragos
Asset Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay

Description

Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.


Procedure Examples

  • The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E.1
  • The Industroyer SPIROTEC DoS module places the victim device into "firmware update" mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission.2

Mitigations

  • Communication Authenticity - Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
  • Access Management - All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.
  • Network Allowlists - Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.3
  • Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.3
  • Filter Network Traffic - Filter for protocols and payloads associated with firmware activation or updating activity.