USB-Bootkit – New Bootkit via USB Interface in Supply Chain Attacks

  • USB-Bootkit – New Bootkit via USB Interface in Supply Chain Attacks

    Sunday from 10:00 – 11:50 in Sunset 4 at Planet Hollywood
    Audience: Offense, Defense and Hardware. Haowen Bai

    USB-Bootkit, a new type of Bootkit via the USB interface, contains malicious code inside the USB device that gets executed every time the system boots up. The malicious device, located either on the motherboard or inside external HID devices such as the keyboard, is invisible to ordinary users and capable of re-infecting the system after the OS is reinstalled or the hard drive is formatted or even replaced.

    In order to make it look innocuous, we implanted the USB-Bootkit inside a keyboard without changing the outward appearance. Supply chain attacks could be leveraged to replace the device and modify boot sequences accordingly. Once it is used by the target, we are able to carry out attacks persistently. Legacy and UEFI modes are both covered in one USB device, which adapts to the target system automatically. In the demonstration, the attack originates from the malicious keyboard and is able to compromise the fully patched Windows 10 x64 operating system from power-on. The USB-Bootkit gets disconnected automatically afterwards to avoid being discovered when the victim logs into the operating system.

    Haowen Bai
    Haowen Bai, a senior security research engineer at QiAnXin Threat Intelligence Center (@RedDrip7), has over 12 years of work experience in network security, including the discovery of zero-day vulnerabilities in targeted attacks. He is currently researching innovative approaches to discovering vulnerabilities and exploits on the Windows platform, as well as using big data analysis systems to catch perilous threats in the wild.