Incident Response Case Study – Backdoor VPN Subversion
Special guest: Tyler Hudak, Practice Lead, Incident Response.
Tyler Hudak has 20 years of experience in incident handling, malware analysis, computer forensics, and information security for multiple Fortune 500 firms. He is also the IR Practice Lead at TrustedSec. Tyler has authored five courses on PluralSight.
In this episode, Tyler shares a case study where he was tasked with going up against multiple Advanced Persistent Threat (APT) groups. In his IR team, Tyler performed reverse-engineering, forensics, IR, and interfaced with C-level professionals to manage the situation.
It was determined that one of the APT groups was making heavy use of a custom “back door” technique. After compromising a system, the back door was loaded to subvert the VPN: whenever the rootkit saw network traffic bound for the group's command-and-control servers, it routed that traffic around the VPN. This made the traffic invisible to the IR team whenever a client was offsite, which made it an effective way of evading detection.
It was discovered that multiple back doors had been loaded within the customer’s systems, each carrying “internal versioning in the executable”. Because the back doors were written in C++, the attackers were able to create “plug-ins” that changed the command-and-control protocol on the fly: HTTP, FTP, SSL, and a number of other protocols could be switched out and brought back on demand to confuse detection.
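The two behaviours described above, C2 traffic routed around the VPN tunnel and the same destination being contacted over a rotating set of protocols, both leave a trace in host-level flow records. The following added example (not code from the podcast, from Tyler Hudak or from TrustedSec) shows one way an IR team could hunt for them: it reads a constructed host-agent log in which each line is either a VPN state change or an outbound flow tagged with its egress interface, flags flows that left through the physical interface to a non-internal address while the tunnel was up, and then reports any flagged destination that was reached over more than one protocol or port. The log format, the tunnel interface name `tun0`, the VPN gateway address and the internal ranges are all assumptions.

```python
"""Hunt for flows that escaped the VPN tunnel and for protocol switching to one destination."""
import ipaddress
from dataclasses import dataclass

VPN_IFACE = "tun0"                                    # assumed name of the tunnel interface
VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")    # assumed VPN concentrator (documentation range)
# Explicit internal ranges; ipaddress.is_private is deliberately avoided because it also
# treats the RFC 5737 documentation ranges used in this sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log: "<ts> vpn up|down" or "<ts> <iface> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2024-05-01T09:00:00Z vpn up
2024-05-01T09:00:05Z eth0 203.0.113.10:443 udp
2024-05-01T09:01:00Z tun0 10.20.30.40:445 tcp
2024-05-01T09:01:30Z eth0 192.168.1.1:53 udp
2024-05-01T09:02:00Z eth0 198.51.100.7:443 tcp
2024-05-01T09:03:00Z eth0 198.51.100.7:21 tcp
2024-05-01T09:04:00Z eth0 198.51.100.7:80 tcp
2024-05-01T09:05:00Z vpn down
2024-05-01T09:06:00Z eth0 198.51.100.9:80 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    iface: str
    dst: ipaddress.IPv4Address
    port: int
    proto: str


def parse_events(lines):
    """Yield ('vpn', ts, 'up'|'down') or ('flow', Flow) in log order."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[1] == "vpn":
            yield ("vpn", parts[0], parts[2])
        else:
            ts, iface, dst, proto = parts[:4]
            ip, port = dst.rsplit(":", 1)
            yield ("flow", Flow(ts, iface, ipaddress.ip_address(ip), int(port), proto))


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def vpn_bypass_flows(lines):
    """Return flows that left via a non-tunnel interface to an external host while the VPN was up."""
    vpn_up = False
    alerts = []
    for ev in parse_events(lines):
        if ev[0] == "vpn":
            vpn_up = ev[2] == "up"
            continue
        flow = ev[1]
        if not vpn_up or flow.iface == VPN_IFACE:
            continue                      # tunnel down, or traffic correctly inside the tunnel
        if flow.dst == VPN_GATEWAY or is_internal(flow.dst):
            continue                      # the tunnel's own transport, or LAN traffic (DNS, gateway)
        alerts.append(flow)
    return alerts


def protocol_switching(alerts):
    """Group bypass flows by destination; keep destinations reached over more than one (proto, port)."""
    by_dst = {}
    for f in alerts:
        by_dst.setdefault(str(f.dst), set()).add((f.proto, f.port))
    return {d: sorted(v) for d, v in by_dst.items() if len(v) > 1}


def run_sample():
    alerts = vpn_bypass_flows(SAMPLE_LOG.splitlines())
    return alerts, protocol_switching(alerts)


if __name__ == "__main__":
    alerts, switching = run_sample()
    for f in alerts:
        print(f"BYPASS {f.ts} {f.iface} -> {f.dst}:{f.port}/{f.proto}")
    for dst, combos in switching.items():
        print(f"PROTOCOL SWITCHING to {dst}: {combos}")
```

In the sample the three flows to 198.51.100.7 are flagged and the destination is also reported for protocol switching, while the tunnel's own UDP transport, the LAN DNS lookup and the flow sent after the VPN dropped are left alone. A sanctioned split-tunnel configuration produces the same bypass signal, so in practice the allow-list of expected direct-egress destinations has to be built from the VPN policy before this rule is trusted.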
Listen to the podcast to find out how the APT group used “custom encryption” over the protocols to hide their activities.