MJ Emanuel

Cataloging Security Appliance Passive Backdoors

Can you trust your security appliances? Despite increased attention to edge device exploitation in nation-state campaigns, the specifics of the malware used to compromise these systems are often overlooked. This talk will provide a foundational overview of how passive backdoors function and, more importantly, a comparative analysis of already-disclosed passive backdoors used against security appliances in campaigns from the last five years, in order to identify shared attributes that may inform detection, hunting, and product hardening strategies.

The talk will focus on variants that target popular network device vendors, but will also show why other types of devices, such as hypervisors and network management devices, need to be scrutinized as well. It will also explore whether recurring techniques and artifacts can indicate common developers or toolchains behind ostensibly unrelated families. The talk includes a discussion of concrete detection opportunities that defenders and threat hunters can use to better protect against these types of threats.


MJ Emanuel is a threat intelligence analyst for the US government. Previously, she was an incident response analyst at the Cybersecurity and Infrastructure Security Agency (CISA) for five years, focusing on industrial control systems, threat intelligence, and forensics. She also teaches at the Alperovitch Institute at Johns Hopkins’ SAIS about critical infrastructure cybersecurity.