SecurityWeek

Application Security

Security Audit Discovered Coder Who Outsourced His Job to China

In a blog post examining cases from 2012, Verizon Business’ Andrew Valentine presented a tale of a critical infrastructure firm in the U.S. that called them in to investigate suspicious VPN connections to China. As it turns out, this was no complex hack, just a lazy developer – or a smart one, depending on how you view things.
Last year, Verizon Business was called in to assist a US-based company that had discovered strange activity while examining its VPN logs. While scanning the daily VPN connections, the company found an active link to its network from Shenyang, China.

“They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated. The company implemented two-factor authentication for these VPN connections, the second factor being a rotating token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming. The developer whose credentials were being used was sitting at his desk in the office,” the blog explained.

Naturally, the security team at this firm was shaken and assumed the worst – namely some type of “unknown malware that was able to route traffic from a trusted internal connection to China, and then back.” After all, the employee was sitting at his desk, and while the company had implemented a tele-work initiative, he wasn’t at home. When Verizon started looking deeper, they discovered the VPN access from China had been an ongoing thing, six months at least.
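The detection that started this case was a VPN log review that turned up a session from an unexpected country for a user who was physically in the building. The following is an added example (not code from the article or from Verizon) of that check: it correlates VPN logins from outside the expected countries with badge and workstation events for the same user inside a time window. The log formats, field names, users and addresses are constructed for the example.

```python
"""Flag VPN logins from an unexpected country that overlap with on-site
activity by the same user. Log formats and values are constructed."""
from datetime import datetime, timedelta

# Constructed sample logs (not from the article).
VPN_LOG = """\
2012-05-14T08:02:11Z user=jdoe src=203.0.113.7 geo=CN city=Shenyang event=vpn_login
2012-05-14T08:05:43Z user=asmith src=198.51.100.9 geo=US city=Denver event=vpn_login
2012-05-14T09:15:00Z user=bwong src=192.0.2.44 geo=CN city=Shanghai event=vpn_login
"""
ONSITE_LOG = """\
2012-05-14T07:58:30Z user=jdoe event=badge_in door=HQ-main
2012-05-14T08:30:12Z user=jdoe event=workstation_unlock host=WS-1042
2012-05-14T10:02:00Z user=asmith event=badge_in door=HQ-main
"""
EXPECTED_GEO = {"US"}        # countries from which VPN logins are expected
WINDOW = timedelta(hours=2)  # on-site events this close in time count as concurrent


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    rows = []
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        row = dict(f.split("=", 1) for f in fields)
        row["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def concurrent_onsite_vpn(vpn_log, onsite_log, expected_geo=EXPECTED_GEO, window=WINDOW):
    """Return (user, geo, city) for each VPN login from an unexpected country
    that has a badge or workstation event for the same user within the window.
    A foreign login with no matching on-site activity (bwong above) is not
    flagged by this rule; it belongs to a plain geo-allowlist check instead."""
    onsite = parse(onsite_log)
    hits = []
    for v in parse(vpn_log):
        if v.get("event") != "vpn_login" or v.get("geo") in expected_geo:
            continue
        if any(o["user"] == v["user"] and abs(o["ts"] - v["ts"]) <= window for o in onsite):
            hits.append((v["user"], v["geo"], v["city"]))
    return hits


if __name__ == "__main__":
    for user, geo, city in concurrent_onsite_vpn(VPN_LOG, ONSITE_LOG):
        print(f"ALERT: {user} has a VPN session from {city}, {geo} while active on-site")
```

The rule only fires when the two evidence sources disagree, which is what makes a credential that is technically valid (password plus hardware token) still look wrong.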

They took an image of the employee’s system and discovered invoices to a firm in Shenyang, and evidence that he had used FedEx to ship them his RSA token. According to the forensic work, the employee started his day by surfing Reddit, then after a few hours he would take lunch. In the afternoon, he shopped on eBay, updated Facebook and LinkedIn, before sending his bosses a daily status report before going home.

“All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building,” Valentine wrote.

“We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers’ systems to off-shore firms seems dangerous at best,” said Nick Cavalancia, VP, SpectorSoft.

“What many organizations fail to understand is that with effective, proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident,” Cavalancia said.
