Researchers found threat actors in China are using a VPN provider to obfuscate and anonymize attacks. How do these attacks work, and what can enterprises or security firms do, if anything, to mitigate them?
Attackers have been obfuscating their source IP address for as long as the Internet has been around. Some legitimate users also want to obfuscate their source IP address, whether to protect their privacy or to access content limited to IP addresses from certain networks or regions. Attackers have typically used compromised devices on the Internet as a jumping-off point to hide their source IP address and slow an investigation. They might chain multiple compromised devices to prevent detection, or use a compromised device in a foreign country to make identifying the source of an attack more difficult. Add these tactics to using Tor, and it becomes very difficult to identify an attacker's source IP address.
In this specific attack, RSA Security reported that attackers were using compromised Windows servers to set up a VPN service called Terracotta. A vulnerable Windows server is identified, compromised and quickly turned into a VPN node.
Enterprises have a couple of options for protecting their networks from attacks that come through the Terracotta VPN. They can use a firewall, intrusion prevention system or other security tool that incorporates threat intelligence into its network detection capabilities, and then block or carefully limit the sources of suspicious traffic -- which in this case would be the Terracotta VPN nodes. Blocking all legitimate VPN services is probably going overboard, and there appears to be some legitimate use of Terracotta VPN services for privacy protection within China, but those instances of legitimate use don't justify allowing Terracotta connections into an enterprise network.
The good news is that RSA researchers said the operators of the Terracotta VPN "are not using sophisticated methods" to harvest nodes for the service. Enterprises can therefore also prevent their own systems from being recruited as Terracotta nodes through basic security hygiene practices such as implementing firewalls, strong passwords and consistent patching policies. These steps will prevent systems from being compromised and added to the Terracotta VPN.
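As an added illustration of the threat-intelligence-driven blocking described above (example code, not from the page or from RSA), the following Python script matches the source addresses in firewall log lines against a node list and collapses the hits into a deny list. The node addresses, the feed and the log format are all constructed placeholders; a real deployment would load a vendor feed and parse the firewall's actual log format.

```python
import ipaddress
import re

# Constructed threat-intelligence feed standing in for a list of Terracotta
# VPN exit nodes. These are RFC 5737 documentation ranges, not real nodes.
TERRACOTTA_NODES = [
    "198.51.100.0/24",   # placeholder: a block of harvested Windows servers
    "203.0.113.7",       # placeholder: a single node
]

# Constructed firewall log lines in a simplified key=value format (not a
# real vendor format). Only the src=/dst=/dport= fields are used.
SAMPLE_LOG = """\
2015-08-04T10:01:02Z action=allow src=198.51.100.23 dst=10.0.0.5 dport=443
2015-08-04T10:01:05Z action=allow src=192.0.2.10 dst=10.0.0.5 dport=443
2015-08-04T10:01:09Z action=allow src=203.0.113.7 dst=10.0.0.8 dport=3389
2015-08-04T10:02:11Z action=allow src=198.51.100.200 dst=10.0.0.8 dport=22
2015-08-04T10:02:30Z action=allow src=192.0.2.44 dst=10.0.0.9 dport=80
"""

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def load_feed(entries):
    """Normalise feed entries to networks so single IPs and CIDRs match alike."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_feed(feed, log_text):
    """Return {src_ip: [dst:dport, ...]} for lines whose source is in the feed."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the run
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in feed):
            hits.setdefault(str(src), []).append(f'{m["dst"]}:{m["dport"]}')
    return hits


def build_blocklist(hits):
    """Collapse matched sources into the smallest set of networks for a deny rule."""
    nets = [ipaddress.ip_network(ip) for ip in hits]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    found = match_feed(load_feed(TERRACOTTA_NODES), SAMPLE_LOG)
    for src, targets in found.items():
        print(f"{src} -> {', '.join(targets)}")
    print("deny:", build_blocklist(found))
```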
Related Q&A from Nick Lewis