Researchers found threat actors in China are using a VPN provider to obfuscate and anonymize attacks. How do these attacks work, and what can enterprises or security firms do, if anything, to mitigate them?
Attackers have been obfuscating their source IP address for as long as the Internet has been around. Some legitimate users also want to obfuscate their source IP address, either to protect their privacy or to access content limited to IP addresses from certain networks or regions. Attackers have typically used compromised devices on the Internet as a jumping-off point to hide their source IP address and slow an investigation. They might chain multiple compromised devices to prevent detection, or use a compromised device in a foreign country to make it more difficult to identify the source of an attack. Add these tactics to using Tor, and it becomes very difficult to identify an attacker's source IP address.
In this specific attack, RSA Security reported attackers were using compromised Windows servers to set up a VPN service called Terracotta. A vulnerable Windows server is identified, then compromised and quickly turned into a VPN node.
Enterprises have a couple of options for protecting their network from attacks using the Terracotta VPN. They can use a firewall, intrusion prevention system or some other security tool that incorporates threat intelligence into its network detection capabilities, and then block or carefully limit the sources of suspicious traffic -- which in this case would be the Terracotta VPN nodes. Blocking all legitimate VPN services is probably going overboard, and there appears to be some legitimate usage of Terracotta VPN services for privacy protection within China, but those instances of legitimate use don't justify allowing Terracotta connections into an enterprise network.
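As an added example of the threat-intelligence matching described above (this is not code from the article or from RSA), the following Python script checks firewall connection logs against a feed of suspicious source networks and reports which connections came from a listed range. The log format, the feed entries and the IP ranges are all constructed for the example; the ranges are RFC 5737 documentation addresses, not real Terracotta VPN infrastructure, which an enterprise would take from its threat-intelligence provider.

```python
"""Match firewall connection logs against a threat-intelligence blocklist.

Added example, not from the article or RSA. The log format, the indicator
feed and every IP address below are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter

# Constructed threat-intel feed: CIDR ranges and single hosts that a feed
# might publish for a VPN exit-node network. RFC 5737 TEST-NET ranges are
# used so these can never be routed on the real Internet.
THREAT_INTEL = {
    "198.51.100.0/24": "vpn-exit-nodes (constructed placeholder)",
    "203.0.113.7/32": "vpn-exit-node (constructed placeholder)",
    "not-a-network": "malformed feed entry (constructed placeholder)",
}

# Constructed firewall log lines in a simple key=value style.
SAMPLE_LOG = """\
ts=2015-08-05T10:01:02Z action=allow src=198.51.100.23 dst=10.0.0.5 dport=443
ts=2015-08-05T10:01:05Z action=allow src=192.0.2.44 dst=10.0.0.5 dport=443
ts=2015-08-05T10:02:11Z action=allow src=203.0.113.7 dst=10.0.0.9 dport=3389
ts=2015-08-05T10:02:30Z action=allow src=192.0.2.44 dst=10.0.0.9 dport=22
ts=2015-08-05T10:03:00Z action=allow src=not-an-ip dst=10.0.0.9 dport=22
this line is not in the expected format
"""

LOG_RE = re.compile(r"ts=(\S+) action=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def load_intel(feed):
    """Compile the feed into (network, label) pairs, skipping malformed entries
    so one bad indicator cannot disable detection for the whole feed."""
    compiled = []
    for cidr, label in feed.items():
        try:
            compiled.append((ipaddress.ip_network(cidr, strict=False), label))
        except ValueError:
            continue
    return compiled


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)}


def lookup(src, intel):
    """Return the label of the first indicator containing src, or None."""
    addr = ipaddress.ip_address(src)  # raises ValueError for a bad address
    for net, label in intel:
        if addr in net:
            return label
    return None


def triage(log_text, feed=THREAT_INTEL):
    """Scan log_text and return (alerts, summary).

    alerts  : list of parsed records whose source matched an indicator
    summary : Counter of matched / clean / bad_src / unparsed line counts
    """
    intel = load_intel(feed)
    alerts = []
    summary = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1  # keep count so parser drift is visible
            continue
        try:
            label = lookup(rec["src"], intel)
        except ValueError:
            summary["bad_src"] += 1  # unmatchable source, flag for review
            continue
        if label is None:
            summary["clean"] += 1
            continue
        rec["indicator"] = label
        alerts.append(rec)
        summary["matched"] += 1
    return alerts, summary


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} src={a['src']} -> {a['dst']}:{a['dport']} hit {a['indicator']}")
    print(dict(counts))
```

The unparsed and bad_src counters matter in practice: a feed or log format change that silently drops every line would otherwise look identical to a clean network, so a detection job should alert when those counts climb, not only when indicators match.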
The good news is that RSA researchers said the operators of the Terracotta VPN "are not using sophisticated methods" to harvest nodes for the service. Therefore, enterprises can also prevent their systems from being used as a node in Terracotta through basic security hygiene practices like implementing firewalls, strong passwords and consistent patching policies. These steps will prevent systems from being compromised and added to the Terracotta VPN.
Related Q&A from Nick Lewis