
How can the Terracotta VPN attacks be detected?

Threat actors in China are using VPN services to hide and anonymize their attacks. Expert Nick Lewis explains how to get a handle on these VPN-enabled threats.

Researchers found threat actors in China are using a VPN provider to obfuscate and anonymize attacks. How do these attacks work, and what can enterprises or security firms do, if anything, to mitigate them?

Attackers have been obfuscating their source IP address for as long as the Internet has been around. Some legitimate users also want to obfuscate their source IP address to protect their privacy or to access content limited to IP addresses from certain networks or regions. Attackers have typically used compromised devices on the Internet as a jumping-off point to hide their source IP address and slow an investigation. Attackers might chain multiple compromised devices to prevent detection, and they might use a compromised device in a foreign country to make it more difficult to identify the source of an attack. Add these tactics to using Tor, and it becomes very difficult to identify a source IP address for an attacker.

In this specific attack, RSA Security reported attackers were using compromised Windows servers to set up a VPN service called Terracotta. A vulnerable Windows server is identified, then compromised and quickly turned into a VPN node.

Enterprises have a couple of options for protecting their network from attacks using the Terracotta VPN. They can use a firewall, intrusion prevention system, or some other security tool that incorporates threat intelligence into its network detection capabilities, and then block or carefully limit the sources of suspicious traffic -- which in this case would be the Terracotta VPN nodes. Blocking legitimate VPN services in general is probably going overboard, and there appears to be some legitimate use of Terracotta VPN services for privacy protection within China, but those instances of legitimate use don't justify allowing Terracotta connections into an enterprise network.
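The threat-intelligence matching described above, as an added example that is not from the article or from RSA: it checks firewall log lines against a feed of known VPN exit nodes. The feed entries, log format and addresses (RFC 5737 documentation ranges) are constructed placeholders; a real deployment would load the vendor's published indicator list.

```python
import ipaddress
import re
from typing import Iterable

# Constructed threat-intelligence feed: indicator -> label. The addresses are
# documentation ranges standing in for Terracotta node IPs, not real indicators.
TERRACOTTA_NODES = {
    "203.0.113.0/24": "terracotta-vpn-egress",
    "198.51.100.77": "terracotta-vpn-egress",
}

# Constructed firewall log format:
#   "<ts> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def load_indicators(feed: dict) -> list:
    """Normalise feed entries to (network, label) so single IPs and CIDRs match alike."""
    return [(ipaddress.ip_network(k, strict=False), v) for k, v in feed.items()]

def match_source(src: str, indicators: list):
    """Return the label of the first indicator network containing src, or None."""
    addr = ipaddress.ip_address(src)
    for net, label in indicators:
        if addr in net:
            return label
    return None

def flag_connections(lines: Iterable[str], feed: dict = TERRACOTTA_NODES) -> list:
    """Return (ts, src, dst, dport, action, label) for every line whose source
    matches the feed; malformed lines are skipped rather than raising."""
    indicators = load_indicators(feed)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = match_source(m["src"], indicators)
        if label:
            hits.append((m["ts"], m["src"], m["dst"], int(m["dport"]), m["action"], label))
    return hits

# Constructed sample log: two hits (one allowed, one denied), one clean host, one bad line.
SAMPLE_LOG = [
    "2016-02-01T10:00:01Z src=203.0.113.45 dst=10.0.0.5 dport=443 action=allow",
    "2016-02-01T10:00:02Z src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow",
    "2016-02-01T10:00:03Z src=198.51.100.77 dst=10.0.0.8 dport=22 action=deny",
    "not a firewall line",
]
```

Hits with action=allow are the ones worth escalating: they show VPN-node traffic the perimeter let through.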

The good news is, RSA researchers said the operators of the Terracotta VPN "are not using sophisticated methods" to harvest nodes for the service. Therefore, enterprises can also prevent their systems from being used as a node in Terracotta by using basic security hygiene practices like implementing firewalls, strong passwords and consistent patching policies. These steps will prevent systems from being compromised and added to the Terracotta VPN system.


This was last published in February 2016
