Researchers found threat actors in China are using a VPN provider to obfuscate and anonymize attacks. How do these...
attacks work, and what can enterprises or security firms do, if anything, to mitigate them?
Attackers have been obfuscating their source IP address for as long as the Internet has been around. Some legitimate users even want to obfuscate their source IP address to protect their privacy or to access content limited to IP addresses from certain networks or regions. Attackers have typically used compromised devices on the Internet as a jumping off point to hide their source IP address and slow an investigation. Attackers might even use multiple compromised devices to prevent detection. They might even use a compromised device in a foreign country to make it more difficult to identify the source of an attack. Add these tactics to using Tor, and it becomes very difficult to identify a source IP address for an attacker.
In this specific attack, RSA Security reported attackers were using compromised Windows servers to setup a VPN service called Terracotta. A vulnerable Windows server is identified, then compromised and quickly turned into a VPN node.
Enterprises have a couple of options for protecting their network from attacks using the Terracotta VPN. They can use a firewall, intrusion prevention system, or some other security tool that incorporates threat intelligence into the network detection capabilities, and then blocking or carefully limiting the sources of suspicious traffic -- which in this case would be the Terracotta VPN. Blocking legitimate VPN services is probably going overboard, and there appears to be some legitimate usage of Terracotta VPN services for privacy protection within China, but the instances of legitimate use doesn't justify allowing Terracotta connections into an enterprise network.
The good news is, RSA researchers said the operators of the Terracotta VPN "are not using sophisticated methods" to harvest nodes for the service. Therefore, enterprises can also prevent their systems from being used as a node in Terracotta by using basic security hygiene practices like implementing firewalls, strong passwords and consistent patching policies. These steps will prevent systems from being compromised and added to the Terracotta VPN system.
Discover how to adapt your security program to address emerging threats
Find out about the risks and rewards of cybervigilantes and Wifatch
Read more for lessons learned from the Conficker botnet
Dig Deeper on VPN security
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading