Researchers found threat actors in China are using a VPN provider to obfuscate and anonymize attacks. How do these attacks work, and what can enterprises or security firms do, if anything, to mitigate them?
Attackers have been obfuscating their source IP address for as long as the Internet has been around. Some legitimate users even want to obfuscate their source IP address to protect their privacy or to access content limited to IP addresses from certain networks or regions. Attackers have typically used compromised devices on the Internet as a jumping-off point to hide their source IP address and slow an investigation. Attackers might even chain multiple compromised devices to prevent detection, or use a compromised device in a foreign country to make it more difficult to identify the source of an attack. Add these tactics to using Tor, and it becomes very difficult to identify an attacker's source IP address.
In this specific attack, RSA Security reported attackers were using compromised Windows servers to set up a VPN service called Terracotta. A vulnerable Windows server is identified, then compromised and quickly turned into a VPN node.
Enterprises have a couple of options for protecting their network from attacks using the Terracotta VPN. They can use a firewall, intrusion prevention system, or some other security tool that incorporates threat intelligence into its network detection capabilities, and then block or carefully limit the sources of suspicious traffic -- which in this case would be the Terracotta VPN nodes. Blocking all legitimate VPN services is probably going overboard, and there appears to be some legitimate usage of Terracotta VPN services for privacy protection within China, but those instances of legitimate use don't justify allowing Terracotta connections into an enterprise network.
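As an added illustration of the threat-intelligence matching described above (example code written for this page, not from the original answer or from RSA's research), this script checks firewall log records against an indicator list of VPN node addresses and reports which internal services those sources reached. The node addresses and log lines are constructed placeholders drawn from documentation ranges, not real Terracotta indicators.

```python
import ipaddress
from collections import Counter

# Constructed placeholder indicator list. In practice this would be the
# threat-intelligence feed of known Terracotta VPN node addresses; these
# are documentation/reserved ranges, not real indicators.
TERRACOTTA_NODES = ["192.0.2.0/24", "198.51.100.7", "203.0.113.0/28"]

# Constructed sample firewall log lines (syslog-like, not a real product format).
SAMPLE_LOG = """\
2015-08-04T10:01:02Z fw01 allow src=198.51.100.7 dst=10.0.0.5 dport=443
2015-08-04T10:01:05Z fw01 allow src=203.0.113.9 dst=10.0.0.5 dport=22
2015-08-04T10:01:09Z fw01 allow src=192.0.2.77 dst=10.0.0.8 dport=3389
2015-08-04T10:01:12Z fw01 allow src=198.51.100.200 dst=10.0.0.5 dport=53
2015-08-04T10:02:30Z fw01 allow src=203.0.113.200 dst=10.0.0.5 dport=443
"""

def load_indicators(entries):
    """Parse indicator strings into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def parse_line(line):
    """Extract key=value fields from one log line; returns a dict or None."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    if not tokens or "src" not in fields:
        return None
    fields["ts"] = tokens[0]
    return fields

def match_indicators(log_text, indicators):
    """Return (timestamp, src, dport, matched_network) for every hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        for net in indicators:
            if src in net:
                hits.append((rec["ts"], rec["src"], rec.get("dport"), str(net)))
                break
    return hits

def summarize(hits):
    """Count hits per destination port: which services the VPN nodes reached."""
    return Counter(h[2] for h in hits)

if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOG, load_indicators(TERRACOTTA_NODES))
    for ts, src, dport, net in found:
        print(f"{ts} ALERT src={src} dport={dport} matched={net}")
    print(dict(summarize(found)))
```

The same matching logic can drive a block rule or a rate limit on the firewall itself; the log-review form shown here is the retrospective check for connections that were already allowed through.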
The good news is, RSA researchers said the operators of the Terracotta VPN "are not using sophisticated methods" to harvest nodes for the service. Therefore, enterprises can also prevent their systems from being used as a node in Terracotta by using basic security hygiene practices like implementing firewalls, strong passwords and consistent patching policies. These steps will prevent systems from being compromised and added to the Terracotta VPN system.