Internet Proxy Servers, VPN and Ransomware: Beware!

[fa icon="long-arrow-left"] Back to all posts

[fa icon="pencil'] Posted by Jeff Wilkinson [fa icon="calendar"] December 14, 2016

Proxy servers and VPN services are an important feature for today’s mobile business to adapt. They allow users to remotely access the company network when working from a virtual office. They can also open the door to a malicious attack if not properly managed and allowed to users in limited form. Here’s a breakdown of what you need to know and how your company can protect itself from ransomware like CryptoLocker and the newest incarnation, Cerber.

CryptoLocker is a Trojan ransomware that allegedly encrypts files on an affected system and demands ransom for recovering the data back.

Techopedia

The Good:

A defined proxy for use by your company can provide added protection from blacklisted sites (AKA malicious sites), as well as enforcing company policy for appropriate sites that a user can visit if it is also filtering the traffic.

A proxy server, also known as a "proxy" or "application-level gateway", is a computer that acts as a gateway between a local network (e.g., all the computers at one company or in one building) and a larger-scale network such as the Internet. Proxy servers provide increased performance and security. In some cases, they monitor employees' use of outside resources.

Indiana University

The Bad:

The downside to allowing just any proxy or VPN to be used outside of your office is that many are malicious. This shouldn’t come as a surprise, but free services aren’t always run by upstanding citizens. Rather they are hoping unsuspecting users will funnel all of their traffic through the service so it can be monitored much like a Man in the Middle Attack.

The other issue in allowing all proxy services through your company’s firewall is that users can get around URL and DNS filtering that blocks malicious sites. A VPN service out of your environment works much the same, preventing the company policies and protections from being enforced. 

Proxies are used for a number of reasons such as to filter web content, to go around restrictions such as parental blocks, to screen downloads and uploads and to provide anonymity when surfing the internet.

WhatIsMyIP.com

The Ugly:

The newest variant of ransomware spam spreading via proxy/VPN services is Cerber. This ransomware is using TOR2Web (a proxy service that also provides anonymity for the users IP) and Google redirection services to retrieve the malicious code and install it on your systems, encrypt your files, then demand a Bitcoin ransom to unlock access to your files.

The Cerber ransomware is distributed via spam email containing infected attachments or links to malicious websites. Cyber-criminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx. The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made. Either way, you can’t resist being curious as to what the email is referring to – and open the attached file (or click on a link embedded inside the email). And with that, your computer is infected with the Cerber ransomware.

 —Malware Tips

ransomeware-cerber.jpg

You can also read more about Cerber on Cisco’s Talos group blog, which investigates ongoing threats spreading on the internet.

Cerber is certainly a nasty twist to the ransomware and CryptoLocker mess we’ve been battling all year. Even if companies are diligently blacklisting new malicious sites that host CryptoLocker code and not allowing users to go there even if they click on spam link, with TOR2Web the malicious Cerber spam is anonymous—something that can’t be blacklisted because the IP always changes in the proxy.

The Solution:

Our recommendation to protect company devices on your network is to block all proxies but those the company approves for traffic out of your network and to allow only VPN connections initiated inside your network to go to approved VPN endpoints. This disables this latest twist in spreading malware, as well as ensures your company policies are being enforced. 

Is your business's data and sensitive information safe? Contact Us  for a consultation and learn more about how our security solutions can protect you and your end users from data, email, internet and mobile security threats.

Topics: Email Security, Data Security, Information Security

Jeff Wilkinson
Written by Jeff Wilkinson

Jeff is Lewan's Information Security Officer.

  • View & Submit Comments

[fa icon="envelope"] Subscribe to Email Updates



[fa icon="comments-o"] Follow us

Get even more great content, photos, event info and industry news.