All of the servers that were taken over sat outside hardware firewalls, and none of them had the Windows Firewall running. The attackers also found machines that were peripheral to companies' main lines of business and weren't as well protected as other resources. For example, a large hotel chain had servers in its development system compromised because they weren't part of the chain's regular monitoring program and IT wasn't paying a lot of attention to them, he says.
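The two gaps described above, a host firewall that is switched off and servers that nobody is watching, are the kind of thing an administrator can inventory quickly. The following PowerShell audit is an added example, not code from the article or from RSA's report; it assumes a Windows Server 2012 or later host with the built-in NetSecurity module and reports each firewall profile that is disabled or that allows inbound traffic by default.

```powershell
# Added example (not from the Computerworld article or RSA's Terracotta report).
# Audits the host-based Windows Firewall state on a server: one row per
# profile (Domain, Private, Public), flagged when the profile is disabled or
# its default inbound action is Allow. Requires the NetSecurity module
# (Windows Server 2012 / Windows 8 and later).

function Get-FirewallAudit {
    foreach ($p in Get-NetFirewallProfile) {
        # Enabled is a GpoBoolean enum (True/False/NotConfigured); compare by name
        # so that NotConfigured is not mistaken for "on".
        $enabled = ($p.Enabled -eq 'True')

        $finding = if (-not $enabled) { 'FIREWALL_DISABLED' }
                   elseif ($p.DefaultInboundAction -eq 'Allow') { 'INBOUND_DEFAULT_ALLOW' }
                   else { 'OK' }

        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            Profile        = $p.Name
            Enabled        = $enabled
            InboundDefault = $p.DefaultInboundAction
            Finding        = $finding
        }
    }
}

# Local run: print the table and exit non-zero if anything is flagged, so the
# script can sit in a scheduled job or a monitoring check.
$results = Get-FirewallAudit
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Finding -ne 'OK' }) { exit 1 }
```

To sweep a fleet rather than one box, run the same function remotely, for example `Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-FirewallAudit}`; the `ComputerName` column then shows which hosts, including forgotten development servers, are the ones with the firewall off. The check covers only the host firewall; whether a server sits behind a hardware firewall, or inside the monitoring program, has to be verified against the network and monitoring inventory.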
RSA attributes much of the malicious activity running over Terracotta to groups in China that can be identified by the common tactics they use to plant advanced persistent threats. He says it's the first time he's seen these particular groups, including the one known as Shell Crew/Deep Panda, paying to use a commercially available VPN as a delivery mechanism for their malware.