Dark Reading is part of the Informa Tech Division of Informa PLC

Terracotta VPN Piggybacks On Network Of Compromised Windows Servers

APT groups use this VPN service to launch attacks against organizations around the world.

A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.

Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that many of its servers are actually Windows systems in small businesses and other organizations with limited IT staff, which have been compromised and commandeered into the network.

While there are some servers owned by Terracotta, most of the infrastructure consists of servers in China, South Korea, Japan, the United States, and some countries in Eastern Europe. Victims include a Fortune 500 hotel chain, a hi-tech manufacturer, a law firm, a doctor's office, school and university systems, and a county government for an unidentified U.S. state, the report found.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA researchers wrote in the report.

There are “three classes of victims” affected by Terracotta, says Peter Beardmore, senior consultant for threat intelligence at RSA. The first class is the consumers who purchase Terracotta thinking it is a legitimate VPN service. The second is the more than 300 companies whose servers have been compromised for Terracotta's purposes, and the third is the organizations the attack groups are targeting.

The attack groups launch their operations through the VPN service, thus obscuring their origins. The traffic appears to be coming from legitimate IP addresses from organizations with good reputations, making it difficult for victim organizations to identify the attack.

No one would suspect traffic from a school district of being part of an advanced persistent attack, Beardmore says.

A charter school was one of the organizations whose servers inadvertently became part of Terracotta, Beardmore says. The school's IT staff had noticed that server performance had slowed, but was unaware the server had been compromised. The staff was about to increase its Internet bandwidth five-fold when RSA informed the school that the Web server had 50,000 IP addresses connecting through it. Once the server was cleaned up, performance went back to normal and the school did not have to invest in the extra bandwidth, Beardmore says.

One of the attack groups, known as both Shell_Crew and Deep Panda, appears to use Terracotta regularly, RSA's report found. Deep Panda is believed to have been behind the attacks on the U.S. Department of Labor in 2013 and other high-profile targets. However, there is nothing to indicate the operators behind Terracotta are actually affiliated with Deep Panda or any of the other APT groups who use the service, Beardmore says. Terracotta appears to be a commercial service being marketed to criminal organizations.

Criminals renting servers and networks to launch their attacks is nothing new. What's new is the commercial nature of the Terracotta operation, Beardmore says. Previously, these services were marketed on underground forums and on criminal marketplaces. They weren't openly marketed, nor were the providers operating as a full-fledged enterprise. Terracotta is marketed under several different brands and websites but is run by a single entity.

Terracotta is a commercial enterprise, but not a legitimate one, Beardmore says. Terracotta's illicit method of harvesting servers belonging to other organizations to build up its infrastructure shows it is not some business which attack groups are co-opting for nefarious purposes.

Terracotta “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world,” the researchers wrote in the report.

Attack groups would be attracted to Terracotta's model because the VPN service reduces the cost of launching their attacks. Renting virtual private servers is not difficult, considering a high-quality VPS with sufficient power for use as a VPN node can be leased for as little as $5 per month in the US, the report found. However, VPNs, which the attack groups need to mask their activities and origins, tend to be bandwidth-intensive, and most VPS providers charge for bandwidth use. With that in mind, signing up for a VPN service such as Terracotta “would significantly affect operating expenses,” the researchers wrote.

Terracotta uses a very simple, yet effective, method for harvesting servers. When it finds a target Windows server, it uses a brute-force attack to crack an administrator's password. Once in, it disables the Windows firewall and any other security software running, and then installs a remote access Trojan. Finally, it creates a new account on the server and installs Windows VPN services. The researchers currently have a working theory that Terracotta's team is finding target servers by just going sequentially down the IP address space, Beardmore says.
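The takeover sequence described above leaves a recognizable trail in a Windows Security log, and the following Python script (an added example, not code from the article or from RSA's report) shows how a defender would flag it: a burst of failed logons (event 4625) from one source, a successful logon (4624) from that same source, and then a firewall service stop (5025), account creation (4720) and service installation (4697) on the host shortly after. The event IDs are the standard Windows auditing IDs; the sample records, the thresholds and the account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log records, not from the report or the article:
# (timestamp, event_id, source_ip, account). Event IDs are standard Windows auditing IDs:
# 4625 failed logon, 4624 logon, 5025 firewall service stopped, 4720 account created,
# 4697 service installed.
SAMPLE_EVENTS = [
    (datetime(2015, 8, 1, 2, 0, i), 4625, "203.0.113.9", "administrator")
    for i in range(25)                                                      # guessing burst
] + [
    (datetime(2015, 8, 1, 2, 1, 0), 4624, "203.0.113.9", "administrator"),  # guess succeeds
    (datetime(2015, 8, 1, 2, 3, 0), 5025, "-", "SYSTEM"),                   # firewall stopped
    (datetime(2015, 8, 1, 2, 4, 0), 4720, "-", "vpnsvc"),                   # new local account
    (datetime(2015, 8, 1, 2, 5, 0), 4697, "-", "administrator"),            # service installed
    (datetime(2015, 8, 1, 9, 0, 0), 4624, "192.0.2.5", "jsmith"),           # ordinary logon
]

FAIL, SUCCESS = 4625, 4624
POST_COMPROMISE = {5025: "firewall stopped", 4720: "account created", 4697: "service installed"}


def brute_force_sources(events, threshold=20, window=timedelta(minutes=5)):
    """Map each source IP with >= threshold failed logons inside one sliding
    window to the time the threshold was first crossed."""
    recent, flagged = defaultdict(deque), {}
    for t, eid, ip, _ in sorted(events):
        if eid != FAIL:
            continue
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = t
    return flagged


def takeover_chains(events, threshold=20, window=timedelta(minutes=5),
                    follow=timedelta(hours=1)):
    """For each successful logon from a brute-forcing source, list which
    post-compromise steps appear on the host within `follow` of that logon."""
    events = sorted(events)
    flagged = brute_force_sources(events, threshold, window)
    findings = []
    for t, eid, ip, acct in events:
        if eid == SUCCESS and ip in flagged and t >= flagged[ip]:
            steps = sorted({POST_COMPROMISE[e] for t2, e, _, _ in events
                            if e in POST_COMPROMISE and t <= t2 <= t + follow})
            findings.append({"source": ip, "account": acct, "logon": t, "steps": steps})
    return findings
```

A real deployment would feed parsed event-log exports into `takeover_chains` and alert on any finding whose `steps` list is non-empty; the ordinary logon from a second address is deliberately left unflagged.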

RSA has notified many of the U.S.-based victims whose servers were compromised by Terracotta, and most have been cleaned up. RSA is also publishing the malicious IP addresses and domain names it has identified as part of Terracotta's network to its threat intelligence service. One of the domains was identified in the report: 8800free[dot]info. Any Web servers connecting to this domain should be considered compromised, the report said.

The big lesson here for organizations is that even unimportant servers need basic levels of protection, RSA said in its report. Even if the organization decides a server doesn't contain any valuable data or doesn't connect to sensitive systems, it should still protect that server so that attackers don't commandeer it for illegal purposes. Machines can be used in botnets for spam and distributed denial of service attacks. Attackers can rent compromised servers to run their own software. Or, in the case of Terracotta, servers can be used to steal bandwidth from organizations.


Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.
 

Comments

Kelly Jackson Higgins, User Rank: Strategist, 8/5/2015 | 2:57:14 PM
Re: Your link is invalid
Link has now been fixed. Thanks!

SgS125, User Rank: Ninja, 8/5/2015 | 12:22:21 PM
Your link is invalid
Your link for more information goes here:

https://mail.cmp.com/owa/redir.aspx?SURL=G85b9ymvBb4nqK1WyWguVxMc4roqPIj7lFgrb0_HBUxQxRtvp53SCGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAHMALgByAHMAYQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwAyADAAMQA1AC8AMAA4AC8AVABlAHIAcgBhAGMAbwB0AHQAYQAtAFYAUABOAC0AUgBlAHAAbwByAHQALQBGAGkAbgBhAGwALQA4AC0AMwAuAHAAZABmAA..&URL=https%3a%2f%2fblogs.rsa.com%2fwp-content%2fuploads%2f2015%2f08%2fTerracotta-VPN-Report-Final-8-3.pdf

Which appears to be an Exchange web access login page.

For a deeper dive into this topic, see what Krebs wrote.

bricksteen, User Rank: Apprentice, 8/4/2015 | 11:33:58 PM
no doubt
It's one of which most different levels of consumers use for different reasons but I wonder if a lot of people use ironsocket (https://ironsocket.com). I've been using this since last year and no doubt! It gives 100% security from any other.