Dark Reading is part of the Informa Tech Division of Informa PLC


Terracotta VPN Piggybacks On Network Of Compromised Windows Servers

APT groups use this VPN service to launch attacks against organizations around the world.

A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.

Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that many of its nodes are actually Windows servers belonging to small businesses and other organizations with limited IT staff, which have been compromised and commandeered into the network.

While Terracotta owns some of its own servers, most of the infrastructure consists of commandeered servers located in China, South Korea, Japan, the United States, and some countries in Eastern Europe. Victims include a Fortune 500 hotel chain, a hi-tech manufacturer, a law firm, a doctor's office, school and university systems, and a county government in an unidentified U.S. state, the report found.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA researchers wrote in the report.

There are "three classes of victims" affected by Terracotta, says Peter Beardmore, senior consultant for threat intelligence at RSA. The first class is the consumers who purchase Terracotta believing it to be a legitimate VPN service. The second is the more than 300 organizations whose servers have been compromised for Terracotta's purposes, and the third is the organizations the attack groups target through the service.

The attack groups launch their operations through the VPN service, thus obscuring their origins. The traffic appears to come from legitimate IP addresses belonging to organizations with good reputations, making it difficult for targeted organizations to recognize the activity as an attack.

No one would suspect traffic from a school district as being part of an advanced persistent attack activity, Beardmore says.

A charter school was one of the organizations whose servers inadvertently became part of Terracotta, Beardmore says. The school's IT staff had noticed that server performance had slowed, but was unaware the server had been compromised. The staff was about to increase its Internet bandwidth five-fold when RSA informed the school that its Web server had 50,000 IP addresses connecting through it. Once the server was cleaned up, performance returned to normal and the school did not have to pay for the extra bandwidth, Beardmore says.

One attack group, tracked as both Shell_Crew and Deep Panda, appears to use Terracotta regularly, RSA's report found. Deep Panda is believed to have been behind the attacks on the U.S. Department of Labor in 2013 and other high-profile targets. However, there is nothing to indicate that the operators behind Terracotta are actually affiliated with Deep Panda or any of the other APT groups that use the service, Beardmore says. Terracotta appears to be a commercial service marketed to criminal organizations.

Criminals renting servers and networks to launch their attacks is nothing new. What's new is the commercial nature of the Terracotta operation, Beardmore says. Previously, such services were marketed on underground forums and criminal marketplaces; they were neither openly advertised nor run as a full-fledged enterprise. Terracotta is marketed under several different brands and websites but is run by a single entity.

Terracotta is a commercial enterprise, but not a legitimate one, Beardmore says. Its illicit method of harvesting servers belonging to other organizations to build out its infrastructure shows that it is not simply a lawful business which attack groups happen to be co-opting for nefarious purposes.

Terracotta “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world,” the researchers wrote in the report.

Attack groups would be attracted to Terracotta's model because the VPN service reduces the cost of launching their attacks. Renting virtual private servers is not difficult; a high-quality VPS with sufficient capacity to serve as a VPN node can be leased for as little as $5 per month in the US, the report found. However, the VPNs that attack groups need to mask their activities and origins tend to be bandwidth-intensive, and most VPS providers charge for bandwidth. Using a service such as Terracotta, where the bandwidth bill falls on the compromised server's owner, therefore "would significantly affect operating expenses," the researchers wrote.

Terracotta uses a very simple, yet effective, method for harvesting servers. When it finds a target Windows server, it brute-forces an administrator password. Once in, it disables the Windows firewall and any other security software running, and then installs a remote access Trojan. Finally, it creates a new account on the server and installs the Windows VPN services. The researchers' current working theory is that Terracotta's operators find target servers by simply scanning sequentially through the IP address space, Beardmore says. The report does not say which exposed service the password guessing is aimed at, so defenders should treat any Internet-facing administrative logon surface on a Windows server as in scope.

RSA has notified many of the U.S.-based victims whose servers were compromised by Terracotta, and most have been cleaned up. RSA is also publishing the malicious IP addresses and domain names it has identified as part of Terracotta's network through its threat intelligence service. One domain is named in the report itself: 8800free[dot]info. Any Web server connecting to this domain should be considered compromised, the report said.
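The harvesting chain described above (password brute force, firewall disabled, new local account, VPN services installed) and the single published domain indicator together give a defender something concrete to hunt for. The following is an added example written for this page, not RSA's tooling or anything from the report: it walks a set of Windows event records looking for a burst of failed logons (event 4625) followed by a successful logon from the same source (4624) and then, within a day, the firewall service stopping (5025), a local account being created (4720) or a new service being installed (7045), and it separately checks resolver logs for the named domain. The event IDs are standard Windows ones; the 20-failures-in-10-minutes threshold, the service names taken to indicate RRAS/VPN enablement, the record and DNS line shapes, and all sample data are assumptions constructed for illustration.

```python
"""Hunt for the Terracotta server-enlistment chain in Windows event records.

Added example, not RSA's tooling. Standard Windows event IDs used:
  4625 failed logon, 4624 successful logon  (Security log)
  5025 Windows Firewall service stopped      (Security log)
  4720 local user account created            (Security log)
  7045 new service installed                 (System log)
The event records and DNS lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 20                  # assumption: tune to the site's baseline
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
FOLLOW_UP_WINDOW = timedelta(hours=24)
RRAS_SERVICES = {"remoteaccess", "rasman"}  # assumption: names a VPN/RRAS enablement surfaces
IOC_DOMAINS = {"8800free.info"}             # domain published in the RSA report


def _t(seconds):
    """Constructed timestamp, `seconds` after an arbitrary base time."""
    return datetime(2015, 7, 1, 2, 0) + timedelta(seconds=seconds)


SAMPLE_EVENTS = (
    # WEB01: 25 failed Administrator logons 10 s apart from one source, then success,
    # firewall service stopped, a new local account, and RRAS installed.
    [{"time": _t(10 * i), "host": "WEB01", "id": 4625, "src": "203.0.113.7",
      "detail": "Administrator"} for i in range(25)]
    + [
        {"time": _t(300), "host": "WEB01", "id": 4624, "src": "203.0.113.7", "detail": "Administrator"},
        {"time": _t(420), "host": "WEB01", "id": 5025, "src": "", "detail": "MpsSvc"},
        {"time": _t(480), "host": "WEB01", "id": 4720, "src": "", "detail": "vpnsvc"},
        {"time": _t(900), "host": "WEB01", "id": 7045, "src": "", "detail": "RemoteAccess"},
        # FILE02: benign noise, two typos before a real logon and an unrelated service install.
        {"time": _t(60), "host": "FILE02", "id": 4625, "src": "192.0.2.44", "detail": "jsmith"},
        {"time": _t(70), "host": "FILE02", "id": 4625, "src": "192.0.2.44", "detail": "jsmith"},
        {"time": _t(80), "host": "FILE02", "id": 4624, "src": "192.0.2.44", "detail": "jsmith"},
        {"time": _t(3000), "host": "FILE02", "id": 7045, "src": "", "detail": "BackupAgent"},
    ]
)

# Constructed resolver log in a "time host qname" shape.
SAMPLE_DNS = [
    "2015-07-01T02:45:00 WEB01 8800free.info.",
    "2015-07-01T02:46:00 FILE02 update.example.net.",
]


def brute_force_sources(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Map (host, source IP) -> (first, last) failure time for sources that logged
    at least `threshold` failed logons against one host inside `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            failures[(ev["host"], ev["src"])].append(ev["time"])
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted failures
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = (times[start], t)
                break
    return hits


def takeover_findings(events):
    """For each brute-forced (host, source), chain the stages RSA describes: a later
    successful logon from the same source, then firewall stop, account creation
    and RRAS install within FOLLOW_UP_WINDOW."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for (host, src), (first, _last) in brute_force_sources(events).items():
        stages = ["brute_force"]
        success = next((e for e in events if e["host"] == host and e["id"] == 4624
                        and e["src"] == src and e["time"] >= first), None)
        if success is not None:
            stages.append("logon_success")
            deadline = success["time"] + FOLLOW_UP_WINDOW
            for e in events:
                if e["host"] != host or not success["time"] <= e["time"] <= deadline:
                    continue
                if e["id"] == 5025:
                    stages.append("firewall_stopped")
                elif e["id"] == 4720:
                    stages.append("account_created:" + e["detail"])
                elif e["id"] == 7045 and e["detail"].lower() in RRAS_SERVICES:
                    stages.append("rras_installed")
        findings.append({"host": host, "src": src, "stages": stages})
    return findings


def ioc_hosts(dns_lines, iocs=IOC_DOMAINS):
    """Hosts that resolved a published Terracotta domain (trailing dot tolerated)."""
    return {host for _time, host, qname in (line.split() for line in dns_lines)
            if qname.rstrip(".").lower() in iocs}


def triage(events, dns_lines):
    """Verdict per host: 'compromised' when the full chain (brute force, success, two
    or more post-access stages) or an IOC resolution is seen, 'suspicious' for brute
    force plus success only, 'brute_forced' otherwise."""
    verdicts = {}
    for f in takeover_findings(events):
        post = [s for s in f["stages"] if s not in ("brute_force", "logon_success")]
        if "logon_success" in f["stages"]:
            verdicts[f["host"]] = "compromised" if len(post) >= 2 else "suspicious"
        else:
            verdicts[f["host"]] = "brute_forced"
    for host in ioc_hosts(dns_lines):
        verdicts[host] = "compromised"
    return verdicts


if __name__ == "__main__":
    for f in takeover_findings(SAMPLE_EVENTS):
        print(f["host"], f["src"], " -> ".join(f["stages"]))
    print(triage(SAMPLE_EVENTS, SAMPLE_DNS))
```

On the constructed sample, WEB01 is reported as compromised both by the event chain and by the DNS match, while FILE02's handful of typos followed by a normal logon never clears the brute-force threshold. Two caveats when adapting this: on a server where the RRAS binaries are already present, enabling the role may not produce a 7045 "new service" event at all, so a start-type or configuration change on the RemoteAccess service is the better thing to key on; and because the article does not say which logon surface Terracotta guesses against, the brute-force stage is deliberately blind to logon type rather than restricted to RDP.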

The big lesson for organizations is that even unimportant servers need basic protection, RSA said in its report. Even if an organization decides a server holds no valuable data and connects to no sensitive systems, it should still protect that server so attackers cannot commandeer it for illegal purposes. Such machines can be pressed into botnets for spam and distributed denial-of-service attacks; attackers can rent compromised servers to run their own software; or, as with Terracotta, the servers can be used to steal an organization's bandwidth and lend its reputation to someone else's attack traffic.

For more about Terracotta, click here


Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.
Comments
Kelly Jackson Higgins (User Rank: Strategist), 8/5/2015 2:57:14 PM
Re: Your link is invalid
Link has now been fixed. Thanks!
SgS125 (User Rank: Ninja), 8/5/2015 12:22:21 PM
Your link is invalid

Your link for more information goes here:

https://mail.cmp.com/owa/redir.aspx?SURL=G85b9ymvBb4nqK1WyWguVxMc4roqPIj7lFgrb0_HBUxQxRtvp53SCGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAHMALgByAHMAYQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwAyADAAMQA1AC8AMAA4AC8AVABlAHIAcgBhAGMAbwB0AHQAYQAtAFYAUABOAC0AUgBlAHAAbwByAHQALQBGAGkAbgBhAGwALQA4AC0AMwAuAHAAZABmAA..&URL=https%3a%2f%2fblogs.rsa.com%2fwp-content%2fuploads%2f2015%2f08%2fTerracotta-VPN-Report-Final-8-3.pdf

Which appears to be an exchange web access login page.

For a deeper dive into this topic, see what Krebs wrote.
bricksteen (User Rank: Apprentice), 8/4/2015 11:33:58 PM
no doubt
It's one of which most different levels of consumers use for different reasons, but I wonder if a lot of people use ironsocket (https://ironsocket.com). I've been using this since last year and no doubt! It gives 100% security from any other.