Dark Reading is part of the Informa Tech Division of Informa PLC


Terracotta VPN Piggybacks On Network Of Compromised Windows Servers

APT groups use this VPN service to launch attacks against organizations around the world.

A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.

Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that many of its servers are actually Windows systems in small businesses and other organizations with limited IT staff which have been compromised and commandeered into the network.

While there are some servers owned by Terracotta, most of the infrastructure consists of servers in China, South Korea, Japan, the United States, and some countries in Eastern Europe. Victims include a Fortune 500 hotel chain, a hi-tech manufacturer, a law firm, a doctor's office, school and university systems, and a county government for an unidentified U.S. state, the report found.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA researchers wrote in the report.

There are “three classes of victims” affected by Terracotta, says Peter Beardmore, senior consultant for threat intelligence at RSA. The first class includes the consumers who purchase Terracotta thinking it is a legitimate VPN service. The second group refers to the more than 300 companies whose servers have been compromised for Terracotta's purposes, and the third group refers to the organizations the attack groups are targeting.

The attack groups launch their operations through the VPN service, thus obscuring their origins. The traffic appears to be coming from legitimate IP addresses from organizations with good reputations, making it difficult for victim organizations to identify the attack.

No one would suspect traffic from a school district as being part of an advanced persistent attack activity, Beardmore says.

A charter school was one of the organizations whose servers inadvertently became part of Terracotta, Beardmore says. The school IT staff had noticed server performance had slowed, but was unaware it had been compromised. The staff was about to increase its Internet bandwidth five-fold when RSA informed the school the Web server had 50,000 IP addresses connecting through it. Once the server was cleaned up, the performance went back to normal and the school did not have to invest in the extra bandwidth, Beardmore says.

One of the attack groups, known as Shell_Crew and Deep Panda, appears to use Terracotta regularly, RSA's report found. Deep Panda is believed to have been behind the attacks on the U.S. Department of Labor in 2013 and other high-profile targets. However, there is nothing to indicate the operators behind Terracotta are actually affiliated with Deep Panda or any of the other APT groups who utilize the services, Beardmore says. Terracotta appears to be a commercial service being marketed to criminal organizations.

Criminals renting servers and networks to launch their attacks is nothing new. What's new is the commercial nature of the Terracotta operation, Beardmore says. Previously, these services were marketed on underground forums and on criminal marketplaces. They weren't openly marketed, nor were the providers operating as a full-fledged enterprise. Terracotta is marketed under several different brands and websites but is run by a single entity.

Terracotta is a commercial enterprise, but not a legitimate one, Beardmore says. Terracotta's illicit method of harvesting servers belonging to other organizations to build up its infrastructure shows it is not some business which attack groups are co-opting for nefarious purposes.

Terracotta “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world,” the researchers wrote in the report.

Attack groups would be attracted to Terracotta's model because the VPN service reduces the cost of launching their attacks. Renting out virtual private servers is not difficult, considering high-quality VPS with sufficient power for use as a VPN node can be leased for as little as $5 per month in the US, the report found. However, VPNs, which the attack groups need to mask their activities and origins, tend to be bandwidth-intensive, and most VPS providers charge for bandwidth use. With that in mind, signing up for a VPN service such as Terracotta “would significantly affect operating expenses,” the researchers wrote.

Terracotta uses a very simple, yet effective, method for harvesting servers. When it finds a target Windows server, it uses a brute-force attack to crack an administrator's password. Once in, it disables the Windows firewall and any other security software running, and then installs a remote access Trojan. Finally, it creates a new account on the server and installs Windows VPN services. The researchers currently have a working theory that Terracotta's team is finding target servers by just going sequentially down the IP address space, Beardmore says.
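The harvesting sequence above (password brute force, then a new account and a VPN service on the box) leaves a recognizable trail in Windows Security event logs. As an added, defender-side example that is not code from RSA or the report, this Python script walks constructed event records and flags any source that logged on after a burst of failures and then created an account or installed a service; the log format, addresses and thresholds are assumptions.

```python
# Added example (not from the RSA report): flag the Terracotta-style takeover sequence in
# Windows Security events. Standard event IDs: 4625 failed logon, 4624 successful logon,
# 4720 user account created, 4697 service installed. All lines/addresses are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp|event_id|source_ip|detail" (detail = account or service)
SAMPLE_LOG = """\
2015-08-01T02:00:01|4625|203.0.113.7|Administrator
2015-08-01T02:00:02|4625|203.0.113.7|Administrator
2015-08-01T02:00:03|4625|203.0.113.7|Administrator
2015-08-01T02:00:04|4625|203.0.113.7|Administrator
2015-08-01T02:00:05|4625|203.0.113.7|Administrator
2015-08-01T02:00:09|4624|203.0.113.7|Administrator
2015-08-01T02:03:40|4720|203.0.113.7|vpnsvc
2015-08-01T02:05:12|4697|203.0.113.7|RemoteAccess
2015-08-01T09:15:00|4625|198.51.100.2|jsmith
2015-08-01T09:15:30|4624|198.51.100.2|jsmith
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, eid, src, detail = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), src, detail))
    return events

def find_takeovers(events, min_failures=5, brute_window=timedelta(minutes=10),
                   followup_window=timedelta(hours=1)):
    """Return sources that brute-forced a logon and then created an account
    or installed a service: the harvesting steps the report describes."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (ts, eid, _, user) in enumerate(evs):
            if eid != 4624:
                continue
            # Failed logons from this source in the minutes before the success.
            fails = sum(1 for t, e, _, _ in evs[:i]
                        if e == 4625 and ts - t <= brute_window)
            if fails < min_failures:
                continue
            followups = [e for t, e, _, _ in evs[i + 1:]
                         if e in (4720, 4697) and t - ts <= followup_window]
            if followups:
                hits[src] = {"user": user, "failures": fails, "followups": followups}
    return hits
```

On the constructed sample only 203.0.113.7 is flagged; the single failed logon from 198.51.100.2 stays below the threshold.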

RSA has notified many of the U.S.-based victims whose servers were compromised by Terracotta, and most have been cleaned up. RSA is also publishing the malicious IP addresses and domain names it has identified as part of Terracotta's network to its threat intelligence service. One of the domains was identified in the report: 8800free[dot]info. Any Web servers connecting to this domain should be considered compromised, the report said.

The big lesson here for organizations is that even the unimportant servers need basic levels of protection, RSA said in its report. Even if the organization decides a server doesn't contain any valuable data or doesn't connect to sensitive systems, it should still protect such servers so that attackers don't commandeer them for illegal purposes. Machines can be used in botnets for spam and distributed denial of service attacks. Attackers can rent compromised servers to run their own software. Or, in the case of Terracotta, servers can be used to steal bandwidth from organizations.

For more about Terracotta, click here


Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.

Comments
Kelly Jackson Higgins (User Rank: Strategist), 8/5/2015 | 2:57:14 PM
Re: Your link is invalid
Link has now been fixed. Thanks!
SgS125 (User Rank: Ninja), 8/5/2015 | 12:22:21 PM
Your link is invalid

Your link for more information goes here:

https://mail.cmp.com/owa/redir.aspx?SURL=G85b9ymvBb4nqK1WyWguVxMc4roqPIj7lFgrb0_HBUxQxRtvp53SCGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAHMALgByAHMAYQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwAyADAAMQA1AC8AMAA4AC8AVABlAHIAcgBhAGMAbwB0AHQAYQAtAFYAUABOAC0AUgBlAHAAbwByAHQALQBGAGkAbgBhAGwALQA4AC0AMwAuAHAAZABmAA..&URL=https%3a%2f%2fblogs.rsa.com%2fwp-content%2fuploads%2f2015%2f08%2fTerracotta-VPN-Report-Final-8-3.pdf

which appears to be an Exchange Web Access login page.

For a deeper dive into this topic, see what Krebs wrote.
bricksteen (User Rank: Apprentice), 8/4/2015 | 11:33:58 PM
no doubt
It's one of which most different levels of consumers use for different reasons, but I wonder if a lot of people use ironsocket (https://ironsocket.com). I've been using this since last year and no doubt! It gives 100% security from any other.