Terracotta VPN Piggybacks On Network Of Compromised Windows Servers

APT groups use this VPN service to launch attacks against organizations around the world.

Fahmida Y. Rashid, Managing Editor, Features

August 4, 2015


A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.

Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that many of its servers are actually Windows systems in small businesses and other organizations with limited IT staff, which have been compromised and commandeered into the network.

While there are some servers owned by Terracotta, most of the infrastructure consists of servers in China, South Korea, Japan, the United States, and some countries in Eastern Europe. Victims include a Fortune 500 hotel chain, a hi-tech manufacturer, a law firm, a doctor's office, school and university systems, and a county government for an unidentified U.S. state, the report found.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA researchers wrote in the report.

There are “three classes of victims” affected by Terracotta, says Peter Beardmore, senior consultant for threat intelligence at RSA. The first class includes the consumers who purchase Terracotta thinking it is a legitimate VPN service. The second group is the more than 300 companies whose servers have been compromised for Terracotta's purposes, and the third group is the organizations the attack groups are targeting.

The attack groups launch their operations through the VPN service, thus obscuring their origins. The traffic appears to be coming from legitimate IP addresses from organizations with good reputations, making it difficult for victim organizations to identify the attack.

No one would suspect traffic from a school district as being part of an advanced persistent attack activity, Beardmore says.

A charter school was one of the organizations whose servers inadvertently became part of Terracotta, Beardmore says. The school IT staff had noticed server performance had slowed, but was unaware it had been compromised. The staff was about to increase its Internet bandwidth five-fold when RSA informed the school that the Web server had 50,000 IP addresses connecting through it. Once the server was cleaned up, performance went back to normal and the school did not have to invest in the extra bandwidth, Beardmore says.

One of the attack groups, known as Shell_Crew and Deep Panda, appears to use Terracotta regularly, RSA's report found. Deep Panda is believed to have been behind the attacks on the U.S. Department of Labor in 2013 and other high-profile targets. However, there is nothing to indicate the operators behind Terracotta are actually affiliated with Deep Panda or any of the other APT groups who utilize the service, Beardmore says. Terracotta appears to be a commercial service being marketed to criminal organizations.

Criminals renting servers and networks to launch their attacks is nothing new. What's new is the commercial nature of the Terracotta operation, Beardmore says. Previously, these services were marketed on underground forums and on criminal marketplaces. They weren't openly marketed, nor were the providers operating as a full-fledged enterprise. Terracotta is marketed under several different brands and websites but is run by a single entity.

Terracotta is a commercial enterprise, but not a legitimate one, Beardmore says. Terracotta's illicit method of harvesting servers belonging to other organizations to build up its infrastructure shows it is not some business which attack groups are co-opting for nefarious purposes.

Terracotta “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world,” the researchers wrote in the report.

Attack groups would be attracted to Terracotta's model because the VPN service reduces the cost of launching their attacks. Renting virtual private servers is not difficult, considering a high-quality VPS with sufficient power for use as a VPN node can be leased for as little as $5 per month in the US, the report found. However, VPNs, which the attack groups need to mask their activities and origins, tend to be bandwidth-intensive, and most VPS providers charge for bandwidth use. With that in mind, signing up for a VPN service such as Terracotta “would significantly affect operating expenses,” the researchers wrote.

Terracotta uses a very simple, yet effective, method for harvesting servers. When it finds a target Windows server, it uses a brute-force attack to crack an administrator's password. Once in, it disables the Windows firewall and any other security software running, and then installs a remote access Trojan. Finally, it creates a new account on the server and installs Windows VPN services. The researchers currently have a working theory that Terracotta's team is finding target servers by just going sequentially down the IP address space, Beardmore says.

RSA has notified many of the U.S.-based victims whose servers were compromised by Terracotta, and most have been cleaned up. RSA is also publishing the malicious IP addresses and domain names it has identified as part of Terracotta's network to its threat intelligence service. One of the domains was identified in the report: 8800free[dot]info. Any Web servers connecting to this domain should be considered compromised, the report said.
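The takeover sequence described above (password brute force, firewall disabled, new account, new VPN service) and the published indicator domain both leave traces a defender can correlate. The following is an added example, not code from RSA or the report: it triages hosts from constructed Windows event records and DNS query logs. The mapping of the article's steps onto standard Windows event IDs (4625, 4624, 4720, 7040, 7045), the thresholds, and the sample hostnames, account names and service name are my own assumptions.

```python
"""
Flag Windows hosts showing the Terracotta-style takeover pattern:
brute-forced admin logon, firewall service disabled, new local account,
new service installed, and resolution of the indicator domain named in
the RSA report. Added example; event ID mapping and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows event IDs; tying them to the article's steps is my mapping.
EV_LOGON_FAIL = 4625      # Security: an account failed to log on
EV_LOGON_OK = 4624        # Security: an account was successfully logged on
EV_USER_CREATED = 4720    # Security: a user account was created
EV_SVC_STARTTYPE = 7040   # System: a service's start type was changed
EV_SVC_INSTALLED = 7045   # System: a service was installed

IOC_DOMAIN = "8800free.info"            # the one domain the report names

BRUTE_FORCE_THRESHOLD = 20              # failed logons before the success (assumed)
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
FOLLOW_UP_WINDOW = timedelta(hours=24)  # post-compromise steps must follow the break-in


def detect_brute_force(events):
    """Return (account, success_time) when >= THRESHOLD 4625s for one account
    precede a 4624 for that account within the window; otherwise None."""
    failures = defaultdict(list)  # account -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == EV_LOGON_FAIL:
            failures[ev["account"]].append(ev["ts"])
        elif ev["id"] == EV_LOGON_OK:
            recent = [t for t in failures[ev["account"]] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                return ev["account"], ev["ts"]
    return None


def analyse_host(events, dns_queries):
    """Collect human-readable indicators for one host."""
    hits = []
    bf = detect_brute_force(events)
    if bf:
        account, t0 = bf
        hits.append(f"brute-forced logon as {account}")
        after = sorted((e for e in events if t0 <= e["ts"] <= t0 + FOLLOW_UP_WINDOW),
                       key=lambda e: e["ts"])
        for e in after:
            if e["id"] == EV_USER_CREATED:
                hits.append(f"new local account {e['target']}")
            elif (e["id"] == EV_SVC_STARTTYPE and "firewall" in e["service"].lower()
                  and e["new_start"] == "disabled"):
                hits.append("Windows Firewall service disabled")
            elif e["id"] == EV_SVC_INSTALLED:
                hits.append(f"new service installed: {e['service']}")
    if any(q.lower().rstrip(".") == IOC_DOMAIN for q in dns_queries):
        hits.append(f"resolved indicator domain {IOC_DOMAIN}")
    return hits


def triage(events_by_host, dns_by_host):
    """Per host: indicators found and a compromise verdict. Contact with the
    indicator domain alone is treated as compromise, as the report advises;
    otherwise require the break-in plus at least two follow-up steps."""
    report = {}
    for host in set(events_by_host) | set(dns_by_host):
        hits = analyse_host(events_by_host.get(host, []), dns_by_host.get(host, []))
        compromised = any("indicator domain" in h for h in hits) or len(hits) >= 3
        report[host] = {"compromised": compromised, "indicators": hits}
    return report


# ---- Constructed sample data (hostnames, accounts and service name are made up) ----
T0 = datetime(2015, 7, 20, 2, 0, 0)
SAMPLE_EVENTS = {
    # WEB01: 25 failed Administrator logons in ~4 minutes, then success and the follow-up steps
    "WEB01": [{"ts": T0 + timedelta(seconds=10 * i), "id": EV_LOGON_FAIL, "account": "Administrator"}
              for i in range(25)] + [
        {"ts": T0 + timedelta(minutes=5), "id": EV_LOGON_OK, "account": "Administrator"},
        {"ts": T0 + timedelta(minutes=7), "id": EV_SVC_STARTTYPE, "service": "Windows Firewall",
         "new_start": "disabled"},
        {"ts": T0 + timedelta(minutes=9), "id": EV_USER_CREATED, "target": "sysadm2"},
        {"ts": T0 + timedelta(minutes=12), "id": EV_SVC_INSTALLED, "service": "ExampleVpnSvc"},
    ],
    # FILE02: an admin mistyping a password three times, then logging in normally
    "FILE02": [{"ts": T0 + timedelta(hours=6, seconds=30 * i), "id": EV_LOGON_FAIL, "account": "jsmith"}
               for i in range(3)] + [
        {"ts": T0 + timedelta(hours=6, minutes=2), "id": EV_LOGON_OK, "account": "jsmith"},
    ],
}
SAMPLE_DNS = {
    "WEB01": ["update.example.net", "8800free.info."],
    "FILE02": ["time.example.net"],
    "MAIL03": ["8800free.info"],   # no host logs collected, only the DNS indicator
}

TRIAGE = triage(SAMPLE_EVENTS, SAMPLE_DNS)

if __name__ == "__main__":
    for host, result in sorted(TRIAGE.items()):
        verdict = "COMPROMISED" if result["compromised"] else "clean"
        print(f"{host}: {verdict}")
        for hit in result["indicators"]:
            print(f"    - {hit}")
```

The brute-force check requires the burst of 4625 events to precede a 4624 for the same account, so a locked-out admin who eventually logs in looks the same as an attacker who eventually guesses right; in practice the source address of the successful logon and the account's normal hours are what separate them. Security-log auditing for logon and account-management events must be enabled for 4625, 4624 and 4720 to exist at all.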

The big lesson here for organizations is that even unimportant servers need basic levels of protection, RSA said in its report. Even if the organization decides a server doesn't contain any valuable data or doesn't connect to sensitive systems, it should still protect that server so that attackers don't commandeer it for illegal purposes. Machines can be used in botnets for spam and distributed denial of service attacks. Attackers can rent compromised servers to run their own software. Or, in the case of Terracotta, servers can be used to steal bandwidth from organizations.


About the Author

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.
