
Terracotta VPN Piggybacks On Network Of Compromised Windows Servers

APT groups use this VPN service to launch attacks against organizations around the world.

A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.

Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that many of its servers are actually Windows systems in small businesses and other organizations with limited IT staff, which have been compromised and commandeered into the network.

While there are some servers owned by Terracotta, most of the infrastructure consists of servers in China, South Korea, Japan, the United States, and some countries in Eastern Europe. Victims include a Fortune 500 hotel chain, a hi-tech manufacturer, a law firm, a doctor's office, school and university systems, and a county government for an unidentified U.S. state, the report found.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA researchers wrote in the report.

There are “three classes of victims” affected by Terracotta, says Peter Beardmore, senior consultant for threat intelligence at RSA. The first class includes the consumers who purchase Terracotta thinking it is a legitimate VPN service. The second group refers to the more than 300 companies whose servers have been compromised for Terracotta's purposes, and the third group refers to the organizations the attack groups are targeting.

The attack groups launch their operations through the VPN service, thus obscuring their origins. The traffic appears to be coming from legitimate IP addresses from organizations with good reputations, making it difficult for victim organizations to identify the attack.

No one would suspect traffic from a school district of being part of an advanced persistent attack, Beardmore says.

A charter school was one of the organizations whose servers inadvertently became part of Terracotta, Beardmore says. The school IT staff had noticed server performance had slowed, but was unaware it had been compromised. The staff was about to increase its Internet bandwidth five-fold when RSA informed the school the Web server had 50,000 IP addresses connecting through it. Once the server was cleaned up, the performance went back to normal and the school did not have to invest in the extra bandwidth, Beardmore says.

One of the attack groups, known as Shell_Crew and Deep Panda, appears to use Terracotta regularly, RSA's report found. Deep Panda is believed to have been behind the attacks on the U.S. Department of Labor in 2013 and other high-profile targets. However, there is nothing to indicate the operators behind Terracotta are actually affiliated with Deep Panda or any of the other APT groups that utilize the service, Beardmore says. Terracotta appears to be a commercial service being marketed to criminal organizations.

Criminals renting servers and networks to launch their attacks is nothing new. What's new is the commercial nature of the Terracotta operation, Beardmore says. Previously, these services were marketed on underground forums and on criminal marketplaces. They weren't openly marketed, nor were the providers operating as a full-fledged enterprise. Terracotta is marketed under several different brands and websites but is run by a single entity.

Terracotta is a commercial enterprise, but not a legitimate one, Beardmore says. Terracotta's illicit method of harvesting servers belonging to other organizations to build up its infrastructure shows it is not some business which attack groups are co-opting for nefarious purposes.

Terracotta “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world,” the researchers wrote in the report.

Attack groups would be attracted to Terracotta's model because the VPN service reduces the cost of launching their attacks. Renting virtual private servers is not difficult, considering a high-quality VPS with sufficient power for use as a VPN node can be leased for as little as $5 per month in the US, the report found. However, VPNs, which the attack groups need to mask their activities and origins, tend to be bandwidth-intensive, and most VPS providers charge for bandwidth use. With that in mind, signing up for a VPN service such as Terracotta “would significantly affect operating expenses,” the researchers wrote.

Terracotta uses a very simple, yet effective, method for harvesting servers. When it finds a target Windows server, it uses a brute-force attack to crack an administrator's password. Once in, it disables the Windows firewall and any other security software running, and then installs a remote access Trojan. Finally, it creates a new account on the server and installs Windows VPN services. The researchers currently have a working theory that Terracotta's team is finding target servers by just going sequentially down the IP address space, Beardmore says.

RSA has notified many of the U.S.-based victims whose servers were compromised by Terracotta, and most have been cleaned up. RSA is also publishing the malicious IP addresses and domain names it has identified as part of Terracotta's network to its threat intelligence service. One of the domains was identified in the report: 8800free[dot]info. Any Web servers connecting to this domain should be considered compromised, the report said.
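The two paragraphs above give a defender two things to look for: the takeover sequence (admin password brute force, firewall disabled, new account, VPN service installed) and the one domain the report named. The following Python is an added example written for this page, not code from the article or from RSA: it runs those checks over constructed Windows event records and resolver log lines. The event IDs are real Windows Security/System log IDs; the record layout, source addresses, account names, the service name and the DNS log format are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs (Security log unless noted) that correspond to the stages
# of the server takeover the article describes.
STAGE_EVENTS = {
    4625: "failed logon",              # brute-force attempts against an admin account
    4624: "successful logon",          # the eventual break-in
    4950: "firewall setting changed",  # Windows firewall disabled
    4720: "user account created",      # new account added by the intruder
    7045: "service installed",         # RAT or VPN service added (System log)
}

# Constructed sample records, "timestamp|event_id|account|source_ip|detail";
# these are not from the RSA report. 25 failed Administrator logons from one
# address in under a minute, a success, then the follow-on stages.
SAMPLE_EVENTS = [
    f"2015-07-30 02:00:{i:02d}|4625|Administrator|198.51.100.7|bad password"
    for i in range(25)
] + [
    "2015-07-30 02:00:30|4624|Administrator|198.51.100.7|logon type 10",
    "2015-07-30 02:01:10|4950|Administrator|-|profile Domain: firewall disabled",
    "2015-07-30 02:02:05|4720|Administrator|-|new account vpnsvc",
    "2015-07-30 02:03:40|7045|Administrator|-|service RemoteAccess installed",
    "2015-07-30 09:15:00|4624|alice|10.0.0.12|logon type 2",
]

def parse_events(lines):
    """Parse the pipe-separated records and return them sorted by time."""
    events = []
    for line in lines:
        ts, eid, account, src, detail = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "account": account,
                       "src": src, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def find_brute_force_successes(events, threshold=20, window=timedelta(minutes=10)):
    """Return (account, source_ip, time) for every successful logon that was
    preceded by at least `threshold` failures for the same account from the
    same source inside `window`: the break-in step of the chain."""
    hits = []
    failures = defaultdict(list)          # (account, src) -> failure times
    for e in events:
        key = (e["account"], e["src"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((e["account"], e["src"], e["ts"]))
    return hits

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """For each brute-forced logon, report which follow-on stages (firewall
    change, account creation, service install) occur within `window`.
    All three together is the pattern the article describes."""
    chains = []
    for account, src, t0 in find_brute_force_successes(events):
        later = [e for e in events
                 if t0 <= e["ts"] <= t0 + window and e["id"] in (4950, 4720, 7045)]
        stages = sorted({STAGE_EVENTS[e["id"]] for e in later})
        chains.append({"account": account, "src": src, "start": t0,
                       "stages": stages, "complete": len(stages) == 3})
    return chains

# The one Terracotta domain the report named, defanged as in the article.
TERRACOTTA_IOCS = {"8800free[dot]info"}

def refang(domain):
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[dot]", ".").replace("[.]", ".").lower()

# Constructed resolver log lines in an assumed "client <ip> query: <name>" layout.
SAMPLE_DNS = [
    "2015-07-30 02:05:00 client 10.0.0.40 query: 8800free.info A",
    "2015-07-30 02:05:03 client 10.0.0.40 query: update.8800free.info A",
    "2015-07-30 02:06:00 client 10.0.0.12 query: example.com A",
]

def find_ioc_clients(dns_lines, iocs=TERRACOTTA_IOCS):
    """Return the client IPs that resolved a known Terracotta domain or any
    subdomain of one; the report says such servers should be treated as compromised."""
    bad = {refang(d) for d in iocs}
    pattern = re.compile(r"client (\S+) query: (\S+)")
    clients = set()
    for line in dns_lines:
        m = pattern.search(line)
        if not m:
            continue
        client, qname = m.groups()
        qname = qname.rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in bad):
            clients.add(client)
    return clients

if __name__ == "__main__":
    for chain in find_takeover_chains(parse_events(SAMPLE_EVENTS)):
        print("takeover chain:", chain)
    print("hosts contacting Terracotta domains:", find_ioc_clients(SAMPLE_DNS))
```

The brute-force threshold and windows are deliberately conservative; on a real server the same check should be fed from the exported Security and System logs, and any host that matches the DNS check should be treated the way the report advises rather than merely flagged.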

The big lesson here for organizations is that even the unimportant servers need basic levels of protection, RSA said in its report. Even if the organization decides a server doesn't contain any valuable data or doesn't connect to sensitive systems, it should still protect that server so that attackers don't commandeer it for illegal purposes. Machines can be used in botnets for spam and distributed denial of service attacks. Attackers can rent compromised servers to run their own software. Or, in the case of Terracotta, servers can be used to steal bandwidth from organizations.

For more about Terracotta, click here


Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.
Comments
Kelly Jackson Higgins, User Rank: Strategist
8/5/2015 | 2:57:14 PM
Re: Your link is invalid
Link has now been fixed. Thanks!
SgS125, User Rank: Ninja
8/5/2015 | 12:22:21 PM
Your link is invalid

Your link for more information goes here:

https://mail.cmp.com/owa/redir.aspx?SURL=G85b9ymvBb4nqK1WyWguVxMc4roqPIj7lFgrb0_HBUxQxRtvp53SCGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAHMALgByAHMAYQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwAyADAAMQA1AC8AMAA4AC8AVABlAHIAcgBhAGMAbwB0AHQAYQAtAFYAUABOAC0AUgBlAHAAbwByAHQALQBGAGkAbgBhAGwALQA4AC0AMwAuAHAAZABmAA..&URL=https%3a%2f%2fblogs.rsa.com%2fwp-content%2fuploads%2f2015%2f08%2fTerracotta-VPN-Report-Final-8-3.pdf

Which appears to be an Exchange web access login page.

For a deeper dive into this topic, see what Krebs wrote.
bricksteen, User Rank: Apprentice
8/4/2015 | 11:33:58 PM
no doubt
It's one of which most different levels of consumers use for different reasons, but I wonder if a lot of people use ironsocket (https://ironsocket.com). I've been using this since last year and no doubt! It gives 100% security from any other.