Terracotta VPN, the Chinese VPN Service as Hacking Platform

A Chinese-language Virtual Private Network service provider dubbed Terracotta VPN offers a network of compromised servers as a stealth hacking platform.

According to RSA Security, a China-based virtual private network (VPN) service provider offers hacking crews a network of compromised servers that can be used to carry out stealthy cyber attacks.

The attacks appear to come from legitimate IP addresses belonging to organizations with a good reputation, making it difficult for the victim to identify the real source of the offensive.

The VPN service identified by RSA and dubbed by the company Terracotta VPN “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world.” Terracotta VPN is a commercial VPN service provider with over 1,500 nodes around the world; the majority of its servers are actually compromised Windows systems belonging to SMBs.

“Terracotta’s network of 1500+ VPN nodes throughout the world are primarily obtained by hacking into inadequately protected Windows servers in legitimate organizations, without the victim’s knowledge or permission. New nodes are continually added as new victims are enlisted, and they are unpublished outside of the Terracotta user-base,” RSA wrote in a report. “RSA Research suspects that Terracotta is targeting vulnerable Windows servers because this platform includes VPN services that can be configured quickly (in a matter of seconds).”

Operators behind Terracotta VPN target Windows servers with brute-force attacks to crack an administrator’s password. Once they have the admin credentials, they disable the Windows firewall and any other security software and then install a remote access Trojan. The last step consists of creating a new administrative account on the server and installing the Windows VPN service.
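The takeover chain above leaves a recognizable trail in the Windows event logs. As an added example (not from RSA’s report or this article), the following Python correlator looks for that chain across constructed event records: a run of failed logons (4625) followed by a success (4624), the Windows Firewall service stopped (5025), a new account (4720) added to the local Administrators group (4732), and a remote-access service installed (7045). The event IDs are standard Windows IDs; the host names, record layout and threshold are assumptions.

```python
"""Correlate Windows Security/System event records for the Terracotta-style
takeover chain: brute force -> firewall off -> new admin -> VPN service installed.
All sample records below are constructed for illustration, not real log data."""
from collections import defaultdict

# Later stages of the chain: (label, event_id, predicate on the detail text)
STAGES = [
    ("firewall_disabled", 5025, lambda d: True),   # Windows Firewall service stopped
    ("account_created", 4720, lambda d: True),     # a user account was created
    ("added_to_admins", 4732, lambda d: "Administrators" in d),  # added to local group
    ("service_installed", 7045, lambda d: "RemoteAccess" in d or "RasMan" in d),
]
BRUTE_FORCE_THRESHOLD = 5  # failed logons (4625) before a success counts as brute force

def correlate(events):
    """events: iterable of (timestamp, host, event_id, detail), sorted by time.
    Returns {host: [stage labels seen, in order]} for hosts with any stage."""
    failures = defaultdict(int)
    stages = defaultdict(list)
    for _ts, host, eid, detail in events:
        if eid == 4625:                      # failed logon: count it per host
            failures[host] += 1
            continue
        if eid == 4624 and failures[host] >= BRUTE_FORCE_THRESHOLD:
            stages[host].append("brute_force_then_logon")
            failures[host] = 0
            continue
        for label, sid, pred in STAGES:      # record each later stage once per host
            if eid == sid and pred(detail) and label not in stages[host]:
                stages[host].append(label)
    return dict(stages)

def flag_hosts(events, min_stages=3):
    """Hosts showing at least min_stages stages of the chain, most complete first."""
    hits = [(h, s) for h, s in correlate(events).items() if len(s) >= min_stages]
    return sorted(hits, key=lambda hs: -len(hs[1]))

# Constructed sample: SRV-01 suffers the full chain; SRV-02 is a normal logon.
SAMPLE = [(i, "SRV-01", 4625, "Administrator") for i in range(8)] + [
    (8, "SRV-01", 4624, "Administrator LogonType=10"),
    (9, "SRV-01", 5025, "The Windows Firewall Service has been stopped"),
    (10, "SRV-01", 4720, "New account: svc_backup"),
    (11, "SRV-01", 4732, "svc_backup added to Administrators"),
    (12, "SRV-01", 7045, "Service installed: RemoteAccess"),
    (13, "SRV-02", 4625, "jsmith"),
    (14, "SRV-02", 4624, "jsmith LogonType=2"),
]

if __name__ == "__main__":
    for host, seen in flag_hosts(SAMPLE):
        print(host, "->", " > ".join(seen))
```

In practice the records would be pulled from the Security log (4624/4625/4720/4732/5025) and the System log (7045) and merged by time before correlation.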

RSA experts discovered that the majority of the servers owned by Terracotta consists of compromised machines located in China, Japan, South Korea, the United States, and some countries in Eastern Europe.

The list of victims is long; it includes a Fortune 500 hotel chain, a hi-tech manufacturer, a doctor’s office, school and university systems, a law firm, and a county government for an unidentified U.S. state.

“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA states in the report.

The name Terracotta VPN assigned to the malicious infrastructure is a clear reference to the Chinese Terracotta Army; hacker crews are thought to be using Terracotta to run attacks while remaining anonymous. The experts speculate that well-known APT groups have used it, including “Shell_Crew” and “Deep Panda.”

RSA suspects state-sponsored hackers have leveraged at least 52 Terracotta VPN nodes to hit targets among private firms and government organizations. A report provided to RSA by a large defense contractor confirms that 27 different Terracotta VPN node Internet addresses were used in phishing campaigns targeting users in its organization.

“Out of the thirteen different IP addresses used during this campaign against this one (APT) target, eleven (85%) were associated with Terracotta VPN nodes,” RSA wrote of one cyber espionage campaign it investigated. “Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage related network traffic can blend-in with ‘otherwise-legitimate’ VPN traffic.”

RSA grouped victims into “three classes”: the first class includes the consumers who purchase Terracotta thinking it is a legitimate VPN service, the second includes the more than 300 companies whose servers have been compromised, and the third is composed of the organizations attacked through the Terracotta VPN.

Criminal organizations renting out networks of compromised servers is not a novelty; what’s new is the commercial offering of Terracotta VPN, which is marketed under several different brands and websites but is run by a single commercial enterprise.

RSA reported its findings to the U.S.-based victims whose servers were part of the Terracotta VPN, and it is also publishing the list of malicious IP addresses and domains it has identified as part of the Terracotta VPN infrastructure.

As explained by the popular security investigator Brian Krebs, RSA included a single screenshot of software used by one of the commercial VPN services, carefully omitting any information that would allow one to find the websites offering the Terracotta VPN.

One of the domains identified in the report is 8800free[dot]info, a good starting point for Krebs’ investigation. Krebs is a master, and I decided to propose an excerpt from his analysis to show you how to proceed in cases like this.

“A lookup at Domaintools.com for the historic registration records on 8800free[dot]info show it was originally registered in 2010 to someone using the email address “xnt50@163.com.” Among the nine other domains registered to xnt50@163.com is 517jiasu[dot]cn, an archived version of which is available here.

Domaintools shows that in 2013 the registration record for 8800free[dot]info was changed to include the email address “jzbb@foxmail.com.” Helpfully, that email was used to register at least 39 other sites, including quite a few that are or were at one time advertising similar-looking VPN services.

Pivoting off the historic registration records for many of those sites turns up a long list of VPN sites registered to other interesting email addresses, including “adsyb@163.com,” “asdfyb@hotmail.com” and “itjsq@qq.com” (click the email addresses for a list of domains registered to each). Armed with lists of dozens of VPN sites, it wasn’t hard to find several sites offering different VPN clients for download. I installed each on a carefully isolated virtual machine (don’t try this at home, kids!).

None of the VPN clients I tried would list the Internet addresses of the individual nodes. However, each node in the network can be discovered simply by running some type of network traffic monitoring tool in the background (I used Wireshark), and logging the address that is pinged when one clicks on a new connection,” explained Krebs.

Pierluigi Paganini

(Security Affairs – Hacking, Terracotta VPN)
