Chinese VPN Used by APT Actors Relies on Hacked Servers

Researchers at RSA have conducted an in-depth analysis of a Chinese virtual private network (VPN) service that has been used by advanced persistent threat (APT) groups to anonymize and obscure their activities.

Dubbed “Terracotta” by RSA, the commercial VPN service is marketed in China under various brands. The network is often used for anonymity, peer-to-peer (P2P) file sharing and gaming acceleration, and to bypass the censorship imposed by China’s Great Firewall.

One of the things that caught the attention of researchers is that Terracotta is a malware-supported VPN network. Many of the service’s more than 1,500 VPN nodes are on compromised servers belonging to various organizations from all over the world.

According to researchers, at least 31 of the host systems are hacked Windows servers belonging to a major hotel chain, U.S. government organizations, universities, tech services providers (including government contractors), and various private firms.

RSA believes the operators of Terracotta are targeting Windows servers because they include VPN services that can be easily configured. In all cases, the hijacked servers were Internet-exposed devices that were not protected by hardware firewalls.

The Terracotta node enlistment process starts with a brute-force attack on the administrator account via the DCOM Windows Management Interface (WMI) on TCP port 135. The attackers then disable the firewall and enable the Telnet service. Once this is done, they log in to the compromised system via the Remote Desktop Protocol (RDP), disable antivirus software, and install a custom variant of the Gh0st Remote Administration Tool (RAT). Finally, the VPN service operators create a new Windows account and install the Windows VPN services on the hijacked server.
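Each step in that chain leaves a trace in standard Windows event logs, so a defender can look for the sequence per host rather than for any single event: a burst of failed logons for the administrator account (Security event 4625), a new service being installed (System event 7045), an RDP logon (4624 with logon type 10), and a new local account (4720). The script below is an added example written for this article, not code from SecurityWeek or from RSA’s report. It runs a per-host state machine over constructed sample events; the thresholds, the time windows, and the service names it watches for (TlntSvr for Telnet and RemoteAccess for Routing and Remote Access) are assumptions chosen for illustration and should be tuned to the environment.

```python
"""Per-host detector for the Terracotta-style node enlistment chain.

Added example, not from the article or RSA's report. Event IDs are the
standard Windows ones: 4625 failed logon, 4624 successful logon (logon
type 10 = RemoteInteractive/RDP), 4720 user account created, 7045 service
installed. All sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_THRESHOLD = 20                 # assumed: failed admin logons from one source ...
BRUTE_WINDOW = timedelta(minutes=10)  # ... inside this window count as brute force
CHAIN_WINDOW = timedelta(hours=24)    # assumed: later stages must follow within a day
# Assumed service names for the Telnet and Routing and Remote Access services.
SUSPECT_SERVICES = {"tlntsvr", "remoteaccess"}


def detect_enlistment(events):
    """Return {host: [stages]} for every host that saw an admin brute force.

    events: iterable of (iso_timestamp, host, event_id, fields_dict).
    The stage list starts with "brute_force" and then records, in the
    order observed, "rdp_logon", "new_account" and "service:<name>".
    """
    by_host = defaultdict(list)
    for ts, host, eid, fields in events:
        by_host[host].append((datetime.fromisoformat(ts), eid, fields))

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        # Stage 1: sliding window of failed Administrator logons per source.
        recent = defaultdict(list)
        brute_at = None
        for t, eid, f in evs:
            if eid != 4625 or f.get("user", "").lower() != "administrator":
                continue
            window = recent[f.get("src")]
            window.append(t)
            while window and t - window[0] > BRUTE_WINDOW:
                window.pop(0)
            if len(window) >= BRUTE_THRESHOLD:
                brute_at = t
                break
        if brute_at is None:
            continue
        # Stages 2+: post-brute-force activity within the chain window.
        stages = ["brute_force"]
        for t, eid, f in evs:
            if t < brute_at or t - brute_at > CHAIN_WINDOW:
                continue
            if eid == 4624 and f.get("logon_type") == 10:
                tag = "rdp_logon"
            elif eid == 4720:
                tag = "new_account"
            elif eid == 7045 and f.get("service", "").lower() in SUSPECT_SERVICES:
                tag = "service:" + f["service"]
            else:
                continue
            if tag not in stages:
                stages.append(tag)
        findings[host] = stages
    return findings


def enlisted_hosts(findings, min_stages=3):
    """Hosts where the brute force was followed by at least two more stages."""
    return sorted(h for h, s in findings.items() if len(s) >= min_stages)


def _t(base, seconds):
    return (datetime.fromisoformat(base) + timedelta(seconds=seconds)).isoformat()


# Constructed sample telemetry (addresses from documentation ranges).
SAMPLE_EVENTS = (
    # web01: 25 failed admin logons in ~4 minutes, then the full chain.
    [(_t("2015-07-01T02:00:00", 10 * i), "web01", 4625,
      {"user": "Administrator", "src": "203.0.113.9"}) for i in range(25)]
    + [("2015-07-01T02:10:00", "web01", 7045, {"service": "TlntSvr"}),
       ("2015-07-01T02:15:00", "web01", 4624, {"user": "Administrator", "logon_type": 10}),
       ("2015-07-01T02:20:00", "web01", 4720, {"user": "svc_vpn"}),
       ("2015-07-01T02:30:00", "web01", 7045, {"service": "RemoteAccess"})]
    # fs02: a few typos and a routine account creation, not a brute force.
    + [(_t("2015-07-01T09:00:00", 30 * i), "fs02", 4625,
        {"user": "Administrator", "src": "192.0.2.5"}) for i in range(3)]
    + [("2015-07-01T09:05:00", "fs02", 4720, {"user": "jdoe"})]
    # mail03: brute force that apparently did not get further.
    + [(_t("2015-07-01T03:00:00", 5 * i), "mail03", 4625,
        {"user": "Administrator", "src": "198.51.100.7"}) for i in range(30)]
)

if __name__ == "__main__":
    found = detect_enlistment(SAMPLE_EVENTS)
    for host, stages in found.items():
        print(host, "->", ", ".join(stages))
    print("enlisted:", enlisted_hosts(found))
```

Because the detector reports brute-force-only hosts separately from hosts that went on to show RDP logons, account creation and VPN-related service installs, the brute-force alert alone can be triaged at lower priority while the full chain is escalated. In a real deployment the events would come from a SIEM export rather than the inline list, and the hosts that appear in the “enlisted” set are candidates for the IoC checks RSA published.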

In addition to Gh0st RAT, experts have spotted other pieces of malware on compromised servers, including the Mitozhan Trojan and the Liudoor Backdoor.

While Terracotta nodes have been identified all over the world, the majority are located in China (1,095), the United States (572), and South Korea (204).


By hacking into legitimate servers and using them as nodes, the operators of the VPN service save a lot of money they would otherwise have to pay for bandwidth, experts noted.

Many Terracotta customers are likely regular users who are not aware that the service is partly powered by hacked servers. However, researchers determined that the VPN service has also been used by APT actors, including the Chinese group known as Shell Crew (Deep Panda).

In one of the attacks observed by the security firm, the attackers leveraged the VPN service in a phishing operation aimed at a defense contractor.

“RSA Research can confirm that suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes for exploitation of sensitive targets among Western government and commercial organizations. Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage-related network traffic can blend in with ‘otherwise-legitimate’ VPN traffic,” RSA said in its report on Terracotta.

The company has pointed out that while the service has been leveraged by APT actors, there is no evidence to suggest that Terracotta is actually tied to such groups.

RSA’s report, “Terracotta VPN: Enabler of Advanced Threat Anonymity,” contains recommendations and indicators of compromise (IoC) to help organizations detect the threat.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.