
Chinese VPN Used by APT Actors Relies on Hacked Servers

Researchers at RSA have conducted an in-depth analysis of a Chinese virtual private network (VPN) service that has been used by advanced persistent threat (APT) groups to anonymize and obscure their activities.


Dubbed “Terracotta” by RSA, the commercial VPN service is marketed in China under various brands. The network is commonly used for anonymity, peer-to-peer (P2P) file sharing and gaming acceleration, and to bypass the censorship imposed by China’s Great Firewall.

One of the things that caught the attention of researchers is that Terracotta is a malware-supported VPN network. Many of the service’s more than 1,500 VPN nodes are on compromised servers belonging to various organizations from all over the world.

According to researchers, at least 31 of the host systems are hacked Windows servers belonging to a major hotel chain, U.S. government organizations, universities, tech services providers (including government contractors), and various private firms.

RSA believes the operators of Terracotta target Windows servers because they ship with built-in VPN services that are easy to configure. In every case, the hijacked servers were Internet-exposed machines that were not protected by hardware firewalls.

The Terracotta node enlistment process starts with a brute-force attack on the administrator account via the DCOM Windows Management Instrumentation (WMI) interface on TCP port 135. The attackers then disable the firewall and enable the Telnet service. Once this is done, they log in to the compromised system via the Remote Desktop Protocol (RDP), disable antivirus software, and install a custom variant of the Gh0st Remote Administration Tool (RAT). Finally, the VPN service operators create a new Windows account and install Windows VPN services on the hijacked server.
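Each step of that enlistment chain leaves a distinct Windows event, and it is the order of the steps, not any single event, that makes the pattern specific enough to alert on. The following Python is an added example written for this page, not RSA's detection logic or anything taken from the Terracotta report. It assumes events have already been collected into a simple record (timestamp, host, event ID, a flattened detail string), uses the standard Windows Security/System log IDs for failed logon (4625), firewall setting change (4950), service start type change (7040), logon (4624, type 10 for RDP), account creation (4720) and service installation (7045), and every log line in it is constructed sample data.

```python
"""Added example: flag hosts whose Windows event trail matches the
Terracotta-style enlistment chain (brute force on the administrator
account, firewall/Telnet changes, RDP logon, new account, new service).
All events below are constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    host: str
    event_id: int  # standard Windows Security/System log IDs, see FOLLOW_ON_STAGES
    detail: str    # the few relevant fields flattened into one string


Stage = Tuple[str, Callable[[Event], bool]]

# Steps that follow the brute force, in the order the article lists them:
# 4950 = firewall setting changed, 7040 = service start type changed (Telnet),
# 4624 with logon type 10 = RDP logon, 4720 = account created, 7045 = service installed.
FOLLOW_ON_STAGES: List[Stage] = [
    ("defenses_changed", lambda e: e.event_id == 4950
                                 or (e.event_id == 7040 and "TlntSvr" in e.detail)),
    ("rdp_logon", lambda e: e.event_id == 4624 and "LogonType=10" in e.detail),
    ("account_created", lambda e: e.event_id == 4720),
    ("service_installed", lambda e: e.event_id == 7045),
]


def first_burst(times: List[int], threshold: int, window: int) -> Optional[int]:
    """Earliest timestamp at which `threshold` events fall inside `window` seconds."""
    recent: deque = deque()
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) >= threshold:
            return t
    return None


def match_chain(events: List[Event], brute_threshold: int = 20,
                burst_window: int = 600, chain_window: int = 3600) -> Optional[Dict[str, int]]:
    """Return {stage: ts} if this host's events contain the whole chain in order,
    starting with a burst of failed administrator logons (4625) and finishing
    within `chain_window` seconds of that burst; otherwise None."""
    ordered = sorted(events, key=lambda e: e.ts)
    failures = [e.ts for e in ordered
                if e.event_id == 4625 and "Administrator" in e.detail]
    start = first_burst(failures, brute_threshold, burst_window)
    if start is None:
        return None
    found = {"brute_force": start}
    cursor, deadline = start, start + chain_window
    for name, pred in FOLLOW_ON_STAGES:
        hit = None
        for e in ordered:
            if cursor <= e.ts <= deadline and pred(e):
                hit = e.ts
                break
        if hit is None:
            return None          # chain broken: ordinary admin activity or noise
        found[name] = hit
        cursor = hit             # later stages must come after this one
    return found


def detect_enlistment(events: List[Event], **kw) -> Dict[str, Dict[str, int]]:
    """Group events by host and report every host matching the full chain."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    flagged = {}
    for host, evs in by_host.items():
        match = match_chain(evs, **kw)
        if match:
            flagged[host] = match
    return flagged


# Constructed sample telemetry: srv-a shows the full enlistment chain,
# srv-b only a password-guessing burst, srv-c a routine admin account creation.
SAMPLE_EVENTS: List[Event] = (
    [Event(1000 + i, "srv-a", 4625, "TargetUser=Administrator") for i in range(25)]
    + [Event(1100, "srv-a", 4950, "Profile=Public Setting=Operational"),
       Event(1105, "srv-a", 7040, "Service=TlntSvr NewStart=auto"),
       Event(1200, "srv-a", 4624, "TargetUser=Administrator LogonType=10"),
       Event(1300, "srv-a", 4720, "NewUser=vpnsvc"),
       Event(1400, "srv-a", 7045, "Service=RemoteAccess")]
    + [Event(5000 + i, "srv-b", 4625, "TargetUser=Administrator") for i in range(30)]
    + [Event(9000, "srv-c", 4720, "NewUser=backupops"),
       Event(9010, "srv-c", 7045, "Service=BackupAgent")]
)

if __name__ == "__main__":
    for host, stages in detect_enlistment(SAMPLE_EVENTS).items():
        print(host, stages)
```

Only srv-a is reported: srv-b never progresses past the password-guessing burst, and srv-c's account and service creation, which on its own would be indistinguishable from routine administration, is not preceded by a burst of failed administrator logons. Thresholds and windows are deliberately parameters, since the right values depend on how noisy a given environment's RDP and WMI exposure already is.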

In addition to Gh0st RAT, experts have spotted other pieces of malware on compromised servers, including the Mitozhan Trojan and the Liudoor Backdoor.

While Terracotta nodes have been identified all over the world, the majority are located in China (1,095), the United States (572), and South Korea (204).


By hacking into legitimate servers and using them as nodes, the operators of the VPN service avoid much of the bandwidth cost they would otherwise have to pay, experts noted.

Many Terracotta customers are likely regular users who are not aware that the service is partly powered by hacked servers. However, researchers determined that the VPN service has also been used by APT actors, including the Chinese group known as Shell Crew (Deep Panda).

In one of the attacks observed by the security firm, the attackers leveraged the VPN service in a phishing operation aimed at a defense contractor.

“RSA Research can confirm that suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes for exploitation of sensitive targets among Western government and commercial organizations. Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage-related network traffic can blend in with ‘otherwise-legitimate’ VPN traffic,” RSA said in its report on Terracotta.

The company pointed out that while the service has been used by APT actors, there is no evidence to suggest that Terracotta itself is tied to such groups.

RSA’s report, “Terracotta VPN: Enabler of Advanced Threat Anonymity,” contains recommendations and indicators of compromise (IoC) to help organizations detect the threat.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
