Terracotta VPN Helps APT Groups Launch Attacks Around the World
Terracotta is a VPN network of over 1500 VPN nodes around the world. The China-based VPN service provider obtained its VPN nodes illegally: the company hacked into unsuspecting organizations that had inadequately protected their Windows servers. Each day new VPN nodes are added to the Terracotta network as the company enlists new victims. Furthermore, the VPN nodes aren't made public, so only people who subscribe to Terracotta have access to them.
Just recently RSA, The Security Division of EMC, discovered that the Chinese-language Virtual Private Network (VPN) service was publicly offering APT groups a large network of compromised servers. The hacking groups gain access to legitimate IP addresses, which they use for stealthy cyber attacks.
RSA Released A Report Tuesday On The Terracotta VPN Services
In the report RSA said that Terracotta uses Windows servers that belong to small businesses or organizations, which normally have a limited IT staff. These servers were compromised and commandeered by Terracotta for its network.
RSA also discovered that Terracotta owns a few servers of its own, but most of the servers in its infrastructure belong to unsuspecting companies. The security company found Terracotta servers in the United States, Eastern Europe, China, South Korea, and Japan. Some of the Terracotta victims include a high-tech manufacturer, law firms, a Fortune 500 hotel chain, doctors' offices, schools and universities.
According to Peter Beardmore, senior consultant for threat intelligence at RSA, there are three distinct classes of victims:
- The consumer who purchases Terracotta VPN services thinking it is a legitimate company.
- The 300 companies that have had their Windows servers compromised by Terracotta.
- The organization that APT groups target using the compromised servers.
Furthermore, Beardmore said that Terracotta uses a simple but effective method for obtaining its servers. The group works sequentially through IP addresses until it finds a Windows server, then uses a brute-force attack to obtain the administrator's password. Once inside, it can easily disable the Windows firewall and inject a remote-access Trojan. The final step is to create a new account on the server and install a Windows VPN service.
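A defender-side way to spot the takeover sequence Beardmore describes, as an added example that is not from the RSA report or this article: a small Python detector that correlates, per host, a burst of failed logons from one source, a successful logon from that same source, and a subsequent account creation or service install. The event IDs are the standard Windows Security/System log IDs; the sample records, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Event IDs follow the
# Windows Security/System logs: 4625 failed logon, 4624 successful logon,
# 4720 user account created, 7045 new service installed.
def _ev(ts, host, eid, src="", user=""):
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": eid,
            "src": src, "user": user}
SAMPLE_EVENTS = (
    # srv1: six failed admin logons from one source inside a minute...
    [_ev(f"2015-07-01T02:00:{s:02d}", "srv1", 4625, "203.0.113.9", "administrator")
     for s in range(0, 60, 10)]
    # ...then a success, a new local account and a new service (the chain)
    + [_ev("2015-07-01T02:01:05", "srv1", 4624, "203.0.113.9", "administrator"),
       _ev("2015-07-01T02:06:00", "srv1", 4720, "", "vpnsvc"),
       _ev("2015-07-01T02:07:30", "srv1", 7045, "", "RemoteAccessHelper")]
    # srv2: one mistyped password then success, plus an unrelated install
    + [_ev("2015-07-01T03:00:00", "srv2", 4625, "198.51.100.4", "jsmith"),
       _ev("2015-07-01T03:00:20", "srv2", 4624, "198.51.100.4", "jsmith"),
       _ev("2015-07-01T03:30:00", "srv2", 7045, "", "BackupAgent")]
)

def detect_takeover_chain(events, min_failures=5,
                          window=timedelta(minutes=10),
                          followup=timedelta(hours=1)):
    """Return {host: indicators} for hosts where a burst of failed logons from
    one source precedes a success from it, then a new account/service."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["id"] != 4624:
                continue
            # failed logons from the same source shortly before this success
            fails = [f for f in evs[:i] if f["id"] == 4625
                     and f["src"] == e["src"] and e["ts"] - f["ts"] <= window]
            if len(fails) < min_failures:
                continue
            ind = [f"brute-force success for {e['user']} from {e['src']}"]
            later = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= followup]
            if any(x["id"] == 4720 for x in later):
                ind.append("new local account created")
            if any(x["id"] == 7045 for x in later):
                ind.append("new service installed")
            findings[host] = ind
    return findings
```

Only srv1 is flagged: srv2's single failed logon never reaches the threshold, so its later service install is not treated as part of a takeover chain.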
What is unique about the Terracotta attacks is that no one suspects a school of launching an advanced persistent attack on their company. Furthermore, the advanced attacks are launched from legitimate IP addresses belonging to companies and organizations with a good reputation, which makes it harder for businesses to identify their attackers.
RSA has started publishing the malicious IP addresses and notifying the U.S.-based victims. Many of the compromised servers have been cleaned up, but there is a lesson to learn from this: no matter how small your company is, and even if you don't consider your server important, it needs to be protected. Any unprotected Windows server can easily become a victim of Terracotta. Furthermore, any unprotected server can be used for denial-of-service attacks or as part of a spam botnet.