Terracotta VPN Helps APT Groups Launch Attacks Around the World

Terracotta VPN

Terracotta is a VPN network of over 1500 VPN nodes around the world. The Chinese-based VPN service provider has obtained its VPN nodes illegally. The company has hacked into unsuspecting companies that have inadequately protected their Windows servers. Each day new VPN nodes are added to the Terracotta network as the Chinese company enlists new victims. Furthermore, the VPN nodes aren't made public, so only people who subscribe to Terracotta have access to them.

Just recently RSA, The Security Division of EMC, discovered that the Chinese-language Virtual Private Network (VPN) was publicly offering APT groups a large network of compromised servers. The hacking groups have access to legitimate IP addresses that they use for stealthy cyber attacks.

RSA Released A Report Tuesday On The Terracotta VPN Services

In the report, RSA said that Terracotta uses Windows servers that belong to small businesses or organizations. Normally these businesses have a limited IT staff. The network servers were compromised and commandeered by Terracotta for its network.

RSA also discovered that Terracotta owns a few servers of its own, but most of the servers in its infrastructure belong to unsuspecting companies. The security company found Terracotta had servers in the United States, Eastern Europe, China, South Korea, and Japan. Some of the Terracotta victims include a hi-tech manufacturer, law firms, a Fortune 500 hotel chain, doctors' offices, schools and universities.

According to Peter Beardmore, senior consultant for threat intelligence at RSA, there are three distinct classes of victims:

  1. The consumer who purchases Terracotta VPN services thinking it is a legitimate company.
  2. The 300 companies that have had their Windows servers compromised by Terracotta.
  3. The organization that APT groups target using the compromised servers.

Furthermore, Beardmore said that Terracotta uses a simple but effective method for obtaining its servers. The group works sequentially through IP addresses until it finds a Windows server. Afterwards it uses a brute-force attack to obtain the administrator's password. Once inside, it can easily disable the Windows firewall and inject a remote Trojan. The final step is to create a new account on the server and install a Windows VPN service.
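The enlistment sequence described above leaves a recognizable trail in Windows event logs. The following added example (not from RSA's report or this article) correlates that trail over constructed sample events; the event-ID mapping (4625/4624 logons, 4950 firewall setting change, 4720 account creation, 7045 service install), the thresholds, and the host names and addresses are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Post-logon changes that match the steps in the article (mapping is an assumption).
FOLLOW_UP = {4950: "firewall setting changed", 4720: "account created",
             7045: "service installed"}

def find_chains(events, min_failures=5, window=timedelta(hours=1)):
    """Flag hosts where a burst of failed logons (4625) from one source IP is
    followed by a successful logon (4624) and then by follow-up changes."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        failures = {}   # source IP -> timestamps of failed logons
        breach = None   # (time, ip) of the first suspicious successful logon
        stages = []
        for ev in evs:
            if ev["id"] == 4625:
                failures.setdefault(ev["ip"], []).append(ev["time"])
            elif ev["id"] == 4624 and breach is None:
                recent = [t for t in failures.get(ev["ip"], [])
                          if ev["time"] - t <= window]
                if len(recent) >= min_failures:
                    breach = (ev["time"], ev["ip"])
            elif ev["id"] in FOLLOW_UP and breach and ev["time"] - breach[0] <= window:
                stages.append(FOLLOW_UP[ev["id"]])
        if breach and stages:
            findings.append({"host": host, "source_ip": breach[1], "stages": stages})
    return findings

def _ev(minute, host, event_id, ip=None):
    # Helper for building constructed sample records.
    t = datetime(2024, 1, 1, 3, 0) + timedelta(minutes=minute)
    return {"time": t, "host": host, "id": event_id, "ip": ip}

# Constructed sample data. SRV-A shows the full chain; SRV-B is an admin who
# mistyped a password twice and later installed a service (should not fire).
SAMPLE = (
    [_ev(m, "SRV-A", 4625, "203.0.113.7") for m in range(6)]
    + [_ev(6, "SRV-A", 4624, "203.0.113.7"), _ev(8, "SRV-A", 4950),
       _ev(9, "SRV-A", 4720), _ev(12, "SRV-A", 7045),
       _ev(0, "SRV-B", 4625, "198.51.100.20"), _ev(1, "SRV-B", 4625, "198.51.100.20"),
       _ev(2, "SRV-B", 4624, "198.51.100.20"), _ev(30, "SRV-B", 7045)]
)

if __name__ == "__main__":
    for finding in find_chains(SAMPLE):
        print(finding)
```

Requiring the failed-logon burst, the success, and at least one follow-up change on the same host keeps routine password typos and ordinary service installs from raising alerts.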

What is unique about the Terracotta attacks is that no one suspects a school would be responsible for launching an advanced persistent attack on their company. Furthermore, the advanced attacks on companies are launched from legitimate IP addresses belonging to companies and organizations with a good reputation. This makes it harder for businesses to identify their attackers.

RSA has started publishing the malicious IP addresses and notifying the U.S.-based victims. Many of the compromised servers have been cleaned up, but there's a lesson to learn from this. No matter how small your company is, and even if you don't consider your server important, it needs to be protected. Any unprotected Windows server can easily become a victim for Terracotta. Furthermore, all unprotected servers can be used for denial of service attacks or botnets for spam.
