Chinese VPN Used for APT: Report

Thursday, August 6, 2015 @ 12:08 PM gHale

A Chinese virtual private network (VPN) service works as a type of shield by advanced persistent threat (APT) groups to hide their activities, researchers said.

The commercial VPN service, called “Terracotta,” goes under different brands in China, said researchers at RSA.

Hacker Tool Hides in Plain Sight
Row Hammer Exploitable via JavaScript
Security Appliance Holes Fixed
Red Hat Patches Vulnerabilities

The network ends up used for anonymity, peer-to-peer (P2P) file sharing and gaming acceleration, and to bypass China’s Great Firewall’s censorship system.

One of the things that caught the attention of researchers is Terracotta is a malware-supported VPN network. Many of the service’s more than 1,500 VPN nodes are on compromised servers belonging to various organizations from all over the world.

At least 31 of the host systems appear to be Windows servers belonging to a major hotel chain, U.S. government organizations, universities, tech services providers (including government contractors), and various private firms, researchers said.

RSA believes the operators of Terracotta are targeting Windows servers because they include VPN services that can end up easily configured. In all cases, the hijacked servers were Internet-exposed devices not protected by hardware firewalls.

The Terracotta node enlistment process starts with a brute-force attack on the administrator account via the DCOM Windows Management Interface (WMI) on TCP port 135. Then, the attackers disable the firewall and enable the Telnet service. Once this occurs, they log in to the compromised system via the Remote Desktop Protocol (RDP), disable antiviruses, and install a custom variant of the Gh0st Remote Administration Tool (RAT). Finally, the VPN service operators create a new Windows account and they install Windows VPN services on the hijacked server.

In addition to Gh0st RAT, researchers found other pieces of malware on compromised servers, including the Mitozhan Trojan and the Liudoor Backdoor.

While Terracotta nodes are all over the world, the majority are in China (1,095), the United States (572), and South Korea (204).

By hacking into legitimate servers and using them as nodes, the operators of the VPN service can save money they might normally have to pay for bandwidth, researchers said.

Researchers found the VPN service also used by APT actors, including the Chinese group known as Shell Crew (Deep Panda).

In one of the attacks observed by the security firm, the attackers leveraged the VPN service in a phishing operation aimed at a defense contractor.

RSA’s report, “Terracotta VPN: Enabler of Advanced Threat Anonymity,” contains recommendations and indicators of compromise (IoC).