Chinese VPN Becomes International Botnet
Researchers have revealed that a commercial VPN provider based in China has been hacking legitimate Windows-based servers from around the world before proceeding to add them to its own network of over 1,500 servers.
Malicious hacker groups are employing cunning new ways to launch cyber-attacks. Unveiling their findings at the Black Hat Conference in Las Vegas, security professionals at RSA Research have made a startling discovery: a commercial virtual private network (VPN) service in China dubbed ‘Terracotta’ has over 1,500 VPN nodes, most of which were obtained by hackers hijacking vulnerable Windows servers owned by legitimate organizations.
Terracotta stands out among other VPN providers because it originates primarily in China. Researchers at RSA say they have identified a cluster of Chinese VPN servers marketed to local gamers and to users looking to circumvent the Chinese Firewall, but which also serve as an active launch-pad for cyber-attacks on foreign organizations and governments.
The team of researchers has found multiple advanced persistent threat (APT) groups using the same VPN, Terracotta.
“What makes Terracotta notable from other similar VPN networks is that it originates in China, and (in addition to carrying legitimate and potentially illegitimate traffic) it is being used to anonymize and obfuscate APT activity from Threat Actor groups (including Shell_Crew / Deep Panda),” RSA notes.
Here’s how the hijack unfolds:
- An attacker finds a vulnerable Windows server as a target.
- A brute-force attack is typically used to crack the administrator password of the server.
- The attacker then disables the server’s firewall along with its antimalware controls and features.
- A Trojan is installed, giving the attacker remote access to the server.
- A new account is set up and the Windows VPN service is installed within the server, making the hacked server a part of the wider Terracotta VPN network.
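The sequence above is what a defender would want to spot in host telemetry. As an added example (not code from the article or from RSA’s report), the Python below walks normalised Windows event records and flags a host only when a brute-forced logon is followed by the later stages of the chain; the host names, source address, field layout and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the RSA report). Each line is a
# normalised Windows event: "<timestamp> <host> <event_id> key=value ...".
# Event IDs are the standard ones: 4625 failed logon, 4624 successful logon,
# 4950 firewall setting changed, 5001 Defender real-time protection disabled,
# 4720 user account created, 7040 service start type changed.
SAMPLE_LOGS = [
    f"2015-08-01T02:00:{i:02d} srv1 4625 user=Administrator src=203.0.113.7"
    for i in range(0, 12)
] + [
    "2015-08-01T02:00:12 srv1 4624 user=Administrator src=203.0.113.7",
    "2015-08-01T02:01:00 srv1 4950 profile=Domain setting=Enabled value=No",
    "2015-08-01T02:01:10 srv1 5001 product=Defender",
    "2015-08-01T02:02:00 srv1 4720 user=vpnsvc",
    "2015-08-01T02:02:30 srv1 7040 service=RemoteAccess new=auto",
    # A second host with only routine activity: must not be flagged.
    "2015-08-01T02:05:00 srv2 4624 user=alice src=10.0.0.5",
    "2015-08-01T02:06:00 srv2 4720 user=bob",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+)(.*)$")

def parse(line):
    """Split one normalised event line into (timestamp, host, event_id, fields)."""
    ts, host, eid, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, host, int(eid), fields

def analyze(lines, fail_threshold=10):
    """Return {host: [stages hit, in order]} for hosts matching the chain."""
    failures = defaultdict(int)   # (host, src) -> failed logon count
    stages = defaultdict(list)    # host -> ordered stage names
    for line in sorted(lines):    # timestamp-first layout sorts chronologically
        ts, host, eid, f = parse(line)
        hit = stages[host]
        if eid == 4625:
            failures[(host, f.get("src"))] += 1
        elif eid == 4624 and failures[(host, f.get("src"))] >= fail_threshold:
            hit.append("brute_force_logon")
        # Later stages only count once a brute-forced logon was seen on the host.
        elif "brute_force_logon" in hit:
            if eid == 4950 and f.get("value") == "No":
                hit.append("firewall_disabled")
            elif eid == 5001:
                hit.append("antimalware_disabled")
            elif eid == 4720:
                hit.append("new_account")
            elif eid == 7040 and f.get("service") == "RemoteAccess":
                hit.append("vpn_service_enabled")
    return {h: s for h, s in stages.items() if len(s) >= 3}
```

Requiring three or more ordered stages keeps a lone new-account event or a single firewall change from raising an alert on its own.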
“Often cyber security practitioners in large organizations (likely APT targets) will restrict or block known IP addresses of commercial VPN networks. The APT actors utilizing the Terracotta network have effectively overcome this line of defense because Terracotta’s practices are fundamentally different from legitimate commercial VPN networks,” RSA adds.
“To a potential APT victim, traffic emanating from the Terracotta node could appear as legitimate traffic from a legitimate domestic organization, when in fact that organization is a Terracotta victim with an infected server.”
The research points to a case of ‘Compromised Dedicated Servers’ that is further detailed in the report. Compromised nodes are currently located in countries including South Korea, Russia, Canada, Hong Kong and the United States. Hijacked servers have been discovered at a wide range of organizations, including law firms, tech companies, schools and universities, a county government of a U.S. state, a Fortune 500 hotel chain and even a doctor’s office.
The full RSA report is available to download here.