A virtual private network (VPN) based in China and designed to help evade that country’s restrictive government firewall is actually supported by a network of malware-infected nodes around the globe.
The network, which RSA Research has dubbed “Terracotta” is connected to a range of commercially available VPN software programs in China and includes more than 1,500 nodes. RSA says the network may also be a tool used by sophisticated hacking crews with links to the Chinese military, including the so-called “Shell_Crew” or “DeepPanda” groups.
RSA researchers said they have observed malicious activity associated with the Terracotta VPN nodes since 2013, though the scheme may date back long before that. Those behind the VPN software appear to have taken advantage of weakly secured and Internet connected hosts at organizations around the world to build a free network to support their remote access software, according to Kent Backman, a threat intelligence analyst at RSA FirstWatch.
The infected nodes were often associated with legitimate organizations in the U.S. and elsewhere. That allowed malicious actors to piggyback on the compromised organization’s good reputation in carrying out attacks targeting other organizations, researchers said.
Among the organizations targeted were a Fortune 500 hotel chain and engineering firm, in addition to other targets: a state department of transportation, a charter school in the southwestern U.S., and so on, Backman said.
Vulnerable Windows servers that were accessible – directly or indirectly – from the Internet were a common theme.
“A common trait shared with all confirmed victims is that they had Internet-exposed Windows servers without hardware firewalls,” RSA wrote.
Brute force attacks on administrator accounts were followed by remote desktop logins and the planting of additional malicious software were common across infected systems. In at least one case, the victim was forced to upgrade their Internet connection because of traffic through the compromised system that was acting as a Terracotta VPN node.
“Generally speaking, these are servers that failed Security 101,” Backman said. “Either they were not behind a firewall, or it was a forgotten test server that was exposed to the Internet,” he said.
The VPN software in question is “white labeled” under many different brands within China. Many are associated with specific web sites and are marketed as a way to allow Chinese citizens to surf the web without the obstacle of the state firewall.
Malicious VPN networks are commonly used among criminal groups in Europe and elsewhere, said Backman. But it is unusual to find an otherwise above board VPN provider relying on malware and malicious hacks to support their product. “I’ve been studying China for 10 years and I’ve never seen something like this.”
RSA will publish indicators of compromise for the Terracotta infection and update the company’s customers. The company is encouraging organizations to check their own network logs and other sources of information for possible signs of infection.