Black Hat 2015

Terracotta VPN hijacks servers for commercial gain

The Terracotta commercial VPN, marketed in China under a number of different brand names, uses hacked servers to power its network


LAS VEGAS - The Terracotta commercial VPN, marketed in China under a number of different brand names, uses hacked servers to power its network and the network has become popular with advanced persistent threat groups, according to research released today by RSA Security.

"We don't usually see commercial networks hacking into servers," said Peter Beardmore, RSA's senior consultant for threat intelligence marketing.

Terracotta also stands out because it keeps adding new IP addresses and does not publish them, he added. This is one of the things that makes it popular with cybercriminals.

"Most commercial VPN services publish their IP addresses," Beardmore said. "And enterprises and governments can restrict access from those IP addresses."

As of publication, RSA has not released the brand names under which Terracotta is marketed in China because the investigation is still ongoing.

Terracotta is not one of the major players in the VPN space, he said, but it does have a reasonable amount of consumer traffic for a commercial service.

The way it works is that VPN customers get an active list of entry point addresses that get them into the network. But the exit nodes change quickly and belong to otherwise legitimate organizations.

This is probably not particularly useful to legitimate consumer users of the VPN, though Beardmore said that it could, conceivably, help avoid Chinese government censorship.

"But it's purely speculation on our part," he said. "The main benefit is operational."

It can get quite pricey to rent servers legitimately and pay for bandwidth, he said.

"It would appear that by just hacking these devices and stealing the bandwidth and computing power, there's considerable cost savings involved," he said.

Beardmore said that even the most minimal security precautions would help protect servers from being hijacked by Terracotta.

"These nodes have a few things in common," he said. "None of them appear to be protected by an actual hardware firewall. And none of them actually had the internal Windows firewall capability enabled on the server itself."
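The two gaps Beardmore describes, no hardware firewall in front of the server and the built-in Windows firewall switched off on the server itself, are the kind of thing a quick host audit catches. The script below is an added example, not part of the article or of RSA's research: it reports the state of each Windows Firewall profile and, with the hypothetical `-Remediate` switch, turns on any disabled or permissive profile with a default-deny inbound policy. It assumes an elevated PowerShell session on a server with the NetSecurity module (Windows Server 2012 R2 or later).

```powershell
# Added audit script (not from the article): report Windows Firewall profile
# state and optionally enforce "enabled + default inbound Block" on each profile.
# Assumes an elevated shell and the NetSecurity module (Get-/Set-NetFirewallProfile).
param([switch]$Remediate)

# Snapshot the Domain, Private and Public profiles.
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$profiles | Format-Table -AutoSize

# Profiles that are off entirely (the condition RSA saw on the hijacked nodes).
$disabled = @($profiles | Where-Object { -not $_.Enabled })
# Profiles that are on but do not deny unsolicited inbound traffic by default.
$permissive = @($profiles | Where-Object {
    $_.Enabled -and ($_.DefaultInboundAction -ne 'Block')
})

if ($disabled.Count -gt 0) {
    Write-Warning ("Windows Firewall is DISABLED for profile(s): " + ($disabled.Name -join ', '))
}
if ($permissive.Count -gt 0) {
    Write-Warning ("Default inbound action is not Block for: " + ($permissive.Name -join ', '))
}
if ($disabled.Count -eq 0 -and $permissive.Count -eq 0) {
    Write-Host "All firewall profiles are enabled with a default-deny inbound policy."
}

# Optional fix: enable each flagged profile and block inbound by default.
# Existing allow rules for services the server must expose keep working.
if ($Remediate) {
    foreach ($p in ($disabled + $permissive)) {
        Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        Write-Host "Enabled profile '$($p.Name)' with default inbound action Block."
    }
}
```

Run it without `-Remediate` first to see what would change; a server that exposes services through explicit allow rules is unaffected by the default-inbound change.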

He said that RSA has been contacting the victims involved, who are located around the world. Many are cooperating with the investigation, he added.

Aside from the legitimate customers who use Terracotta without knowing about how it operates, the network is also popular with known groups of advanced persistent threat actors who target government agencies, defense contractors and large enterprises.

These groups might just be taking opportunistic advantage of the Terracotta network, he added.

"They might know each other and know what's going on, but we don't believe that they're connected," he said.

He also pointed out that hacking servers and stealing bandwidth is not typical behavior for a commercial Chinese VPN.

"It's not the type of activity we witnessed from China previously," he said, "though we have seen this kind of criminal VPN activity from Eastern Europe and other parts of the globe."

Copyright © 2015 IDG Communications, Inc.
