Chinese VPN Provider Using Malware to Expand Network
A purveyor of virtual private networks sold under multiple brand names uses malicious code to infect servers and turn them into nodes in its infrastructure, according to RSA.A Chinese virtual private network (VPN) service, dubbed "Terracotta" by security researchers, has compromised hundreds of Windows servers to use as part of its anonymizing infrastructure, providing both legitimate users and attackers with an encrypted network capable of bypassing China's Great Firewall, according to an analysis published by security company RSA on Aug. 4. The VPN service operates under different brand names within China and at least 500 of its more than 1,500 VPN servers are legitimately leased for its operations. However, more than 300 organizations have been compromised and their servers turned into part of the Terracotta infrastructure with little effort, said Kent Backman, threat intelligence analyst for RSA's FirstWatch incident response team. Organizations that have been compromised by the group include a Fortune 500 hotel chain, an engineering firm, the University of Japan, the University of Taiwan, a law firm, physician's office and a charter school, according to RSA. In every case, the organizations had an Internet-accessible Windows server that did not have a firewall turned on, had not renamed the administrator account and had a simple password, Backman said. "Most of the victims follow the same pattern," he said. "They were just not sophisticated in terms of security 101."
Many of the exit nodes for the Terracotta VPN looked different to RSA analysts: They did not have traffic patterns typical of VPN nodes and came from inside universities and businesses.