Chinese VPN Provider Using Malware to Expand Network

A purveyor of virtual private networks sold under multiple brand names uses malicious code to infect servers and turn them into nodes in its infrastructure, according to RSA.

VPN security

A Chinese virtual private network (VPN) service, dubbed "Terracotta" by security researchers, has compromised hundreds of Windows servers to use as part of its anonymizing infrastructure, providing both legitimate users and attackers with an encrypted network capable of bypassing China's Great Firewall, according to an analysis published by security company RSA on Aug. 4.

The VPN service operates under different brand names within China and at least 500 of its more than 1,500 VPN servers are legitimately leased for its operations. However, more than 300 organizations have been compromised and their servers turned into part of the Terracotta infrastructure with little effort, said Kent Backman, threat intelligence analyst for RSA's FirstWatch incident response team.

Organizations that have been compromised by the group include a Fortune 500 hotel chain, an engineering firm, the University of Japan, the University of Taiwan, a law firm, physician's office and a charter school, according to RSA. In every case, the organizations had an Internet-accessible Windows server that did not have a firewall turned on, had not renamed the administrator account and had a simple password, Backman said.

"Most of the victims follow the same pattern," he said. "They were just not sophisticated in terms of security 101."

Many of the exit nodes for the Terracotta VPN looked different to RSA analysts: They did not have traffic patterns typical of VPN nodes and came from inside universities and businesses.

A virtual private network consists of client software that authenticates itself to the service and VPN nodes to route traffic. VPN services encrypt traffic from the client, passing it through one or more of the node servers, and finally sending the data to its destination through an exit node. To the targeted network, the data appears to come from the exit node. The peer-to-peer TOR network is perhaps the most famous virtual-private and anonymizing network.

Legitimate users can bypass China's national Internet filtering, the so-called Great Firewall, to visit otherwise blocked sites. In addition, the network is able to compress traffic, which speeds up connections, an advantage for gaming, Backman said.

"It seems likely that the users are regular netizens," he said. "The Great Firewall makes a market for Great Firewall bypassing technology, so the demand in China for anonymity software blows away everyone else."

The VPN is also used by groups of sophisticated attackers targeting companies in Western nations—often referred to as advanced persistent threats (APTs). The VPN allows such traffic to appear to come from a domestic organization, when in reality the company or university is inadvertently hosting a Terracotta node on a compromised server.

"To a potential APT victim, traffic emanating from the Terracotta node could appear as legitimate traffic from a legitimate domestic organization, when in fact that organization is a Terracotta victim with an infected server," RSA analysts stated in the blog post.

RSA has observed the Terracotta VPN being used in phishing attacks and by an APT group known as Shell_Crew, which is also known as Deep Panda.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...