A People’s Republic of China (PRC)-based VPN operation has been uncovered that maliciously, efficiently and rapidly enlists vulnerable servers around the world.
RSA Research published the report on the network, known as “Terracotta.” While likely unaffiliated, it’s being used as a launch platform for APT actors, including the well-known Shell_Crew/DeepPanda group. It obscures the origins of the threat actors’ malicious activities and is commercially marketed in China under several different brand names.
RSA explained that Terracotta’s worldwide network of 1,500+ VPN nodes are primarily obtained by hacking into inadequately protected Windows servers in legitimate organizations, without the victims’ knowledge or permission. Notably, it is the first time RSA Research has seen Shell_Crew/DeepPanda and other similar APT actors using vulnerable networks for anonymization and obfuscation—including some nation-state sponsored campaign activity.
“Often cybersecurity practitioners in large organizations (likely APT targets) will restrict or block known IP addresses of commercial VPN networks,” RSA said in a blog. “The APT actors utilizing the Terracotta network have effectively overcome this line of defense, because Terracotta’s practices are fundamentally different from legitimate commercial VPN networks.”
Specifically, Terracotta is a commercial VPN service, marketed in China under several different brands. Its primary commercial use-cases include Great-Firewall traversal and user anonymization—which can be used for legitimate reasons by political dissidents and the like. But illegal activity likely represents a strong revenue stream for the company.
“Similar services are widely marketed online in China at low monthly rates (Terracotta rates are approximately $3 month),” RSA said. “Terracotta’s suspected illegal enlistment of its VPN nodes appears to be merely a cost-savings method. However, these methods potentially result in tangential benefits to APT actors.”
To a potential APT victim, traffic emanating from the Terracotta node could appear as legitimate traffic from a legitimate domestic organization, when in fact that organization is a Terracotta victim with an infected server.
“There appears to be legitimate users and legitimate traffic traversing the network,” explained RSA. “The co-mingling with legitimate traffic may also serve to help further obfuscate APT traffic.”