RSA today released a research report detailing its findings on what it is dubbing Terracotta. It is a series of VPN networks that carry significant legitimate VPN traffic, allowing users inside China to subvert the Great Firewall. However, it appears that various APT groups are also using the service. Apparently calls to 1.8800free.info and 2.8800free.info are an indicator that a site has been compromised. However, at this date it is difficult to find IP information for the domain or the hosts on it.
The VPN service has been found to carry the APT activity of Shell_Crew, DeepPanda and other APT actors, obscuring the origin of the actors' activity. It is also commercially marketed under several brand names in the People's Republic of China (PRC). After sharing indicators with partners, RSA was able to identify targets within several Western governments and commercial entities. Troublingly, blocking, restricting or detecting by IP address is difficult because new nodes hosted in legitimate locations are continuously being added to the Terracotta network.
While some of the servers acting as Terracotta nodes are likely legitimate and paid for, the research found that a number are operating on clearly compromised devices. The legitimate nodes were identified by the large number of IP addresses in a network range and by the fact that the service typically reached out to only one of those hosts, no matter how many IPs were available there.
RSA deemed another set likely compromised because research into the organization and the other services on the host showed no other indication that they would be VPN hosts. The compromised hosts were typically Windows servers with the Simplified Chinese locale or Chinese language pack installed, which would be indicators of use by mainland PRC or Singapore residents.
Additionally, RSA confirmed with numerous victims that the systems were compromised. Again, all were Windows servers, and the victims ranged from hotel chains, government organizations and suppliers to charter schools. All had Windows servers exposed to the Internet without hardware firewalls. Only servers with the Windows Firewall turned off were enlisted in the Terracotta network; turning off the Windows Firewall was done after compromise.
Typically, the Administrator account on each host had been brute forced via calls on port 135. The hosts were then logged into several hours later from a common host, the Telnet service was installed, and a remote login via RDP followed shortly after. Then Windows Defender was uninstalled and a RAT (Remote Administration Tool) was installed. Following this, new administrators were added to the host. A number of days later, the services that allow the host to be used as a Terracotta node were added and testing of the node began.
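The compromise chain described above lends itself to a simple log correlation for defenders. The following is an added example, not code from RSA's report or from this post. It runs over constructed sample records modelled on standard Windows Security and System event IDs (4625 failed logon, 4624 logon with type 10 for RDP, 7045 new service, 4732 member added to a local group, 4950 firewall setting changed; these IDs and the simplified field names are assumptions), and the host names, addresses, service names and timestamps are invented. A host is flagged when several stages of the chain appear in the order the write-up describes.

```python
"""Correlate Windows event records against the Terracotta enlistment chain
described above: Administrator brute force, Telnet service install, RDP logon,
new local administrator, Windows Firewall turned off."""
from collections import defaultdict
from datetime import datetime

# Stages of the chain in the order the write-up describes them.  Defender
# removal and the RAT install are not modelled: the text gives no log marker
# for them.
CHAIN = ["brute_force", "telnet_installed", "rdp_logon", "new_admin", "firewall_disabled"]

# Constructed sample records, not real telemetry.  Field names are simplified.
# The event IDs are the standard Windows Security/System IDs assumed here:
# 4625 failed logon, 4624 successful logon (logon_type 10 = RDP),
# 7045 new service installed, 4732 member added to a local group,
# 4950 Windows Firewall setting changed.
SAMPLE_EVENTS = [
    # burst of failed Administrator logons from one source on web01
    *[{"ts": f"2015-07-01T02:00:{i:02d}", "host": "web01", "id": 4625,
       "src": "203.0.113.9", "user": "Administrator"} for i in range(6)],
    # hours later: logon from a different host, Telnet installed, then RDP
    {"ts": "2015-07-01T06:10:00", "host": "web01", "id": 4624,
     "src": "198.51.100.7", "user": "Administrator", "logon_type": 3},
    {"ts": "2015-07-01T06:12:00", "host": "web01", "id": 7045, "service": "TlntSvr"},
    {"ts": "2015-07-01T06:20:00", "host": "web01", "id": 4624,
     "src": "198.51.100.7", "user": "Administrator", "logon_type": 10},
    # an unrelated service install (invented name); not a Telnet marker, so ignored
    {"ts": "2015-07-01T06:40:00", "host": "web01", "id": 7045, "service": "ExampleSvc"},
    {"ts": "2015-07-01T06:45:00", "host": "web01", "id": 4732,
     "group": "Administrators", "member": "support1"},
    {"ts": "2015-07-01T07:00:00", "host": "web01", "id": 4950,
     "profile": "Public", "setting": "Enable Windows Firewall", "value": "No"},
    # web02 only sees two failures: below the brute-force threshold
    {"ts": "2015-07-01T03:00:00", "host": "web02", "id": 4625,
     "src": "203.0.113.9", "user": "Administrator"},
    {"ts": "2015-07-01T03:00:30", "host": "web02", "id": 4625,
     "src": "203.0.113.9", "user": "Administrator"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_telnet_service(name):
    # TlntSvr is the service name of the Windows Telnet server
    n = name.lower()
    return n == "tlntsvr" or "telnet" in n


def correlate(events, fail_threshold=5):
    """Return {host: [stage, ...]} listing the chain stages observed on each
    host, ordered by the time each stage was first seen."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)

    report = {}
    for host, evs in by_host.items():
        seen = {}                      # stage -> time of first observation
        failures = defaultdict(int)    # (source, user) -> 4625 count
        for e in evs:
            eid, when = e["id"], _ts(e)
            if eid == 4625:
                key = (e["src"], e["user"])
                failures[key] += 1
                if failures[key] >= fail_threshold:
                    seen.setdefault("brute_force", when)
            elif eid == 7045 and _is_telnet_service(e.get("service", "")):
                seen.setdefault("telnet_installed", when)
            elif eid == 4624 and e.get("logon_type") == 10:
                seen.setdefault("rdp_logon", when)
            elif eid == 4732 and e.get("group", "").lower() == "administrators":
                seen.setdefault("new_admin", when)
            elif (eid == 4950 and e.get("setting") == "Enable Windows Firewall"
                  and e.get("value") == "No"):
                seen.setdefault("firewall_disabled", when)
        if seen:
            report[host] = sorted(seen, key=seen.get)
    return report


def in_chain_order(stages):
    """True when the observed stages appear in the same order as CHAIN."""
    positions = [CHAIN.index(s) for s in stages]
    return positions == sorted(positions)


def flag_hosts(report, min_stages=3):
    """Hosts showing at least min_stages of the chain, in the expected order."""
    return sorted(h for h, stages in report.items()
                  if len(stages) >= min_stages and in_chain_order(stages))


if __name__ == "__main__":
    rep = correlate(SAMPLE_EVENTS)
    for host, stages in rep.items():
        print(host, "->", ", ".join(stages))
    print("flagged:", flag_hosts(rep))
```

On real telemetry the records would come from parsed Security and System logs rather than the inline list, but the stage logic is the same: the value of the correlation is the ordering, since a handful of failed logons or a single RDP session is routine on its own, whereas failures followed hours later by a Telnet service install, a new local administrator and the firewall being switched off matches the enlistment pattern the report describes. The threshold and the minimum number of stages are tunable for noisier environments.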
Legitimate vs Illegitimate
RSA reviewed several legitimate PRC-based VPN providers. All provided lists of their exit nodes. Given these lists, others may block or tag the traffic coming out of them as VPN or firewall-traversal traffic. By enlisting legitimate businesses, Terracotta provides a valuable service to its customers in that their traffic, regardless of intent, may appear more legitimate because it comes from real business addresses outside the country.
Other Indicators of Compromise
A defense contractor that RSA contacted with information about this vulnerability identified a number of web domains used in a spear-phishing attack against it.