Terracotta: legitimate VPN or APT source

RSA today released a research report detailing their findings on what they are dubbing Terracotta. It is a series of VPN networks that does carry significant legitimate VPN traffic, allowing users inside China to subvert the Great Firewall. However, it appears that various APT groups are also using the service. Apparently, calls to 1.8800free.info and 2.8800free.info are an indicator that a site has been compromised. However, at this date it is difficult to find IP information for the domain or the hosts behind it.

The VPN service has been found to carry the APT activity of Shell_Crew, DeepPanda and other APT actors, obscuring the origins of the actors' activity. It is also commercially marketed under several brand names in the People's Republic of China (PRC). After sharing indicators with partners, RSA was able to identify targets among several Western governments and commercial entities. Troubling is that blocking, restricting or detecting by IP address is difficult because new nodes hosted in legitimate locations are continuously being added to the Terracotta network.

Terracotta Nodes

While some of the servers acting as Terracotta nodes are likely legitimate and paid for, the research found that a number are operating on clearly compromised devices. The legitimate nodes were identified by the large number of IP addresses in their network range and the fact that the service typically reached out to only one of those hosts, no matter how many IPs were available there.

RSA deemed another set likely compromised because research into the organization and the other services on the host showed no indication that they would be VPN hosts. The compromised hosts were typically Windows servers with the Simplified Chinese locale or Chinese language pack installed; these would be indicators of use by mainland PRC or Singapore residents.

Additionally, RSA confirmed with numerous victims that the systems were compromised. Again, all were Windows servers, and the victims ranged from hotel chains, government organizations and suppliers to charter schools. All had Windows servers exposed to the Internet without hardware firewalls. Only servers with the Windows Firewall turned off were enlisted in the Terracotta network, and turning off the Windows Firewall was done after compromise.

Typically, the Administrator account on each host had been brute-forced via calls on port 135. The hosts were then logged into several hours later from a common host, the Telnet service was installed and a remote login via RDP followed shortly after. Windows Defender was then uninstalled and a RAT (Remote Administration Tool) was installed. Following this, new administrator accounts were added to the host. A number of days later, the services allowing it to be used as a Terracotta node were added and testing of the node began.
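As an added example (not RSA's code, and not part of the original post), a small Python detector for the staging sequence just described, run over constructed Windows event records. The event IDs are the standard Windows Security/System ones; the field names, thresholds and sample events are assumptions.

```python
"""Added example, not RSA's code: flag hosts showing the Terracotta staging
chain from the report (Administrator brute force, then Telnet service install,
RDP logon, new local admin, firewall change). Event IDs are standard Windows
ones; field names, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
BRUTE_FORCE_THRESHOLD = 20                  # failed Administrator logons from one source
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
MIN_STAGES = 3                              # brute force plus at least two follow-on stages
# Follow-on stages, counted only after a brute-force stage on the same host.
STAGES = (
    ("telnet_installed", lambda e: e["id"] == 7045 and "telnet" in e.get("service", "").lower()),
    ("rdp_logon", lambda e: e["id"] == 4624 and e.get("logon_type") == 10),      # type 10 = RDP
    ("new_admin", lambda e: e["id"] == 4732 and e.get("group") == "Administrators"),
    ("firewall_changed", lambda e: e["id"] == 4950),
)

def detect_terracotta_staging(events):
    """Return {host: [stage names in observed order]} for hosts matching the chain."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        stages, fails = [], defaultdict(list)   # fails: source -> recent failure times
        for e in evs:
            if e["id"] == 4625 and e.get("account") == "Administrator":
                src = e.get("source")
                fails[src] = [t for t in fails[src] if e["ts"] - t <= BRUTE_FORCE_WINDOW] + [e["ts"]]
                if len(fails[src]) >= BRUTE_FORCE_THRESHOLD and "brute_force" not in stages:
                    stages.append("brute_force")
            elif "brute_force" in stages:
                for name, match in STAGES:
                    if name not in stages and match(e):
                        stages.append(name)
        if len(stages) >= MIN_STAGES:
            findings[host] = stages
    return findings

def sample_events():  # constructed: SRV1 follows the chain, SRV2 has a single failure only
    t0 = datetime(2015, 8, 4, 2, 0, 0)
    evs = [{"host": "SRV1", "id": 4625, "account": "Administrator", "source": "203.0.113.5",
            "ts": t0 + timedelta(seconds=3 * i)} for i in range(25)]
    evs += [{"host": "SRV1", "id": 7045, "service": "Telnet", "ts": t0 + timedelta(hours=5)},
            {"host": "SRV1", "id": 4624, "logon_type": 10, "ts": t0 + timedelta(hours=5, minutes=4)},
            {"host": "SRV1", "id": 4732, "group": "Administrators", "ts": t0 + timedelta(hours=6)},
            {"host": "SRV1", "id": 4950, "ts": t0 + timedelta(hours=7)},
            {"host": "SRV2", "id": 4625, "account": "Administrator", "source": "198.51.100.9", "ts": t0}]
    return evs
```

Requiring several stages on one host, rather than alerting on each event, is what keeps this from firing on routine admin work; the single follow-on events are noisy on their own.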


Legitimate vs Illegitimate

RSA reviewed several legitimate PRC-based VPN providers. All provided lists of their exit nodes, so others may block or tag the traffic coming out of them as VPN or firewall-traversal traffic. By enlisting legitimate businesses, Terracotta provides a valuable service to its customers in that their traffic, regardless of intent, may appear more legitimate since it is coming from real business addresses outside the country.

Other Indicators of Compromise

A defense contractor that RSA contacted with information about this vulnerability identified a number of web domains used in a spear-phishing attack against them.

