44CON London 2015 - Inside Terracotta VPN

1
© Copyright 2015 EMC Corporation. All rights reserved.
Inside Terracotta VPN
Enabler of Advanced Threat Anonymity

2
About speaker
Threat Intelligence Analyst
RSA FirstWatch
Prior: Decade plus all source, intrusion and
CIRT threat analysis

3
FirstWatch Global Footprint

4
About this talk
•  What is Terracotta VPN?
•  Video
•  How Terracotta VPN was discovered
•  Two dozen+
•  Month in the life of a node
•  How Terracotta works
•  Why the name?
•  Questions (anytime) and conclusions

5
•  VPN infrastructure/service marketed to mainland Chinese
consumers
–  Multiple brands
–  Advertised use-cases
•  Game acceleration
•  “Over the [great fire] wall”
•  Appears to be operated from China
–  Source of node enlistment activity
–  User account authentication servers
–  Web site hosting
What is Terracotta VPN?
Saves you a Google search

6
•  Obtained most of their network of nodes throughout the world
by hacking vulnerable servers
•  In addition to legitimate use-cases, Terracotta has been used by
advanced threat actors (including Shell_Crew) for anonymizing
and obscuring their attacks
•  There is no evidence that the Terracotta group is tied to the
espionage-focused actors, but merely provides a service.
continued

7
•  Paper from RSA Research released at Black Hat
–  04 August, 2015
–  https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-
anonymity
•  Release of paper (or reporting on paper) may have stimulated
some Terracotta actor changes
“Enabler of Advanced Threat Anonymity”

8
UNITED STATES
572
204
TAIWAN
THAILAND
HONG KONG
14
Terracotta VPN nodes are concentrated in
China, South Korea and the United States
1,095
C H I N A
SOUTH KOREA
SINGAPORE7
JAPAN7
VIETNAM7
27
NETHERLANDS
4
RUSSIA
4
28
CANADA
3
MALAYSIA
3
POLAND
3
GERMANY 2
INDIA 2
INDONESIA2
LITHUANIA
2
UNITED KINGDOM
2
AUSTRALIA
1
1
FRANCE
HUNGARY
ROMANIA
KENYA
SOUTH AFRICA
1
BANGLADESH
MACAU

9
What is Terracotta?
Demo video: using a Terracotta brand

10

11
•  Identified in ram dump: Shell_Crew/Axiom backdoor on sensitive
target web server
•  Derusbi server loads a custom driver with firewall hooks, allowing it
to listen on any port, and coexist with other network services on
same port (like 80)
How Terracotta was discovered
A situation with Derusbi server backdoor
Derusbi server traffic redirection
image courtesy Novetta Threat
Research Group

12
–  Remediate
or…
–  ”intel-ate”
Cost/benefit decision on target web server
Watched actor(s) control backdoor
from legitimate organizations (not
in China) for several months

13
What did those legit orgs have in common?
Following the breadcrumbs
•  Compromised Windows servers
•  Windows RRAS feature installed, with network policy to
authenticate against RADIUS servers in China
•  VPN accounts included VPN brand names….
•  revealed Terracotta VPN brands…
•  allowing enumeration of nodes…
•  led to more victims…

14
•  Fortune 500 hotel chain
•  A department of transportation in a U.S.
state
•  High tech manufacturer
•  Fortune 500 engineering firm
•  University in Taiwan
•  University in Japan
•  State university in the U.S.
•  County government of a U.S. state
•  Prize indemnity insurance company
•  Microsoft Windows enterprise management
application developer
•  Boutique IT service provider
•  Charter school
•  Educational service provider
•  Law firm
•  U.S. university-affiliated company
•  Web design and SEO consultant
•  Physician’s office (x2)
•  Unified Communications as a Service
(UCaaS) provider
•  Business-to-Consumer (B2C) applications
developer
•  Public convention center in a U.S. city
•  Wireless test and measurement solutions
provider
•  IT Value Added Reseller (VAR) and services
provider
•  IT solutions provider/contractor for federal
and local government organizations
•  Furniture company
•  Computer store
•  Cloud service provider
•  More to come….
Orgs with Terracotta- enlisted servers

15
A month in the life of a Terracotta VPN node
Unique successfully authenticated connections 118,948
Unique client IP addresses 9,053
Client IP Addresses in mainland PRC 8,903 (98%)
Client IP addresses not in mainland PRC 150 (2%)
Unique client account names 723 (most connections used trial accounts)
Unique client host names 3,640

16
•  VPN logs show special Terracotta-universal accounts—Terracotta client unneeded
•  Wang Jia “testwj” account was one, always the first one and used exclusively to
test victim server configuration immediately following successful compromise
•  Some other VIP accounts like “dgweikunping” revealed their original locations by
occasionally connecting with same computer name from home base, but usually
via “VPN chain”
Terracotta VIPs
Hook a bruddah up

17
Terracotta VIPs
VPN Chaining
Actor
VPN node 1
VPN node 2
target
USA

18
Terracotta VIP accounts
Hook a bruddah up
Charliewcs
Shenzen
Dgweikunping
Dongguan
Wang Jia (testwj)
Dongguan
TXshy
Shanghai
qqq.com
Wuhan

19
Terracotta node enlistment process
Victims all had
Internet-exposed
Windows servers
TCP port 135 and/or
3389 open
Terracotta may target
vulnerable Windows
servers because this
platform includes VPN
services that can be
configured in a matter
of minutes
Base host – WEI-270FBC26C38
3. RDP login
4. Install RAT(s) after disabling
antivirus
5. Create new Windows account
6. Install Windows VPN services
1. “Administrator” brute force
password attack
2. Disable Windows firewall
“testwj” account
authentication
Reconnaissance host
US organization
Windows server
[victim]
1.8800free.info
points to
PRC Radius Server(1)
2.8800free.info
points to
Wang Jia (testwj)
Dongguan

20
How Terracotta VPN Works
Internet
Username
••••••
Terracotta User
User browses to
Terracotta VPN
website
User downloads
Client SW,
Establishes
account
User logs into
client Software /
Authenticates
Client Software
updates list of
Nodes
User selects VPN
node, retrieves
encoded
credentials from
cloud, initiates
connection
VPN Node
authenticates
User
Auth.xxxxx.com
Alibaba Cloud
1.8800free.info
points to
2.8800free.info
points to
(IAS)
Terracotta VPN Node
User can connect to
public internet
destination through
Terracotta network
Tunnel is
established,
Auth.xxxxx.com
Alibaba Cloud
3.8800free.info
points to
(04-Aug-15)
two.x33.info
one.x33.info

21
China cracks down on VPN’s in ‘15
But not you, Terracotta…you’re good

22
•  Corporate enterprise VPNs not blocked
•  OpenVPN protocol is blocked
•  Windows built-in VPN protocols not generally blocked
–  PPTP: Point to Point Tunneling Protocol
–  L2TP: Layer 2 Tunneling Protocol
–  SSTP: Secure Socket Tunneling Protocol
Are all VPN’s blocked in China?
All VPN’s are not created equal

23
News flash
By default, all Windows VPN protocols use MS-CHAPv2 for authentication

24
But it gets worse
Potential eavesdroppers don’t need to crack anything for Terracotta
1.8800free.info
2.8800free.info
Terracotta VPN Node
3.8800free.info
U: 20xxx_14369884_37830673_xxxvpn
P: xxxjsqcom
RSA Research has confirmed that
Terracotta nodes send user account
credentials to China in the clear

25
RADIUS creds in the clear
We don’t need no stinking Chaprack to decrypt VPN traffic

26

27
•  Iron pots
–  don’t crack
–  water tight
Why the name “Terracotta VPN”
•  Terracotta pots
–  Easily cracked
–  Porous

28
Questions?
Also, RTFP:
https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity
Send me an email
“Lots of Pots” CC by Jonathan Billinger

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.

44CON London 2015 - Inside Terracotta VPN

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to 44CON London 2015 - Inside Terracotta VPN

Similar to 44CON London 2015 - Inside Terracotta VPN (20)

More from 44CON

More from 44CON (20)

Recently uploaded

Recently uploaded (20)

44CON London 2015 - Inside Terracotta VPN