44CON London 2015 - Inside Terracotta VPN


Upload: 44con

Post on 15-Apr-2017



TRANSCRIPT

Page 1: 44CON London 2015 - Inside Terracotta VPN

1 © Copyright 2015 EMC Corporation. All rights reserved.

Inside Terracotta VPN: Enabler of Advanced Threat Anonymity

Page 2: 44CON London 2015 - Inside Terracotta VPN


About the speaker

Threat Intelligence Analyst, RSA FirstWatch

Prior: decade-plus of all-source, intrusion and CIRT threat analysis

Page 3: 44CON London 2015 - Inside Terracotta VPN


FirstWatch Global Footprint

Page 4: 44CON London 2015 - Inside Terracotta VPN


About this talk

•  What is Terracotta VPN?

•  Video

•  How Terracotta VPN was discovered

•  Two dozen+

•  Month in the life of a node

•  How Terracotta works

•  Why the name?

•  Questions (anytime) and conclusions

Page 5: 44CON London 2015 - Inside Terracotta VPN


What is Terracotta VPN? Saves you a Google search

•  VPN infrastructure/service marketed to mainland Chinese consumers
–  Multiple brands
–  Advertised use-cases: game acceleration; “over the [great fire] wall”

•  Appears to be operated from China
–  Source of node enlistment activity
–  User account authentication servers
–  Web site hosting

Page 6: 44CON London 2015 - Inside Terracotta VPN


What is Terracotta VPN? continued

•  Obtained most of their network of nodes throughout the world by hacking vulnerable servers

•  In addition to legitimate use-cases, Terracotta has been used by advanced threat actors (including Shell_Crew) for anonymizing and obscuring their attacks

•  There is no evidence that the Terracotta group is tied to the espionage-focused actors; it merely provides a service

Page 7: 44CON London 2015 - Inside Terracotta VPN


What is Terracotta VPN? “Enabler of Advanced Threat Anonymity”

•  Paper from RSA Research released at Black Hat
–  04 August, 2015
–  https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity

•  Release of paper (or reporting on paper) may have stimulated some Terracotta actor changes

Page 8: 44CON London 2015 - Inside Terracotta VPN


[Map figure: Terracotta VPN node counts by country. The largest label is China with 1,095 nodes; the other labelled countries are the United States, South Korea, Taiwan, Thailand, Hong Kong, Vietnam, Singapore, Japan, the Netherlands, Russia, Canada, Malaysia, Poland, Germany, India, Indonesia, Lithuania, the United Kingdom, Australia, France, Hungary, Romania, Kenya, South Africa, Bangladesh and Macau.]

Terracotta VPN nodes are concentrated in China, South Korea and the United States

Page 9: 44CON London 2015 - Inside Terracotta VPN


What is Terracotta? Demo video: using a Terracotta brand

Page 10: 44CON London 2015 - Inside Terracotta VPN


Page 11: 44CON London 2015 - Inside Terracotta VPN


How Terracotta was discovered: A situation with the Derusbi server backdoor

•  Identified in a RAM dump: Shell_Crew/Axiom backdoor on a sensitive target web server

•  The Derusbi server loads a custom driver with firewall hooks, allowing it to listen on any port and coexist with other network services on the same port (like 80)

Derusbi server traffic redirection image courtesy Novetta Threat Research Group

Page 12: 44CON London 2015 - Inside Terracotta VPN


Cost/benefit decision on target web server

–  Remediate

or…

–  “intel-ate”

Watched actor(s) control the backdoor from legitimate organizations (not in China) for several months

Page 13: 44CON London 2015 - Inside Terracotta VPN


What did those legit orgs have in common? Following the breadcrumbs

•  Compromised Windows servers

•  Windows RRAS feature installed, with network policy to authenticate against RADIUS servers in China

•  VPN accounts included VPN brand names…

•  revealed Terracotta VPN brands…

•  allowing enumeration of nodes…

•  led to more victims…

Page 14: 44CON London 2015 - Inside Terracotta VPN

Orgs with Terracotta-enlisted servers

•  Fortune 500 hotel chain

•  A department of transportation in a U.S. state

•  High tech manufacturer

•  Fortune 500 engineering firm

•  University in Taiwan

•  University in Japan

•  State university in the U.S.

•  County government of a U.S. state

•  Prize indemnity insurance company

•  Microsoft Windows enterprise management application developer

•  Boutique IT service provider

•  Charter school

•  Educational service provider

•  Law firm

•  U.S. university-affiliated company

•  Web design and SEO consultant

•  Physician’s office (x2)

•  Unified Communications as a Service (UCaaS) provider

•  Business-to-Consumer (B2C) applications developer

•  Public convention center in a U.S. city

•  Wireless test and measurement solutions provider

•  IT Value Added Reseller (VAR) and services provider

•  IT solutions provider/contractor for federal and local government organizations

•  Furniture company

•  Computer store

•  Cloud service provider

•  More to come…

Page 15: 44CON London 2015 - Inside Terracotta VPN


A month in the life of a Terracotta VPN node

Unique successfully authenticated connections: 118,948

Unique client IP addresses: 9,053

Client IP addresses in mainland PRC: 8,903 (98%)

Client IP addresses not in mainland PRC: 150 (2%)

Unique client account names: 723 (most connections used trial accounts)

Unique client host names: 3,640

Page 16: 44CON London 2015 - Inside Terracotta VPN


Terracotta VIPs: Hook a bruddah up

•  VPN logs show special Terracotta-universal accounts for which the Terracotta client is unneeded

•  Wang Jia’s “testwj” account was one: always the first to log in, and used exclusively to test the victim server configuration immediately following a successful compromise

•  Some other VIP accounts, like “dgweikunping”, revealed their original locations by occasionally connecting with the same computer name from home base, but usually via a “VPN chain”
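An added example, not from the talk or from RSA, that applies the node-profile counts from the previous slide and the VIP-account patterns above to a constructed RRAS-style authentication log. The log lines, their CSV layout, the stand-in PRC address range (the documentation block 203.0.113.0/24) and the function names are all assumptions:

```python
import ipaddress

# Constructed RRAS-style VPN auth records (not real data): ts,account,client IP,host,result
SAMPLE_LOG = """\
2015-06-01T00:02:11Z,testwj,203.0.113.10,WEI-270FBC26C38,SUCCESS
2015-06-01T00:09:40Z,trial_0001,203.0.113.20,PC-A,SUCCESS
2015-06-01T00:12:05Z,trial_0001,203.0.113.20,PC-A,SUCCESS
2015-06-01T01:30:00Z,trial_0002,203.0.113.21,PC-B,SUCCESS
2015-06-01T02:00:00Z,dgweikunping,198.51.100.7,WEI-270FBC26C38,SUCCESS
2015-06-02T03:15:00Z,dgweikunping,203.0.113.55,WEI-270FBC26C38,SUCCESS
2015-06-02T04:00:00Z,trial_0003,203.0.113.22,PC-C,FAILURE
"""
# Stand-in for mainland PRC address space (real use: GeoIP); 203.0.113.0/24 plays that role.
PRC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Account names the talk identifies as Terracotta-universal / VIP accounts.
KNOWN_TERRACOTTA_ACCOUNTS = {"testwj", "dgweikunping", "charliewcs", "txshy", "qqq.com"}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, account, ip, host, result = line.split(",")
        rows.append({"ts": ts, "account": account, "ip": ip, "host": host,
                     "ok": result == "SUCCESS"})
    return rows

def node_profile(rows):
    """The 'month in the life of a node' counts, from successful logins only."""
    ok = [r for r in rows if r["ok"]]
    ips = {r["ip"] for r in ok}
    prc = {ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in PRC_NETWORKS)}
    return {"connections": len(ok), "unique_ips": len(ips), "prc_ips": len(prc),
            "non_prc_ips": len(ips - prc),
            "unique_accounts": len({r["account"] for r in ok}),
            "unique_hosts": len({r["host"] for r in ok})}

def suspicious_accounts(rows):
    """Flags the first successful login on the node (Terracotta's post-compromise test
    account), known Terracotta names, and one computer name seen from several client IPs."""
    ok = sorted((r for r in rows if r["ok"]), key=lambda r: r["ts"])
    flags, ips_per_host = {}, {}
    if ok:
        flags.setdefault(ok[0]["account"], set()).add("first-login")
    for r in ok:
        if r["account"].lower() in KNOWN_TERRACOTTA_ACCOUNTS:
            flags.setdefault(r["account"], set()).add("known-account")
        ips_per_host.setdefault((r["account"], r["host"]), set()).add(r["ip"])
    for (account, _host), ips in ips_per_host.items():
        if len(ips) > 1:
            flags.setdefault(account, set()).add("multi-ip-host")
    return flags
```

The multi-IP flag is what the "same computer name from home base, but usually via a VPN chain" observation looks like in log data.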

Page 17: 44CON London 2015 - Inside Terracotta VPN


Terracotta VIPs: VPN chaining

Diagram: Actor → VPN node 1 → VPN node 2 → target (USA)

Page 18: 44CON London 2015 - Inside Terracotta VPN


Terracotta VIP accounts: Hook a bruddah up

•  Charliewcs – Shenzhen

•  Dgweikunping – Dongguan

•  Wang Jia (testwj) – Dongguan

•  TXshy – Shanghai

•  qqq.com – Wuhan

Page 19: 44CON London 2015 - Inside Terracotta VPN


Terracotta node enlistment process

Victims all had Internet-exposed Windows servers with TCP port 135 and/or 3389 open. Terracotta may target vulnerable Windows servers because this platform includes VPN services that can be configured in a matter of minutes.

Diagram labels: Reconnaissance host (base host WEI-270FBC26C38; Wang Jia (testwj), Dongguan) and US organization Windows server [victim]. Steps shown against the victim:

1. “Administrator” brute force password attack

2. Disable Windows firewall

3. RDP login

4. Install RAT(s) after disabling antivirus

5. Create new Windows account

6. Install Windows VPN services

Followed by “testwj” account authentication, with 1.8800free.info pointing to PRC Radius Server(1) and 2.8800free.info pointing to PRC Radius Server(2).

Page 20: 44CON London 2015 - Inside Terracotta VPN


How Terracotta VPN Works

Diagram labels: Terracotta User; Internet; Terracotta VPN Node; Auth.xxxxx.com (Alibaba Cloud); PRC Radius Servers (IAS); login form (Username ••••••).

1. User browses to Terracotta VPN website

2. User downloads client SW, establishes account

3. User logs into client software / authenticates

4. Client software updates list of nodes

5. User selects VPN node, retrieves encoded credentials from cloud, initiates connection

6. VPN node authenticates user against the PRC Radius Servers (IAS): 1.8800free.info points to PRC Radius Server(1); 2.8800free.info points to PRC Radius Server(2); 3.8800free.info points to PRC Radius Server(3) (04-Aug-15); also one.x33.info and two.x33.info

7. Tunnel is established; user can connect to public internet destination through Terracotta network

Page 21: 44CON London 2015 - Inside Terracotta VPN


China cracks down on VPNs in ’15. But not you, Terracotta… you’re good

Page 22: 44CON London 2015 - Inside Terracotta VPN


Are all VPNs blocked in China? All VPNs are not created equal

•  Corporate enterprise VPNs not blocked

•  OpenVPN protocol is blocked

•  Windows built-in VPN protocols not generally blocked
–  PPTP: Point to Point Tunneling Protocol
–  L2TP: Layer 2 Tunneling Protocol
–  SSTP: Secure Socket Tunneling Protocol

Page 23: 44CON London 2015 - Inside Terracotta VPN


News flash: By default, all Windows VPN protocols use MS-CHAPv2 for authentication

Page 24: 44CON London 2015 - Inside Terracotta VPN


But it gets worse: Potential eavesdroppers don’t need to crack anything for Terracotta

Diagram: Terracotta VPN Node → 1.8800free.info, 2.8800free.info, 3.8800free.info, carrying credentials such as:

U: 20xxx_14369884_37830673_xxxvpn

P: xxxjsqcom

RSA Research has confirmed that Terracotta nodes send user account credentials to China in the clear

Page 25: 44CON London 2015 - Inside Terracotta VPN


RADIUS creds in the clear: We don’t need no stinking Chapcrack to decrypt VPN traffic
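An added example, not from the talk or from RSA, showing at the protocol level what the RRAS-to-RADIUS set-up on the breadcrumbs slide and the two slides above describe: it builds an RFC 2865 Access-Request the way a NAS such as RRAS sends one (assuming PAP), parses it back, and applies a sensor rule that flags any Access-Request leaving for a RADIUS server outside the site. The user name and password are the ones shown on the slide; the NAS address, shared secret, internal ranges and all function names are assumptions:

```python
import hashlib, ipaddress, os, struct

ACCESS_REQUEST = 1
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 31: "Calling-Station-Id"}
# Hypothetical internal ranges of the monitored site; a real rule uses the site's own.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def _attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(username, password, nas_ip, secret, authenticator=None):
    """Constructs an RFC 2865 Access-Request as a PAP NAS such as RRAS sends it:
    User-Name travels as plain text and User-Password (<= 16 bytes here) is only
    XORed with MD5(shared secret + Request Authenticator), not encrypted."""
    auth = authenticator or os.urandom(16)
    mask = hashlib.md5(secret + auth).digest()
    hidden = bytes(a ^ b for a, b in zip(password.encode().ljust(16, b"\0"), mask))
    attrs = (_attr(1, username.encode()) + _attr(2, hidden)
             + _attr(4, ipaddress.ip_address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + auth + attrs

def parse_radius(pkt):
    """Parses the RADIUS header and attribute TLVs; returns (code, {name: raw bytes})."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, off = {}, 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs[ATTR_NAMES.get(t, f"Attr-{t}")] = pkt[off + 2:off + l]
        off += l
    return code, attrs

def check_egress(dst_ip, payload):
    """Sensor rule: an Access-Request sent to a RADIUS server outside the site
    exposes the VPN user name and the NAS address to everyone on the path."""
    code, attrs = parse_radius(payload)
    if code != ACCESS_REQUEST or any(ipaddress.ip_address(dst_ip) in n for n in INTERNAL):
        return None
    return {"dst": dst_ip, "user": attrs["User-Name"].decode(errors="replace"),
            "nas": str(ipaddress.ip_address(attrs["NAS-IP-Address"]))}

# Constructed sample: a victim RRAS server (placeholder NAS address from the
# documentation range) forwarding the credentials shown on the slide.
SAMPLE = build_access_request("20xxx_14369884_37830673_xxxvpn", "xxxjsqcom",
                              "192.0.2.10", b"shared-secret")
```

In a deployment the rule would run over UDP 1812/1645 traffic at the egress point, where a Windows server talking RADIUS to an address it should have no business with is the indicator the breadcrumbs slide describes.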

Page 26: 44CON London 2015 - Inside Terracotta VPN


Page 27: 44CON London 2015 - Inside Terracotta VPN


Why the name “Terracotta VPN”

•  Iron pots
–  don’t crack
–  water tight

•  Terracotta pots
–  Easily cracked
–  Porous

Page 28: 44CON London 2015 - Inside Terracotta VPN


Questions? Also, RTFP: https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity. Send me an email.

“Lots of Pots” CC by Jonathan Billinger

Page 29: 44CON London 2015 - Inside Terracotta VPN

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.