44CON London 2015 - Inside Terracotta VPN
- 1. 1
© Copyright 2015 EMC Corporation. All rights reserved.
Inside Terracotta VPN
Enabler of Advanced Threat Anonymity
- 2. 2
About speaker
Threat Intelligence Analyst, RSA FirstWatch
Prior: a decade-plus of all-source, intrusion and CIRT threat analysis
- 4. 4
About this talk
• What is Terracotta VPN?
• Video
• How Terracotta VPN was discovered
• Two dozen+
• Month in the life of a node
• How Terracotta works
• Why the name?
• Questions (anytime) and conclusions
- 5. 5
What is Terracotta VPN?
Saves you a Google search
• VPN infrastructure/service marketed to mainland Chinese consumers
– Multiple brands
– Advertised use-cases
• Game acceleration
• “Over the [great fire] wall”
• Appears to be operated from China
– Source of node enlistment activity
– User account authentication servers
– Web site hosting
- 6. 6
What is Terracotta VPN?
continued
• Obtained most of their network of nodes throughout the world by hacking vulnerable servers
• In addition to legitimate use-cases, Terracotta has been used by advanced threat actors (including Shell_Crew) for anonymizing and obscuring their attacks
• There is no evidence that the Terracotta group is tied to the espionage-focused actors, but merely provides a service.
- 7. 7
What is Terracotta VPN?
“Enabler of Advanced Threat Anonymity”
• Paper from RSA Research released at Black Hat
– 04 August, 2015
– https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity
• Release of paper (or reporting on paper) may have stimulated some Terracotta actor changes
- 8. 8
Terracotta VPN nodes are concentrated in China, South Korea and the United States
[World map of Terracotta VPN node counts by country; the three largest labelled counts are 1,095, 572 and 204, and the remaining countries shown range from 28 down to 1]
- 9. 9
What is Terracotta?
Demo video: using a Terracotta brand
- 11. 11
How Terracotta was discovered
A situation with Derusbi server backdoor
• Identified in RAM dump: Shell_Crew/Axiom backdoor on sensitive target web server
• Derusbi server loads a custom driver with firewall hooks, allowing it to listen on any port and coexist with other network services on the same port (like 80)
[Figure: Derusbi server traffic redirection; image courtesy Novetta Threat Research Group]
- 12. 12
Cost/benefit decision on target web server
– Remediate
or…
– “intel-ate”
Watched actor(s) control backdoor from legitimate organizations (not in China) for several months
- 13. 13
Following the breadcrumbs
What did those legit orgs have in common?
• Compromised Windows servers
• Windows RRAS feature installed, with network policy to authenticate against RADIUS servers in China
• VPN accounts included VPN brand names….
• revealed Terracotta VPN brands…
• allowing enumeration of nodes…
• led to more victims…
- 14. 14
Orgs with Terracotta-enlisted servers
• Fortune 500 hotel chain
• A department of transportation in a U.S. state
• High tech manufacturer
• Fortune 500 engineering firm
• University in Taiwan
• University in Japan
• State university in the U.S.
• County government of a U.S. state
• Prize indemnity insurance company
• Microsoft Windows enterprise management application developer
• Boutique IT service provider
• Charter school
• Educational service provider
• Law firm
• U.S. university-affiliated company
• Web design and SEO consultant
• Physician’s office (x2)
• Unified Communications as a Service (UCaaS) provider
• Business-to-Consumer (B2C) applications developer
• Public convention center in a U.S. city
• Wireless test and measurement solutions provider
• IT Value Added Reseller (VAR) and services provider
• IT solutions provider/contractor for federal and local government organizations
• Furniture company
• Computer store
• Cloud service provider
• More to come….
- 15. 15
A month in the life of a Terracotta VPN node
Unique successfully authenticated connections: 118,948
Unique client IP addresses: 9,053
Client IP addresses in mainland PRC: 8,903 (98%)
Client IP addresses not in mainland PRC: 150 (2%)
Unique client account names: 723 (most connections used trial accounts)
Unique client host names: 3,640
- 16. 16
Terracotta VIPs
Hook a bruddah up
• VPN logs show special Terracotta-universal accounts (no Terracotta client needed)
• Wang Jia’s “testwj” account was one: always the first one used, and used exclusively to test victim server configuration immediately following successful compromise
• Some other VIP accounts like “dgweikunping” revealed their original locations by occasionally connecting with the same computer name from home base, but usually via “VPN chain”
- 17. 17
Terracotta VIPs
VPN Chaining
[Diagram: Actor -> VPN node 1 -> VPN node 2 -> target (USA)]
- 18. 18
Terracotta VIP accounts
Hook a bruddah up
Charliewcs – Shenzhen
Dgweikunping – Dongguan
Wang Jia (testwj) – Dongguan
TXshy – Shanghai
qqq.com – Wuhan
- 19. 19
Terracotta node enlistment process
Victims all had Internet-exposed Windows servers with TCP port 135 and/or 3389 open
Terracotta may target vulnerable Windows servers because this platform includes VPN services that can be configured in a matter of minutes
Steps observed against the victim (US organization Windows server):
1. “Administrator” brute force password attack
2. Disable Windows firewall
3. RDP login
4. Install RAT(s) after disabling antivirus
5. Create new Windows account
6. Install Windows VPN services
Following these steps, the “testwj” account (Wang Jia, Dongguan) authenticates to the newly installed VPN service to test the configuration
[Diagram labels: Reconnaissance host; Base host – WEI-270FBC26C38; US organization Windows server [victim]; 1.8800free.info points to PRC Radius Server(1); 2.8800free.info points to PRC Radius Server(2)]
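The six-step chain above leaves a recognisable trail in Windows event logs. As an added example (not from the talk or RSA Research), this Python detector looks for a burst of failed Administrator logons followed, within a window, by an RDP logon from the same source, a new local account and a new service; the threshold, window and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions for this added example: this many failed "Administrator" logons from one source
# counts as a brute-force burst, and the whole chain must complete inside WINDOW.
BRUTE_FORCE_THRESHOLD = 20
WINDOW = timedelta(hours=24)


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not real logs). Fields mirror Windows event data: 4625 failed logon,
# 4624 logon with LogonType 10 (RDP), 4720 user account created, 7045 new service installed.
SAMPLE_EVENTS = [
    {"time": ts("2015-03-01 02:%02d:00" % m), "id": 4625, "user": "Administrator",
     "src": "198.51.100.7", "logon_type": 10} for m in range(25)
] + [
    {"time": ts("2015-03-01 02:30:00"), "id": 4624, "user": "Administrator",
     "src": "198.51.100.7", "logon_type": 10},
    {"time": ts("2015-03-01 02:41:00"), "id": 4720, "user": "Administrator", "new_user": "vpnsvc"},
    {"time": ts("2015-03-01 02:50:00"), "id": 7045, "user": "Administrator", "service": "rat_svc"},
]


def detect_enlistment_chain(events):
    """First source that brute-forced Administrator and then, inside WINDOW, logged on over RDP,
    created an account and installed a service (steps 1, 3, 5 and 4/6 of the talk); else None."""
    events = sorted(events, key=lambda e: e["time"])
    failures = {}
    for e in events:
        if e["id"] == 4625 and e["user"] == "Administrator":
            failures.setdefault(e["src"], []).append(e["time"])
    for src, times in failures.items():
        if len(times) < BRUTE_FORCE_THRESHOLD:
            continue
        start, deadline = times[0], times[0] + WINDOW
        window = [e for e in events if start <= e["time"] <= deadline]
        logon = next((e for e in window if e["id"] == 4624 and e.get("logon_type") == 10
                      and e.get("src") == src), None)
        if logon is None:
            continue
        after = [e for e in window if e["time"] >= logon["time"]]
        new_acct = next((e for e in after if e["id"] == 4720), None)
        new_svc = next((e for e in after if e["id"] == 7045), None)
        if new_acct and new_svc:
            return {"src": src, "failed_logons": len(times), "rdp_logon": logon["time"],
                    "new_account": new_acct["new_user"], "new_service": new_svc["service"]}
    return None
```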
- 20. 20
How Terracotta VPN Works
1. Terracotta user browses to a Terracotta VPN website
2. User downloads client software and establishes an account
3. User logs into the client software and authenticates (Username / ••••••) via Auth.xxxxx.com, hosted on Alibaba Cloud
4. Client software updates its list of nodes
5. User selects a VPN node, retrieves encoded credentials from the cloud and initiates the connection
6. The VPN node authenticates the user against the PRC RADIUS (IAS) servers: 1.8800free.info points to PRC Radius Server(1); 2.8800free.info points to PRC Radius Server(2); 3.8800free.info points to PRC Radius Server(3) (04-Aug-15); one.x33.info and two.x33.info also appear
7. Tunnel is established; the user can connect to a public Internet destination through the Terracotta network
- 21. 21
China cracks down on VPNs in ‘15
But not you, Terracotta…you’re good
- 22. 22
Are all VPNs blocked in China?
All VPNs are not created equal
• Corporate enterprise VPNs not blocked
• OpenVPN protocol is blocked
• Windows built-in VPN protocols not generally blocked
– PPTP: Point to Point Tunneling Protocol
– L2TP: Layer 2 Tunneling Protocol
– SSTP: Secure Socket Tunneling Protocol
- 23. 23
News flash
By default, all Windows VPN protocols use MS-CHAPv2 for authentication
- 24. 24
But it gets worse
Potential eavesdroppers don’t need to crack anything for Terracotta
RSA Research has confirmed that Terracotta nodes send user account credentials to China in the clear
[Diagram: Terracotta VPN Node -> 1.8800free.info, 2.8800free.info, 3.8800free.info, carrying e.g. U: 20xxx_14369884_37830673_xxxvpn / P: xxxjsqcom]
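The finding on slide 13 (RRAS forwarding VPN logons to RADIUS servers in China) and the clear-text RADIUS exchange shown above can both be checked from the wire. As an added example (not from the talk or RSA Research), this Python code parses a RADIUS Access-Request, pulls out the account name and authentication method, and alerts when the destination RADIUS server is outside an expected set; the expected-server list, account name and packet are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumption (constructed): the only RADIUS servers this organisation's RRAS/NPS should talk to.
EXPECTED_RADIUS_SERVERS = [ip_network("10.0.0.0/8")]
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
MS_VENDOR_ID = 311  # Microsoft's enterprise number; MS-CHAP attributes ride inside these VSAs


def parse_radius(payload):
    """Parse an RFC 2865 packet: 20-byte header, then type/length/value attributes."""
    if len(payload) < 20 or struct.unpack("!H", payload[2:4])[0] > len(payload):
        raise ValueError("length field inconsistent with payload")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def audit_access_request(dst_ip, payload):
    """Report who is authenticating, how, and whether the RADIUS server is an expected one."""
    code, _, attrs = parse_radius(payload)
    finding = {"user": None, "method": "unknown", "alert": False}
    if code != ACCESS_REQUEST:
        return finding
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            finding["user"] = value.decode("utf-8", "replace")
        elif atype == ATTR_USER_PASSWORD:
            finding["method"] = "PAP"      # password only XOR-masked with the shared secret
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MS_VENDOR_ID:
            finding["method"] = "MS-CHAP"  # MS-CHAP-Challenge/Response carried as Microsoft VSAs
    # Alert on the pattern from the talk: VPN logons forwarded to a RADIUS server outside the expected set.
    finding["alert"] = not any(ip_address(dst_ip) in net for net in EXPECTED_RADIUS_SERVERS)
    return finding


def build_access_request(ident, attrs):
    # Constructed Access-Request for testing: zeroed Request Authenticator, no shared secret.
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample shaped like the slide's account name, carrying an MS-CHAP-Challenge VSA
# (vendor type 11, vendor length 18, 16-byte challenge) rather than a PAP User-Password.
SAMPLE_REQUEST = build_access_request(7, [
    (ATTR_USER_NAME, b"20xxx_00000000_00000000_xxxvpn"),
    (ATTR_VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + bytes([11, 18]) + bytes(16)),
])
```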
- 25. 25
RADIUS creds in the clear
We don’t need no stinking Chapcrack to decrypt VPN traffic
- 27. 27
Why the name “Terracotta VPN”
• Iron pots
– don’t crack
– water tight
• Terracotta pots
– Easily cracked
– Porous
- 28. 28
Questions?
Also, RTFP:
https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity
Send me an email
“Lots of Pots” CC by Jonathan Billinger
- 29. EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.