Expect the Unexpected: VPN Provider Attacks Windows Servers

by Bharat Mistry

Advanced persistent threats and targeted attacks might be a daily threat for many of us working in the information security industry today, but there’s still a great deal of awareness raising to be done in the UK. In fact, there are many smaller organisations which don’t think they have anything worth stealing, and so continue to pay only lip service to the idea of cyber defence. Well, new research unveiled at Black Hat 2015 this week speaks to both of these challenges.

Terracotta: what happened
The research in question points to a Chinese VPN company, dubbed ‘Terracotta’. It’s marketed commercially in the People’s Republic under various brands to offer users a means to bypass the censorship Great Firewall. What is not mentioned to these customers, however, is that unlike most reputable VPN providers, many of its 1,500 nodes across the globe are actually compromised servers. Terracotta has targeted at least 30 Windows servers – probably because VPN services were quicker to configure on these platforms – which belonged mainly to smaller organisations without full-time security staff.

Affected organisations apparently included universities, car manufacturers, IT resellers, law firms and even a Fortune 500 hotel chain. Crucially, the servers were internet connected but without a hardware firewall. The attackers brute forced the password on the “administrator” account, enabling them to “maliciously, efficiently and rapidly” enlist vulnerable servers to their VPN network. It’s believed doing so saved Terracotta significant costs it would otherwise have to pay out for bandwidth and other management charges.

But that’s not all. The researchers also noticed that Chinese nation state APT operatives have used at least 52 Terracotta nodes for launching attacks, including one against a large defence contractor. Some of these actors hail from a group known as ‘Shell Crew’ (aka Deep Panda) which has been linked to major attacks on healthcare providers Anthem and Premera and the Office of Personnel Management (OPM). It’s thought that using a VPN service like this helps them “obscure their origins and cover their tracks”.

What we can learn
This is probably the first time these groups have been spotted using a commercial VPN service to cover their tracks and deliver malware. But you can bet it won’t be the last. And it’s also a cautionary tale for smaller firms who don’t think they’re a target for cyber attack. Here’s what we can take away from the incident.

  • Even if you have nothing worth stealing, your servers may be targeted for other purposes, such as supporting illegal VPN nodes. This can slow down corporate bandwidth, and if malware is launched from your server, even wrongly implicate your business in follow-on cyber attacks.
  • Basic security can help fortify systems: rename default password accounts such as “administrator”, improve password strength and ensure servers are firewalled.
  • APT attackers are getting better at hiding their tracks. Targeted attacks are not easy to spot, but can be mitigated with the following measures:
  • Advanced network analysis tools like Trend Micro Deep Discovery to spot unusual behaviour.
  • Reduce number of privileged accounts and replace IT admin passwords with two-factor authentication
  • Train staff how to better spot spear phishing attacks
  • Patch critical vulnerabilities immediately to reduce attack surface
  • Draw up an incident response plan with other stakeholders and practice attack scenarios

Targeted attacks and APTs comprise some of the most dangerous threats facing UK organisations today. That’s why we’ll be discussing how to spot and mitigate such attacks at our upcoming CLOUDSEC conference in London on 17 September. We’ll have world-leading experts from the FBI, the National Crime Agency, and of course Trend Micro to share their thoughts, all under the banner Expect the Unexpected. As we’ve seen from this latest Black Hat research, this mantra should be close to the heart of any IT manager.

Click here to find out more about CLOUDSEC London.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.