Terracotta VPN Piggybacks On Network Of Compromised Windows Servers
APT groups use this VPN service to launch attacks against organizations around the world.
August 5, 2015
A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.
Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that many of its servers are actually Windows systems at small businesses and other organizations with limited IT staff, systems that have been compromised and commandeered into the network.
While there are some servers owned by Terracotta, most of the infrastructure consists of servers in China, South Korea, Japan, the United States, and some countries in Eastern Europe. Victims include a Fortune 500 hotel chain, a hi-tech manufacturer, a law firm, a doctor's office, school and university systems, and a county government for an unidentified U.S. state, the report found.
“While most of the Terracotta victims are smaller organizations without dedicated security staff, large organizations were not immune to exploitation by the Terracotta perpetrators,” RSA researchers wrote in the report.
There are “three classes of victims” affected by Terracotta, says Peter Beardmore, senior consultant for threat intelligence at RSA. The first class includes the consumers who purchase Terracotta thinking it is a legitimate VPN service. The second group refers to the more than 300 companies whose servers have been compromised for Terracotta's purposes, and the third group refers to the organizations the attack groups are targeting.
Read the rest of this article on Dark Reading.