44CON LONDON 2015

Virtual Private Networks (VPN) are very popular. They are part and parcel for almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of privacy data, online gaming acceleration, and bypassing service provider restrictions. VPN’s are also popular with cyber criminals, as it is one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business with multiple VPN brand names out of the People’s Republic of China (PRC). At last count, the Terracotta VPN node ecosystem consisted of more than 1500 systems around the globe. Every Windows server running as a Terracotta VPN node that FirstWatch was able to verify was hacked.

The operators behind Terracotta VPN continue their broad campaign to compromise multiple victim organizations around the world. Meanwhile, advanced threat actors such as Shell_Crew (Google RSA Shell_Crew for details) use Terracotta VPN to anonymize their activity while they hack the crap out of governments and commercial entities around the world. While RSA has yet to release the paper to the public, an earlier version of Inside Terracotta VPN was presented to Microsoft’s invitation-only Digital Crimes Consortium (DCC 2105) conference in Miami. This presenter will share with the 44CON London audience otherwise non-public information previously restricted to law enforcement on how this was discovered, and other stuff not appearing in the paper to be released by RSA (this summer).