44CON London 2015 - Inside Terracotta VPN
TRANSCRIPT
1 © Copyright 2015 EMC Corporation. All rights reserved.
Inside Terracotta VPN Enabler of Advanced Threat Anonymity
Slide 2: About the speaker
Threat Intelligence Analyst, RSA FirstWatch
Prior: a decade-plus of all-source, intrusion and CIRT threat analysis
Slide 3: FirstWatch Global Footprint
Slide 4: About this talk
• What is Terracotta VPN?
• Video
• How Terracotta VPN was discovered
• Two dozen+
• Month in the life of a node
• How Terracotta works
• Why the name?
• Questions (anytime) and conclusions
Slide 5: What is Terracotta VPN? Saves you a Google search
• VPN infrastructure/service marketed to mainland Chinese consumers
  – Multiple brands
  – Advertised use-cases: game acceleration; “over the [great fire] wall”
• Appears to be operated from China
  – Source of node enlistment activity
  – User account authentication servers
  – Web site hosting
Slide 6: What is Terracotta VPN? (continued)
• Obtained most of its network of nodes throughout the world by hacking vulnerable servers
• In addition to legitimate use-cases, Terracotta has been used by advanced threat actors (including Shell_Crew) to anonymize and obscure their attacks
• There is no evidence that the Terracotta group is tied to the espionage-focused actors; it merely provides a service.
Slide 7: What is Terracotta VPN? “Enabler of Advanced Threat Anonymity”
• Paper from RSA Research released at Black Hat, 04 August 2015: https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity
• Release of the paper (or reporting on the paper) may have stimulated some Terracotta actor changes
Slide 8: [World map of Terracotta VPN node counts by country; the largest labelled figure is China with 1,095 nodes, and the remaining per-country figures are not recoverable from the extracted text]
Terracotta VPN nodes are concentrated in China, South Korea and the United States
Slide 9: What is Terracotta? Demo video: using a Terracotta brand
Slide 11: How Terracotta was discovered: a situation with a Derusbi server backdoor
• Identified in a RAM dump: Shell_Crew/Axiom backdoor on a sensitive target web server
• The Derusbi server loads a custom driver with firewall hooks, allowing it to listen on any port and coexist with other network services on the same port (such as 80)
Derusbi server traffic redirection image courtesy of Novetta Threat Research Group
Slide 12: Cost/benefit decision on the target web server
– Remediate
or…
– “intel-ate”
Watched actor(s) control the backdoor from legitimate organizations (not in China) for several months
Slide 13: Following the breadcrumbs: what did those legit orgs have in common?
• Compromised Windows servers
• Windows RRAS feature installed, with a network policy to authenticate against RADIUS servers in China
• VPN accounts included VPN brand names…
• …which revealed Terracotta VPN brands…
• …allowing enumeration of nodes…
• …which led to more victims…
Slide 14: Orgs with Terracotta-enlisted servers
• Fortune 500 hotel chain
• A department of transportation in a U.S. state
• High tech manufacturer
• Fortune 500 engineering firm
• University in Taiwan
• University in Japan
• State university in the U.S.
• County government of a U.S. state
• Prize indemnity insurance company
• Microsoft Windows enterprise management application developer
• Boutique IT service provider
• Charter school
• Educational service provider
• Law firm
• U.S. university-affiliated company
• Web design and SEO consultant
• Physician’s office (x2)
• Unified Communications as a Service (UCaaS) provider
• Business-to-Consumer (B2C) applications developer
• Public convention center in a U.S. city
• Wireless test and measurement solutions provider
• IT Value Added Reseller (VAR) and services provider
• IT solutions provider/contractor for federal and local government organizations
• Furniture company
• Computer store
• Cloud service provider
• More to come….
Slide 15: A month in the life of a Terracotta VPN node
Unique successfully authenticated connections: 118,948
Unique client IP addresses: 9,053
Client IP addresses in mainland PRC: 8,903 (98%)
Client IP addresses not in mainland PRC: 150 (2%)
Unique client account names: 723 (most connections used trial accounts)
Unique client host names: 3,640
Slide 16: Terracotta VIPs: Hook a bruddah up
• VPN logs show special Terracotta-universal accounts—no Terracotta client needed
• Wang Jia’s “testwj” account was one: always the first account seen, and used exclusively to test the victim server configuration immediately following successful compromise
• Some other VIP accounts, like “dgweikunping”, revealed their original locations by occasionally connecting with the same computer name from home base, but usually via a “VPN chain”
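The node statistics on slide 15 and the two log tells on slide 16 (the enlister's test account is the first successful login; a VIP's host name showing up from a non-node IP leaks the home base), as an added example that is not part of the talk or of RSA's tooling. The log lines, the stand-in PRC prefix (198.51.100.0/24) and the other-node address (203.0.113.5) are all constructed; real RRAS/IAS logs carry more fields but the same information.

```python
import ipaddress
from collections import defaultdict

# Constructed month of authentication records from one node: date,account,client_ip,host,result.
# 198.51.100.0/24 stands in for mainland-PRC address space; 203.0.113.5 is another Terracotta node.
LOG = """\
2015-06-01 01:02:03,testwj,198.51.100.7,WEI-270FBC26C38,success
2015-06-01 02:00:00,trial_0001,198.51.100.21,PC-A,success
2015-06-01 02:05:00,trial_0001,198.51.100.21,PC-A,success
2015-06-02 09:10:00,dgweikunping,203.0.113.5,DG-DESKTOP,success
2015-06-03 11:00:00,dgweikunping,198.51.100.44,DG-DESKTOP,success
2015-06-03 12:00:00,trial_0002,192.0.2.9,LAPTOP-B,success
2015-06-04 12:00:00,trial_0003,198.51.100.50,PC-C,failure
"""
PRC_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed stand-in
KNOWN_NODES = {ipaddress.ip_address("203.0.113.5")}    # constructed stand-in

def parse(log):
    rows = []
    for line in log.splitlines():
        date, account, ip, host, result = line.split(",")
        rows.append({"date": date, "account": account, "ip": ipaddress.ip_address(ip),
                     "host": host, "ok": result == "success"})
    return rows

def summarize(rows):
    """The slide-15 counters: successful connections, client IPs by region, accounts, hosts."""
    ok = [r for r in rows if r["ok"]]
    ips = {r["ip"] for r in ok}
    prc = {ip for ip in ips if any(ip in net for net in PRC_NETS)}
    return {"connections": len(ok), "client_ips": len(ips), "prc_ips": len(prc),
            "other_ips": len(ips - prc), "accounts": len({r["account"] for r in ok}),
            "hosts": len({r["host"] for r in ok})}

def enlistment_test_account(rows):
    """First successful login on a freshly enlisted node: the enlister's configuration test."""
    return next((r["account"] for r in sorted(rows, key=lambda r: r["date"]) if r["ok"]), None)

def home_base_exposure(rows):
    """Accounts whose host name connected both through another node (VPN chain) and
    directly from a non-node IP; the direct IP gives away the operator's home base."""
    via = defaultdict(set)
    for r in rows:
        if r["ok"]:
            via[(r["account"], r["host"])].add(r["ip"] in KNOWN_NODES)
    return sorted({acct for (acct, _), seen in via.items() if seen == {True, False}})
```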
Slide 17: Terracotta VIPs: VPN chaining
[Diagram] Actor → VPN node 1 → VPN node 2 → target (USA)
Slide 18: Terracotta VIP accounts: Hook a bruddah up
Account – Location
Charliewcs – Shenzhen
Dgweikunping – Dongguan
Wang Jia (testwj) – Dongguan
TXshy – Shanghai
qqq.com – Wuhan
Slide 19: Terracotta node enlistment process
Victims all had Internet-exposed Windows servers with TCP port 135 and/or 3389 open. Terracotta may target vulnerable Windows servers because this platform includes VPN services that can be configured in a matter of minutes.
[Diagram] Reconnaissance host (base host WEI-270FBC26C38; Wang Jia (testwj), Dongguan) → US organization Windows server [victim]:
1. “Administrator” brute-force password attack
2. Disable Windows firewall
3. RDP login
4. Install RAT(s) after disabling antivirus
5. Create new Windows account
6. Install Windows VPN services
Followed by “testwj” account authentication from the victim server against 1.8800free.info (points to PRC RADIUS server 1) and 2.8800free.info (points to PRC RADIUS server 2)
Slide 20: How Terracotta VPN works
[Diagram: Terracotta user, Internet, Auth.xxxxx.com on Alibaba Cloud, Terracotta VPN node, PRC RADIUS servers]
1. User browses to the Terracotta VPN website
2. User downloads the client software, establishes an account
3. User logs into the client software / authenticates (Auth.xxxxx.com, Alibaba Cloud)
4. Client software updates its list of nodes
5. User selects a VPN node, retrieves encoded credentials from the cloud, initiates the connection
6. VPN node authenticates the user via RADIUS (IAS): 1.8800free.info points to PRC RADIUS server 1; 2.8800free.info points to PRC RADIUS server 2; 3.8800free.info points to PRC RADIUS server 3 (04-Aug-15); one.x33.info, two.x33.info
7. Tunnel is established; user can connect to a public Internet destination through the Terracotta network
Slide 21: China cracks down on VPNs in ’15. But not you, Terracotta… you’re good
Slide 22: Are all VPNs blocked in China? All VPNs are not created equal
• Corporate enterprise VPNs not blocked
• OpenVPN protocol is blocked
• Windows built-in VPN protocols not generally blocked
  – PPTP: Point-to-Point Tunneling Protocol
  – L2TP: Layer 2 Tunneling Protocol
  – SSTP: Secure Socket Tunneling Protocol
Slide 23: News flash: by default, all Windows VPN protocols use MS-CHAPv2 for authentication
Slide 24: But it gets worse: potential eavesdroppers don’t need to crack anything for Terracotta
[Diagram] Terracotta VPN node → 1.8800free.info, 2.8800free.info, 3.8800free.info
U: 20xxx_14369884_37830673_xxxvpn
P: xxxjsqcom
RSA Research has confirmed that Terracotta nodes send user account credentials to China in the clear
Slide 25: RADIUS creds in the clear: we don’t need no stinking Chapcrack to decrypt VPN traffic
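What slides 24 and 25 describe, seen from the wire between a node and its RADIUS server: an RFC 2865 Access-Request parser that reports the fields an on-path observer reads with no key at all. This is an added example, not code from the talk or from RSA Research; the sample packet, its NAS address (203.0.113.10, documentation range), authenticator and masked password are constructed, and only the redacted account name is taken from the slide.

```python
import struct
import ipaddress

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
MS_VENDOR_ID, MS_CHAP2_RESPONSE = 311, 25   # Microsoft VSA carrying the MS-CHAPv2 response

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value   # type, length, value

def access_request(ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    """Return (identifier, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("truncated attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return ident, pkt[4:20], attrs

def observer_view(pkt):
    """Account name and node address are plaintext; the auth method decides what else leaks."""
    view = {"user_name": None, "nas_ip": None, "auth": "unknown"}
    for atype, val in parse(pkt)[2]:
        if atype == USER_NAME:
            view["user_name"] = val.decode("utf-8", "replace")
        elif atype == NAS_IP_ADDRESS:
            view["nas_ip"] = str(ipaddress.IPv4Address(val))
        elif atype == USER_PASSWORD:   # PAP: masked only by MD5(shared secret | authenticator),
            view["auth"] = "PAP"       # and that secret is configured on every enlisted node
        elif (atype == VENDOR_SPECIFIC and len(val) >= 6
              and struct.unpack("!I", val[:4])[0] == MS_VENDOR_ID and val[4] == MS_CHAP2_RESPONSE):
            view["auth"] = "MS-CHAPv2"  # challenge/response: crackable offline, not readable outright
    return view

# Constructed sample: node 203.0.113.10 forwarding a PAP login for the slide's redacted account.
SAMPLE = access_request(7, b"\x11" * 16, [
    attr(USER_NAME, b"20xxx_14369884_37830673_xxxvpn"),
    attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("203.0.113.10").packed),
    attr(USER_PASSWORD, b"\x00" * 16),
])
```

Seeing UDP/1812 Access-Requests from a server you own leave for a RADIUS server you do not control is the breadcrumb from slide 13, and the User-Name attribute in them is readable by anyone on the path regardless of the authentication method.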
Slide 27: Why the name “Terracotta VPN”
• Iron pots – don’t crack – watertight
• Terracotta pots – easily cracked – porous
Slide 28: Questions? Also, RTFP: https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity. Send me an email.
“Lots of Pots” CC by Jonathan Billinger