Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150904-271-RSA-Terracotta VPN
Raytheon Blackbird Technologies, Inc.
04 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report is a fairly comprehensive account of the large, commercially available China-based VPN service known within RSA as “Terracotta.” The report focuses on the VPN network nodes and infrastructure but provides very little technical detail on how some of its nodes are co-opted through malware.
(S//NF) Terracotta VPN is the name used by RSA Research to describe the dynamically maintained conglomerate of multiple VPN brand names marketed on Chinese-language websites. Some of the nodes that make up the Terracotta VPN network were obtained legitimately, but many have been co-opted without their owners' permission via classic malware attacks.
(S//NF) RSA states in the report that all the co-opted nodes examined are Windows servers and speculates that the reason is that vulnerable Windows servers support VPN operations and are quickly and easily configured to do so. RSA provides a high-level overview of the steps taken to co-opt vulnerable Windows servers:
1. Brute-force password attack against the Administrator account via WMI through TCP port 135.
2. Remote connection to the Administrator account using the credentials harvested in step one.
3. Disable the firewall and install Telnet.
4. Log in via RDP. Uninstall Windows Defender. Download and install a custom version of Gh0st RAT and/or a custom version of Mitozhan RAT. Install a Windows backdoor shell service listening on port 3422.
5. Create a new Windows account in the Administrators group.
6. A few days later, log in via RDP and install Network Policy and Access Services and Routing and Remote Access Services with a custom remote access policy pointing to the Terracotta Internet Authentication Services (IAS) servers.
7. Test the Terracotta VPN centralized IAS authentication and add the node to the network listing.
(S//NF) The preceding description of how vulnerable Windows servers are co-opted into the
Terracotta network is the extent of technical discussion provided by this report.
(S//NF) RSA has observed nation-state sponsored bad actors and other hacker groups using the
Terracotta VPN network operationally. For example, RSA observed the SHELL_CREW (subject
of a previous Pique Report) using the Terracotta VPN network to attack a victim.
(S//NF) The report closes with a detailed explanation of how to detect the Terracotta VPN network operating without permission on your network.
(S//NF) Because of the lack of technical detail on how the victim Windows servers are compromised, there are no PoCs recommended from this report.
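The page summarizes the co-opt sequence but does not reproduce the report's detection guidance. The following is an added example, not code from the RSA or Raytheon report: a Python heuristic that scores a host inventory snapshot against the artefacts that sequence leaves behind (a port 3422 listener, Defender removed, firewall off, Telnet, an unexpected Administrators member, RRAS plus NPS), weighted so that a legitimate RRAS/NPS gateway does not alert on its own. The HostSnapshot fields, the weights and the sample hosts are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class HostSnapshot:
    """One host's posture as a defender could collect it from inventory/EDR data (field names are assumed)."""
    name: str
    listening_tcp: set = field(default_factory=set)
    installed_roles: set = field(default_factory=set)   # Windows roles/features present
    local_admins: set = field(default_factory=set)      # current Administrators members
    baseline_admins: set = field(default_factory=set)   # members recorded at last audit
    defender_installed: bool = True
    firewall_enabled: bool = True

# (label, weight, predicate). Weights reflect how unusual each artefact is on a
# healthy server: the port-3422 backdoor and a removed AV are rare on their own,
# while RRAS/NPS alone is normal on a legitimate VPN gateway.
INDICATORS = [
    ("backdoor shell service listening on TCP 3422", 3, lambda h: 3422 in h.listening_tcp),
    ("Windows Defender removed", 2, lambda h: not h.defender_installed),
    ("host firewall disabled", 2, lambda h: not h.firewall_enabled),
    ("Telnet installed", 1, lambda h: "Telnet" in h.installed_roles),
    ("Administrators member not in baseline", 2, lambda h: bool(h.local_admins - h.baseline_admins)),
    ("RRAS and NPS installed", 1, lambda h: {"RRAS", "NPS"} <= h.installed_roles),
]
THRESHOLD = 5  # RRAS/NPS plus one minor artefact must not alert by itself

def assess(host):
    """Return (score, matched indicator labels) for one host snapshot."""
    hits = [(label, weight) for label, weight, pred in INDICATORS if pred(host)]
    return sum(w for _, w in hits), [label for label, _ in hits]

def flag_suspect_hosts(hosts):
    """Names of hosts whose correlated score reaches the alert threshold."""
    return [h.name for h in hosts if assess(h)[0] >= THRESHOLD]

# Constructed sample: one host showing the full co-opt pattern, one legitimate RRAS/NPS gateway.
SAMPLE_HOSTS = [
    HostSnapshot("srv-web-07", listening_tcp={80, 443, 3389, 3422},
                 installed_roles={"Telnet", "RRAS", "NPS"},
                 local_admins={"Administrator", "support2"},
                 baseline_admins={"Administrator"},
                 defender_installed=False, firewall_enabled=False),
    HostSnapshot("vpn-gw-01", listening_tcp={443, 1723, 3389},
                 installed_roles={"RRAS", "NPS"},
                 local_admins={"Administrator"}, baseline_admins={"Administrator"}),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host.name, assess(host))
```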
2.0 (U) Description of the Technique
(S//NF) Not applicable as no PoCs are recommended.
