Around RSA

An Update on Terracotta VPN

Apr 01, 2016 | by Peter Beardmore |

Yesterday at Black Hat Asia in Singapore, RSA Researcher Kent Backman presented an update on Terracotta, our name for a VPN service marketed in China that we originally reported on in August of 2015. Great Firewall traversal, a primary use case for Terracotta, is commonly marketed to Chinese users.

Terracotta was notable because many of its nodes were servers that had been hacked, presumably by the network's operators and unbeknownst to the devices' actual owners. Among the minority of nodes that were legitimately leased from ISP's (particularly in the U.S.), many were multi-honed - meaning that several of the listed nodes that users could connect to were actually all the same server.

RSA also reported that threat actor groups such as Shell_Crew / Deep Panda were using Terracotta to anonymize and obfuscate cyber attacks. The technique may have improved their effectiveness because often organizations block IP addresses of foreign-affiliated VPN nodes. In the case of Terracotta, however, the hacked nodes had IP addresses affiliated with legitimate organizations.

Yesterday Mr. Backman revealed that in the months following our report, a developer of software used by Terracotta contacted RSA via email, apologized for the illegal uses of their product, encouraged us to continue to monitor them, and thanked us for our efforts. They also requested our 'private annex' of hacked IP addresses, intending to blacklist them. RSA provided the list as requested.

While we can't measure the results of that interaction, Mr. Backman reported yesterday that Terracotta's footprint has contracted considerably. Most notably the total quantity of nodes has shrunk from 1950 to approximately 1100. And among the nodes outside China, none appear to have been hacked. Rather, they appear to be legitimately leased, though their use of multi-honing has expanded from the U.S. to nearly their entire network.

Mr. Backman stressed that, while the news is positive, he continues to occasionally observe newly enlisted nodes that appear to have been hacked. His explanation, "Hackers gonna hack." He also noted that Terracotta-affiliated IP addresses were included in the C2 of an APT attack reported by another organization in Q4 of 2015. This indicates that despite the directional improvement of the Terracotta network during the past six months, APT actors continue to utilize the network in their operations.

RSA recommends that organizations continue to account for Terracotta in their security operations by doing the following:

For defending against Terracotta enlistment

  • Enable firewalls on Windows servers exposed to the Internet
  • Use strong authentication
  • Rename "administrator" accounts
  • Block all unnecessary ports, particularly TCP 135 & TCP 445

For defending against APT's using Terracotta

  • Alert on activity originating from Terracotta nodes in your enterprise
  • Monitor your network (including VPN's & Web servers) for Terracotta IP's
  • Alert on or filter email with message headers from Terracotta

RSA will provide a private annex to this update (a list of the latest Terracotta nodes) to trusted industry partners, vetted organizations, and security practitioners upon request. Please email for more information.