At least two Canadian organizations are among dozens around the world that have unwittingly been hosting infrastructure of a China-based commercial virtual private network provider used in part by threat actors, according to a security vendor.
Separately, Trustwave has identified at least 3,913 Canadian machines infected with the latest version of the RIG exploit kit, which uses malvertising to spread attacks.
The news came out this week at the annual Black Hat IT security conference in Las Vegas, where a number of vendors are announcing new malware discoveries and products.
Publicly in China it is a commercial service offered on a number of Web sites so people can disguise their IP addresses to get around the country’s government-run Great Firewall. The firewall is an attempt to limit the ability of Chinese people to access Web sites outside China the government doesn’t like.
Subscribers can buy the VPN service to get to Western Web sites, or to buy goods like smart phones that aren’t available in China.
But “Terracotta” works by secretly hacking poorly-secured Windows servers around the world that host its software, including two here, in effect stealing their bandwidth as it anonymizes IP addresses.
In many cases these outward-facing servers (such as Web, email, or a physical access control server exposed to the Internet) are compromised by brute-force password attacks on administrator accounts. Once in, the attackers disable anti-virus and firewalls on the servers, then install malware including Windows VPN services, which are then pointed at the Terracotta authentication domain in China.
“No one is perfect — even some of the largest Fortune 500 companies have been victims,” Kent Backman, an RSA threat intelligence analyst, said in an interview.
The server of one of the Canadian companies being unknowingly used delivers Flash-based content, he said. He didn’t have information about the other victim.
Researchers also discovered the VPN service is being used by Shell_Crew / DeepPanda and other malware distributors to hide their activities.
Interestingly, RSA notes, China has closed other VPN services, particularly ones that use open-source VPN technology, but — so far — not “Terracotta,” which uses Windows’ Point-to-Point Tunneling Protocol (PPTP).
Backman refused to say whether this means the Chinese government approves of the “Terracotta” network.
“China blocks stuff that’s secure and doesn’t block things that tend to be insecure,” is all he observed. “PPTP does not appear to be blocked whatsoever by the Chinese government, which makes me believe that they’re not too concerned about it.”
Fortunately, RSA says in a report issued today, “Terracotta” operators aren’t using sophisticated methods to illegally harvest their VPN nodes from around the world and can be prevented with basic security. These three steps can block it:
–Block port 135 on external routers and firewalls. Hardware firewalls should also be configured with an “allow inbound by exception” policy;
–Rename the “Administrator” account on all Windows systems to a unique alphanumeric name;
–Use a strong password of 15 or more characters (mixed-case letters, numbers plus multiple special characters) that does not follow keyboard patterns.
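The three controls above, plus the firewall-disabled condition described earlier in the article, can be audited on a Windows server from PowerShell. The script below is an added example written for this page; it is not RSA’s tooling or part of its report. It assumes Windows Server 2016 or later with PowerShell 5.1 (the NetSecurity and LocalAccounts modules), an elevated session, and that `secedit` is available; the 15-character minimum and port 135 come from the article, while the rule names in the remediation comments are placeholders.

```powershell
# Added audit example (not from the article or RSA's report). Reports, but does
# not change, settings that fall short of the three controls listed above.
# Assumes: Windows Server 2016+/PowerShell 5.1, run as an administrator.

$findings = @()

# 1. Port 135 (MS-RPC endpoint mapper) and a default-deny inbound posture.
#    Flag any enabled inbound Allow rule whose local port covers 135, and any
#    profile that is disabled or whose default inbound action is not Block.
#    Caveat: port ranges such as '135-139' are not expanded here.
$openRpc = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports -contains '135') -or ($ports -contains 'Any')
    }
foreach ($rule in $openRpc) {
    $findings += "Inbound allow rule reaches port 135: '$($rule.DisplayName)' (profile: $($rule.Profile))"
}
Get-NetFirewallProfile | Where-Object {
    (-not $_.Enabled) -or ($_.DefaultInboundAction -ne 'Block')
} | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)': Enabled=$($_.Enabled), DefaultInboundAction=$($_.DefaultInboundAction); expected Enabled=True, Block"
}

# 2. Built-in Administrator account. Renaming changes the name but not the RID,
#    so locate the account by its well-known RID 500 rather than by name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin -and $builtin.Name -eq 'Administrator') {
    $findings += "Built-in administrator (RID 500) still uses the default name 'Administrator'"
}

# 3. Local password policy, read from a secedit export. Only length and the
#    complexity flag are machine-enforced; keyboard patterns are not detectable here.
$cfg = Join-Path $env:TEMP 'secpol-audit.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
$minLen = 0
$complexity = 0
if (Test-Path $cfg) {
    $m = Select-String -Path $cfg -Pattern '^MinimumPasswordLength\s*=\s*(\d+)'
    if ($m) { $minLen = [int]$m.Matches[0].Groups[1].Value }
    $c = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d+)'
    if ($c) { $complexity = [int]$c.Matches[0].Groups[1].Value }
    Remove-Item $cfg -Force
} else {
    $findings += 'Could not export local security policy with secedit (run elevated)'
}
if ($minLen -lt 15) {
    $findings += "MinimumPasswordLength is $minLen; article recommends 15 or more"
}
if ($complexity -ne 1) {
    $findings += 'PasswordComplexity is not enabled (mixed case, digits and symbols not enforced)'
}

# Report. Remediation (apply after review; names are placeholders):
#   Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
#   New-NetFirewallRule -DisplayName 'Block RPC endpoint mapper' -Direction Inbound `
#       -Protocol TCP -LocalPort 135 -Action Block
#   Rename-LocalUser -Name 'Administrator' -NewName '<unique-alphanumeric-name>'
#   Password length/complexity: Local Security Policy or the equivalent GPO.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: all three controls are in place'
} else {
    Write-Output "FAIL: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Identifying the built-in account by RID 500 rather than by name is what makes the rename check meaningful: an account named “Administrator” that is not RID 500 is a decoy, not the target of the article’s advice, while a renamed RID 500 account passes.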
In a separate announcement Trustwave warned the RIG exploit kit — hosted in Moscow — is now on version 3.0 after its code had been honed by its authors. Criminals are making an average of US$80,000 a day, the security vendor believes, from those using the kit.
Trustwave believes that since its release six weeks ago the kit — which leverages malicious ads to take advantage of Flash software and browsers that haven’t been updated — has infected 3,913 devices in Canada.
The most-exploited country is Brazil with over 450,000 victims, followed by Vietnam with 302,000, the U.S. with 45,880, and the U.K. with almost 9,700.
Overall, systems using the kit have successfully infected 1.25 million out of 3.6 million machines attempted.
In an interview Arseny Levin, a lead Trustwave security researcher, called it “one of the top four or five” exploit kits sold.
It has an interesting history: RIG used to be sold by criminal resellers. However, following a dispute last winter one of them published the source code. Since then the authors overhauled the software and plugged some vulnerabilities that were revealed.
Levin said that to avoid being a victim CISOs should make sure all software is updated, particularly browsers and Adobe Flash.
In addition, Flash should be set to click-to-play so the plug-in won’t run automatically. “This will help tremendously to avoid these kinds of attacks,” Levin said.