Terracotta VPN helps spread malware
Terracotta Army, View of Pit 1 (c) 2015 Jmhullot

Terracotta is a Virtual Private Network (VPN) built on hacked enterprise Windows servers. Its activities have led security company RSA to issue a warning that it is providing a platform for malware and APT actors to hide their attacks from security teams.

VPN’s are used regularly by companies, individuals and regular travellers to protect their communications and hide their locations. Companies that provide VPN services invest heavily in providing nodes in different countries for users to connect to.

Terracotta is different. With more than 1500 nodes it is one of the biggest VPN providers in the world. According to RSA most of those nodes have not been purchased or provided legally. Instead Terracotta relies on a global network of compromised Windows servers hidden inside legitimate organisations.

In its blog on Terracotta RSA says that most companies will block VPN access from commercial providers as part of their cybersecurity policies. By using compromised Windows servers Terracotta is able to avoid being blocked as its addresses seem legitimate to security teams.

Terracotta helps mask the activities of APT groups

Despite its activities in hacking vulnerable servers in order to deploy its VPN Nodes, RSA makes the point that Terracotta is not known to be owned by any APT actor. What makes Terracotta especially dangerous is that it is marketed across China under a number of different names to enable people to get around the Chinese government block on Internet access. This means that it has thousands of legitimate users and their activity helps APT actors hide in plain sight.

In a detailed report titled Terracotta VPN, Enabler of Advanced Threat Anonymity, RSA reports that all of the compromised Windows servers should have been easily protected. The problem is that it appears the affected companies whose servers RSA has identified as being compromised failed to carry out even the most basic security such as deleting the default Administrator account.

The report details 23 organisations representing 31 different Windows servers that were compromised by those running Terracotta. They range from a Fortune 500 hotel chain to a Charter School. They also include an IT Value Added Reseller (VAR), a Unified Communications as a Service (UCaaS) provider and a Windows enterprise management application developer. While the companies themselves were not named the spread of businesses that they operate shows how widespread the problem of compromised servers is.

To aid IT security teams detect compromised servers RSA has detailed how Terracotta enlists servers into its network. It has also provided a set of instructions as to how to prevent servers being recruited by Terracotta.


Terracotta is more than just a security threat by making it easy for APT actors to hide inside other traffic. It has exposed yet another cybersecurity weakness inside enterprises where the basics of cybersecurity fail to make it from education into practice.


Please enter your comment!
Please enter your name here