RSA Research report from Black Hat Conference in Las Vegas

... Game cheaters and hackers have been using something like this for quite a while now. Another related problem is that it's way too easy to rent servers anywhere in the world, use them for whatever and then wipe them and move on. A lot of smaller datacenters accept customer server hardware as well.

Or as S. Holmes so fondly puts it, "The game's afoot!" wink
—John

<><><> 

Nefarious state actors from China using a commercial VPN as an anonymizer.

https://blogs.rsa.com/resource/rsa-research-terracotta-vpn-report/

In this report, RSA Research explores in depth a malware-supported VPN network, known internally to RSA as Terracotta. Terracotta is an active launch-platform for APT activities of Shell_Crew / DeepPanda and other APT actors, used to obscure the origins of the threat actors' malicious activities. It is ensnaring a new class of victims (legitimate commercial and government entities, unknowingly serving as VPN nodes and supplying bandwidth) into larger-scale APT cases. Fortunately, enlistment in the Terracotta network is readily preventable by using well-established cybersecurity practices. Detection and mitigation for enlisted systems are also quite feasible.

Terracotta is commercially marketed in the People's Republic of China (PRC) under several different brand names. VPN services are quite marketable in China as a means to anonymously traverse government internet censorship. Terracotta's malicious methods for acquiring nodes and its theft of bandwidth likely derive substantial cost savings for its operators.

Having provided Terracotta VPN indicators to trusted partners, RSA has received multiple reports of (and since observed) suspected nation-state sponsored campaign activity originating from Terracotta VPN IP addresses. Targets appear to have included Western governments and several commercial entities. By using Terracotta VPN, advanced threat actors appear to originate from seemingly benign sources. Blocking, restricting, or detecting by IP address indicators is difficult because new nodes (hosted in legitimate organizations) are being continuously added.

This report by RSA Research may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world. It is the first time RSA Research has seen Shell_Crew / DeepPanda and other similar APT actors using such networks for anonymization and obfuscation.