
Not All VPN Users Are Worth Trusting, a Lesson for Cloud Service Providers

This study combines intelligence from VPN and proxy detection service provider GeoGuard and domain, IP, and cyber threat data provider WhoisXML API.

Virtual private networks (VPNs) are widespread; about a third of the Internet population uses them worldwide. The primary reason users give is more secure browsing. However, privacy protection and security-related reasons are mixed with not necessarily legal purposes such as accessing territorially restricted content or hiding browsing activity from the government.

So while corporate-sanctioned VPN use is desired, consumer VPN use can be an entirely different matter. Yet personal VPN service usage remains out of enterprises’ control. It can also be problematic for companies that rely on IP geolocation-based protection as VPN users can mask their real IP addresses. Is it possible that VPN use puts both personal and corporate data at risk?

The sad truth is: not all VPN users can be trusted. We sought to put this statement to the test in this short study by analyzing IP blocks strongly associated with VPN usage.


The study began with a list of 1,540 IP ranges connected to known VPN data centers and service providers. We ran all the IP addresses against various blacklists—the Passive Spam Blocklist (PSBL) and the Feodo Tracker Botnet C2 IP Blocklists (Recommended and Aggressive)—to identify specific IP addresses that have proven malicious.

We retrieved the PSBL database, which companies use as a threat intelligence source for production-grade email spam filters, on 12 August 2020. It contained a total of 15,974 malicious IP addresses. The Feodo Tracker Botnet C2 IP Recommended Blocklist, which was last updated on 12 August 2020 at 12:26:17 UTC, meanwhile, contains 166 IP addresses that organizations are advised to block as they resolve to Dridex/Heodo/Emotet/TrickBot botnet command-and-control (C&C) servers. Finally, the Feodo Tracker Botnet C2 IP Aggressive Blocklist, last updated on 13 August 2020 at 18:24:27 UTC, contains all of the 9,362 IP addresses that Abuse.ch has blacklisted.

We also looked into the logs of a small private server, which we closely monitored for malicious activity from 9-13 August 2020. It used a dynamic IP address that we obtained from a home Internet service provider (ISP) and a free domain from a dynamic Domain Name System (DNS) service provider. It provided a web service and a Secure Shell (SSH) service on a nonstandard port for interactive access. The setup would be similar to that of a small or medium-sized business (SMB). After five days of tracking, we ended up with an access log indicating 904 IP addresses from which apparently malicious and unwanted SSH login attempts were made.
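The cross-matching described above can be sketched as follows. This is an added example, not code from the study: the VPN ranges, blocklist entries and sshd log lines are constructed from RFC 5737 documentation addresses, the function names are hypothetical, and the blocklist is assumed to be plain text with one IP per line and `#` comments.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (RFC 5737 documentation ranges, not the study's data).
VPN_RANGES = ["192.0.2.0/24", "198.51.100.64/26"]
BLOCKLIST_TEXT = """\
# constructed blocklist: one IP per line, '#' starts a comment
192.0.2.15
198.51.100.10
203.0.113.9
"""
SSHD_LOG = """\
Aug  9 03:12:01 srv sshd[811]: Invalid user admin from 198.51.100.70 port 40112
Aug  9 03:12:03 srv sshd[811]: Failed password for invalid user admin from 198.51.100.70 port 40112 ssh2
Aug 10 11:40:19 srv sshd[902]: Failed password for root from 203.0.113.9 port 51514 ssh2
Aug 11 08:00:45 srv sshd[950]: Accepted publickey for ops from 192.0.2.200 port 50022 ssh2
"""

# Matches OpenSSH failure lines only; successful logins are ignored.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) \S+ from (\S+) port")

def parse_blocklist(text):
    """Return the set of IPs listed, skipping '#' comments and blank lines."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {ipaddress.ip_address(e) for e in entries if e}

def failed_login_sources(log_text):
    """Count failed SSH login attempts per source IP."""
    return Counter(ipaddress.ip_address(m.group(1))
                   for m in FAILED_LOGIN.finditer(log_text))

def in_ranges(ips, cidrs):
    """Return the sorted subset of ips that fall inside any CIDR range."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return sorted(ip for ip in ips if any(ip in n for n in nets))

def cross_match():
    """Blocklisted IPs inside VPN ranges, and failed-login sources inside them."""
    blocklisted_vpn = in_ranges(parse_blocklist(BLOCKLIST_TEXT), VPN_RANGES)
    attempts = failed_login_sources(SSHD_LOG)
    ssh_vpn = in_ranges(attempts, VPN_RANGES)
    return ([str(ip) for ip in blocklisted_vpn],
            {str(ip): attempts[ip] for ip in ssh_vpn})

if __name__ == "__main__":
    print(cross_match())
```

An address that appears in the SSH log but on no blocklist, as with the constructed 198.51.100.70 here, still surfaces in the second result, which mirrors the study's observation that blocklist absence is not evidence of benign behavior.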

Results and Findings

VPN-Connected Malicious IP Addresses

Breakdown by Blacklist

A total of 89 IP addresses from the 1,540 VPN data center IP ranges we analyzed showed up on at least one of the three blocklists we consulted.

The data shows that not all VPN-connected IP addresses are harmless. At least 89 of them have, in fact, been cited for malicious activity and are blacklisted.

Breakdown by Provider

WhoisXML API’s IP Netblocks API helped determine the owner of the IP blocks. With the tool, we were able to identify each IP range’s country, organization name and contact details, and Autonomous System (AS) name and details.

The largest share of the 89 malicious IP addresses (29 to be exact) was owned by DigitalOcean, a U.S.-based cloud infrastructure provider for developers who wish to deploy and scale applications that run simultaneously on multiple computers. Linode, a U.S.-based privately-owned cloud hosting company that provides virtual private servers, came in second place as it controlled 18 malicious IP addresses. M247, a Romania-based cloud service provider, and Hosting Services, a U.S.-based hosting and cloud service provider, tied for third place, accounting for eight malicious addresses each.

Among the 89 IP addresses cited for malicious activity, only one (45[.]56[.]153[.]129, mentioned on PSBL) originated from a vendor that did not seem to offer any kind of cloud service. That vendor was Hong Kong-based VPN Consumer Network, which primarily provides VPN services.

Volume of VPN-Connected SSH Login Attempts

Of the 904 IP addresses recorded in our server log for SSH login attempts, 14 were VPN-connected malicious IP addresses.

While the number is admittedly small, it remains a cause for concern, especially for companies that may be sharing a cloud server with a malicious user.

IP Address Breakdown by Provider

Of the 14 IP addresses responsible for SSH login attempts, a majority (12 to be exact) were owned by DigitalOcean. Only one IP address each belonged to UK Dedicated Servers (based in the U.K.; 94[.]229[.]66[.]131) and ESTNOC-GLOBAL (based in Estonia; 185[.]195[.]237[.]31), both of which are European cloud service providers.

None of the IP addresses recorded for SSH login attempts appeared in our three blocklists. That is, however, no assurance that they are benign, given that they kept on trying to log in to a server with nonexistent usernames, apparently running some exploit kit.

We wanted to make sure, so we ran each IP address that tried to log in to our server via SSH through WhoisXML API’s Threat Intelligence Platform and further checked its status on AbuseIPDB and VirusTotal. All 14 were dubbed malicious:

| IP Address | VirusTotal | AbuseIPDB |
|---|---|---|
| 94[.]229[.]66[.]131 | 3 of 83 engines | reported 2,802 times |
| 139[.]59[.]169[.]37 | 5 of 93 engines | reported 7,319 times |
| 139[.]59[.]18[.]215 | 4 of 92 engines | reported 2,883 times |
| 139[.]59[.]3[.]170 | 4 of 83 engines | reported 668 times |
| 139[.]59[.]57[.]2 | 9 of 84 engines | reported 2,239 times |
| 139[.]59[.]67[.]82 | 5 of 92 engines | |
| 139[.]59[.]7[.]177 | 3 of 92 engines | reported 2,954 times |
| 178[.]62[.]118[.]53 | 2 of 93 engines | reported 6,612 times |
| 178[.]62[.]187[.]136 | 4 of 82 engines | reported 1,046 times |
| 178[.]62[.]199[.]240 | 4 of 93 engines | reported 5,099 times |
| 185[.]195[.]237[.]31 | 2 of 82 engines | reported 155 times |
| 188[.]166[.]144[.]207 | 5 of 82 engines | reported 2,219 times |
| 188[.]166[.]150[.]17 | 4 of 83 engines | reported 4,940 times |
| 188[.]166[.]251[.]87 | 2 of 83 engines | reported 6,072 times |

Conclusions and Recommendations

Summing up the findings, we know that several VPN-connected IP addresses are a cause for concern. In fact, all 14 of the VPN-connected IP addresses in our dataset were deemed malicious by at least three of the data sources we used for analysis. These malicious IP addresses may have been used for a wide variety of attacks spanning spamming to botnet activity and brute-force attacks.

Users may need to be especially wary of IP addresses issued by DigitalOcean, as it owns a majority of the suspicious or even malicious IP addresses. The vendor may not have strict policies in place for its VPN service offering. Users can, in fact, access a tutorial at https[:]//anonymster.com/setup-openvpn-server-digitalocean/ to set up their own OpenVPN on a virtual machine (VM) that they can also purchase on the site for as little as US$5. Registering for the service doesn’t even require users to dole out too many personal details, or go through a stringent verification process.

If a threat actor sets up an OpenVPN server and connects to it from a local device to avoid storing malicious code on the vendor’s virtual hosts, they could get away with crime. All they need to ensure is that the OpenVPN server is not logging anything. Or, at the first sign of detection, they can abandon the server and disappear.

As this paper shows, cloud service providers may find it beneficial to implement preventive measures and carefully scrutinize subscribers to prevent their infrastructure from being used and abused in attacks. They need to dig deeper into how clients are using their VMs and servers, as we have seen Amazon Web Services (AWS) servers abused by criminals to bypass over-the-top (OTT) media service providers’ terms of service.

VM abuse is tantamount to fraud that threatens the viability of not just media and e-commerce companies but also a much wider range of industries. Organizations across all kinds of sectors can benefit from GeoGuard’s leading VPN/DNS Proxy detection solutions for the identification of VPN-connected IPs that may spell trouble. Enriching suspicious IPs with WhoisXML API’s domain and IP intelligence sources can help reveal the identity of the cloud and other Internet service providers in charge, and hence help catch abuse and facilitate the takedown of misused and dangerous properties.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
