GeoGuard and WhoisXML API Partnership: The Dark Side of VPN Use Explored
Virtual private networks (VPNs) were originally designed to let users access their home or work networks remotely. Nowadays, VPNs are also commonly used to hide users’ identities and protect their privacy.
But not all VPN users are privacy protection advocates—some of them may actually have nefarious purposes in mind. A collaborative study between GeoGuard and WhoisXML API entitled “Not All VPN Users Are Worth Trusting, a Lesson for Cloud Service Providers” looked at possible VPN drawbacks more closely.
The research aimed to detect malicious IP addresses in IP blocks associated with VPN usage. The findings could serve as a warning to both cloud users and service providers.
The Data: Thousands of IP Ranges Involved
A total of 1,540 IP ranges were run against different blacklists to determine if they contained malicious IP addresses. These IP ranges are known to connect to VPN data centers. The blacklists are:
- Passive Spam Blocklist (PSBL): Containing 15,974 malicious IP addresses as of 12 August 2020.
- Feodo Tracker Botnet C2 IP Blocklists (Recommended): Listing 166 IP addresses that resolve to Dridex/Heodo/Emotet/TrickBot botnet command-and-control (C&C) servers as of 12 August 2020.
- Feodo Tracker Botnet C2 IP Blocklists (Aggressive): Containing 9,362 IP addresses that are blacklisted on Abuse.ch. The list was last updated on 13 August 2020.
Finally, a private server similar to what small businesses use was also observed for five days with the purpose of detecting malicious activity.
Research Findings: Not All VPN Users Are Trustworthy
From the 1,540 VPN-connected IP ranges provided by GeoGuard, 89 IP addresses were tagged “malicious” by at least one of the blacklist sites listed above. WhoisXML API’s IP intelligence revealed that the majority of these malicious IP addresses are administered by cloud service providers, including:
- DigitalOcean (29 IP addresses)
- Linode (18 IP addresses)
- M247 (8 IP addresses)
The private server used for the study, meanwhile, recorded 904 Secure Shell (SSH) login attempts, and 14 of those attempts came from the 89 VPN-connected malicious IP addresses. DigitalOcean administered 12 of the IP addresses responsible for the SSH login attempts at the time of writing.
Lastly, the 14 IP addresses that figured in SSH login attempts were not found in PSBL or any of the Feodo Tracker blocklists. However, all of them were reported for malicious activities on AbuseIPDB and VirusTotal.
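As an added illustration of the two checks the study describes (running VPN-connected IP ranges against blocklists, and matching SSH login attempts seen on a server against those same ranges), here is example code that is not from the study or from either company. The CIDR ranges, blocklist entries and sshd log lines are constructed from documentation address space, and the function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (documentation address space; not GeoGuard ranges or real blocklist entries).
VPN_RANGES = ["203.0.113.0/24", "198.51.100.128/25"]          # stand-in for VPN-connected IP ranges
BLOCKLIST = ["203.0.113.45", "198.51.100.200", "192.0.2.9"]   # stand-in for a PSBL/Feodo-style list
AUTH_LOG = [  # constructed sshd lines in the usual syslog format
    "Aug 12 03:14:07 host sshd[1234]: Failed password for root from 203.0.113.45 port 51022 ssh2",
    "Aug 12 03:14:09 host sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2",
    "Aug 12 03:15:00 host sshd[1301]: Failed password for invalid user test from 192.0.2.9 port 40001 ssh2",
    "Aug 12 03:16:41 host sshd[1350]: Failed password for root from 198.51.100.200 port 2222 ssh2",
    "Aug 12 03:16:55 host sshd[1352]: Failed password for root from 203.0.113.7 port 2222 ssh2",
    "Aug 12 03:17:02 host sshd[1360]: Accepted publickey for deploy from 198.51.100.14 port 50000 ssh2",
]
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")

def parse_ranges(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def in_ranges(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def blocklisted_in_ranges(cidrs, blocklist):
    """Blocklist entries that fall inside the VPN-connected ranges (the study's blocklist check)."""
    nets = parse_ranges(cidrs)
    return sorted(ip for ip in blocklist if in_ranges(ip, nets))

def failed_ssh_sources(log_lines):
    """Count failed SSH password attempts per source IP from sshd log lines."""
    hits = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def correlate(cidrs, blocklist, log_lines):
    """Failed-login sources inside the VPN ranges, noting whether each is also on the blocklist.
    Sources with no blocklist hit (like the study's 14 addresses) still warrant a lookup elsewhere."""
    nets = parse_ranges(cidrs)
    listed = set(blocklist)
    return {ip: {"attempts": n, "blocklisted": ip in listed}
            for ip, n in failed_ssh_sources(log_lines).items() if in_ranges(ip, nets)}

if __name__ == "__main__":
    print(blocklisted_in_ranges(VPN_RANGES, BLOCKLIST))
    print(correlate(VPN_RANGES, BLOCKLIST, AUTH_LOG))
```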
Detecting VPN and proxy servers is GeoGuard’s specialty, whereas WhoisXML API’s sources of intelligence enable enterprises and security teams to glean more insights and establish deeper context.
In this study, their collaboration allowed researchers to determine associations between malicious VPN-connected IP addresses and cloud service providers. Cloud service providers are encouraged to investigate how their clients are using their servers and virtual machines (VMs).