Stealthy VPN Services: From Consumer Play Toys To Enterprise Threats

How VPN services are being used and what security vendors must do to minimize the threats


Mobile employees on the go are very familiar with VPN clients. A VPN client establishes an encrypted communication channel between a mobile user in a hotel room, a coffee shop or a customer location and enterprise applications. It protects data in transit from prying eyes, especially when traversing unsecured networks like public Wi-Fi hotspots. VPNs often come integrated with enterprise firewalls and are a staple of virtually all enterprise security architectures.

VPN 'Anonymizers' are on the rise

VPN has gained a shadier reputation in recent years. Specific VPN implementations for consumers provide not only an encrypted communication channel but also an effective way to hide the source IP address of the end user.

Why is the IP address important?

IP addresses can be used as a key to GEO-IP location services that can pinpoint the exact location of the user. We see such services in action when Google, for example, presents a localized search page based on the location of the user.

This 'anonymization' capability has multiple implications. It could be a way to fight government censorship of content for its citizens (within a specific country). It can also protect the downloading of pirated copies of media such as music albums or movies. Another 'popular' use is bypassing the restrictions placed by content service providers, like Netflix or Pandora, on content consumption in markets where they don't officially serve or where their content license doesn't apply.

Encrypted communication channels could also form the basis for data exfiltration, especially as they work hard to evade detection.

The VPN 'Cat and Mouse' Game

We are witnessing a continuous battle between the 'VPN providers' and the 'monitoring tools'. As some organizations are trying to either detect VPN services or block VPN users, the VPN providers are becoming stealthier with their various evasion techniques.

During a traffic analysis conducted at Cato Networks research lab, we found two interesting tactics used by several VPN solutions:

1. Various VPNs use SSL encryption, but analyzing their traffic shows that their SSL handshakes have distinguishing characteristics.

Figure 1, below, shows SSL traffic where the server name in the SNI header matches the server certificate's subject. Figure 2 shows TOR browser traffic where there is no match at all, and the subject and issuer names are meaningless.


Figure 1: Standard SSL, Server Name Match

Figure 2: Server Name Mismatch with TOR

Figure 3, below, is a disturbing example of SSL traffic we've seen in the wild. In this case, the SSL server's certificate is pretending to be a Microsoft Windows Update certificate.

Figure 3: Fake Microsoft Windows Update

Examination of the certificate shows that it is self-signed and not signed by Microsoft at all. Apparently, the VPN provider created its own certificate with details similar to Microsoft's and those of Microsoft's Certificate Authority. That way, its SSL handshake traffic looks similar to MS Windows Update's (see issuer-name:, common-name: Microsoft Update Secure Server CA 1).

2. QUIC Protocol

The QUIC protocol was designed at Google and implemented in Google Chrome in 2013. Figure 4, below, shows a VPN client using QUIC traffic for tunneling. Because Google Chrome uses QUIC heavily, the protocol gains credibility as a legitimate application, and VPN providers are taking advantage of this opportunity.


Figure 4: QUIC protocol used by VPN Anonymizer to mask as 'Google traffic'

QUIC uses UDP over port 443, and because this protocol is mainly associated with Google Chrome, IT organizations may allow this type of traffic. However, this protocol can also be used by any other app, as well as by malware trying to exfiltrate data. Hence, organizations should treat this traffic as they would 'TCP traffic', and it should be fully inspected as well.
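Added example (not from the original article and not Cato Networks' code) of detection logic for the three signals described above: SNI versus certificate-name mismatch, an untrusted certificate that borrows a vendor's name, and QUIC on UDP/443. The TlsFlow schema, the vendor list and the sample flows are constructed assumptions; a real sensor would fill the fields from a TLS parser and a chain-validation result.

```python
from dataclasses import dataclass, field

@dataclass
class TlsFlow:
    proto: str                   # "tcp" or "udp"
    dport: int
    sni: str = ""                # server_name from the ClientHello
    subject_cn: str = ""         # certificate subject common name
    issuer_cn: str = ""          # certificate issuer common name
    sans: list = field(default_factory=list)   # subjectAltName DNS names
    chain_trusted: bool = True   # True if the chain validates to a trusted root

# Vendor strings that should never appear in a certificate that fails validation (constructed list).
IMPERSONATED = ("microsoft", "windows update", "google")

def name_matches(hostname: str, pattern: str) -> bool:
    """Compare an SNI value with a certificate name; '*' is allowed only as the leftmost label."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("*."):
        hl, pl = h.split("."), p.split(".")
        return len(hl) == len(pl) and hl[1:] == pl[1:]
    return h == p

def classify(flow: TlsFlow) -> list:
    """Return the evasion signals present in one flow, in a fixed order."""
    findings = []
    if flow.proto == "udp" and flow.dport == 443:
        findings.append("quic-udp-443")   # treat like TCP/443: inspect, do not whitelist as Chrome
    cert_names = [n for n in [flow.subject_cn, *flow.sans] if n]
    if flow.sni and cert_names and not any(name_matches(flow.sni, n) for n in cert_names):
        findings.append("sni-cert-mismatch")
    if not flow.chain_trusted:
        text = f"{flow.subject_cn} {flow.issuer_cn}".lower()
        if any(v in text for v in IMPERSONATED):
            findings.append("untrusted-cert-impersonates-vendor")
        else:
            findings.append("untrusted-cert")
    return findings

# Constructed sample flows mirroring Figures 1-4; hostnames and CNs are made up.
SAMPLE_FLOWS = {
    "standard": TlsFlow("tcp", 443, "www.example.com", "www.example.com", "Example CA", ["www.example.com"]),
    "tor-like": TlsFlow("tcp", 443, "www.q7x2k.com", "www.m4pz1.net", "www.m4pz1.net", [], chain_trusted=False),
    "fake-msft": TlsFlow("tcp", 443, "update.microsoft.com", "update.microsoft.com",
                         "Microsoft Update Secure Server CA 1", ["update.microsoft.com"], chain_trusted=False),
    "quic": TlsFlow("udp", 443),
}

def triage(flows: dict = SAMPLE_FLOWS) -> dict:
    return {label: classify(f) for label, f in flows.items()}
```

Each flow label maps to its findings; an empty list means none of the three signals fired.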

Consumer VPN services are adopting evasive techniques against detection. It is very likely they will enable a new class of enterprise threats. Malware can use the VPN client as a node in a VPN network that provides anonymization capabilities or act as part of a botnet in a DDoS attack. Furthermore, malicious insiders can use these protocols to present a 'legitimate profile' while attempting to exfiltrate data. As this is an endless cat and mouse game, security vendors will have to adopt a more holistic approach to monitor WAN and Internet-bound traffic at multiple layers to detect malicious activities and reduce the risk of a data breach.


Written by: Elad Menahem, Head of Security Research at Cato Networks, a company on a mission to make networking and security simple again. Elad is a security expert with over 12 years of experience in cyber-security. Prior to Cato Networks, he was an enterprise security research manager at Trusteer, which was acquired by IBM. He has vast knowledge in network and endpoint security research, focusing on research and development of breakthrough methods for malware detection.

