Stolen data being tunnelled through EU and US

Criminals are directing stolen data through legitimate companies that provide anonymity services, according to security training organisation Sans Institute.

Cybercriminals have shifted away from channelling stolen EU and US data outside those countries' jurisdictions, Sans researcher Maarten Van Horenbeeck wrote in a blog post on Monday. Instead, crooks are using anonymity services companies to receive unencrypted data from compromised machines and then using those companies' VPN services to redirect that data to criminal-controlled servers, wrote the researcher.

"In the past, stolen data was usually moved from the compromised network onto networks under different legal jurisdiction, often in East Asia," wrote Van Horenbeeck. "As of May of this year, however, we noticed these gradually swapping out for networks within the EU and the US."

Organisations such as SecureIX, which provides point-to-point tunnelling-protocol VPN services, are unwittingly involved in the transfer of stolen data, according to Van Horenbeeck.

"Hosts compromised by the attackers were configured to ship data to a specific port on a SecureIX IP," wrote Van Horenbeeck. "It's important to understand that organisations such as SecureIX are not rogue service providers. As is the case with dynamic DNS services, their services can however be abused by various criminal elements."

Van Horenbeeck wrote that Sans had seen a number of attacks where connections were made from compromised corporate networks to SecureIX IP ranges and also to IP ranges for Relakks, a Swedish VPN provider.

The researcher listed the IP addresses in his blog post, but warned they were not a blocklist. However, Van Horenbeeck advised that hosts on corporate networks should not be connecting to those IP ranges.

"These services have very legitimate purposes, and many people use them for exactly what they are intended for: to browse the internet anonymously," wrote Van Horenbeeck. "While it's completely benign for a client to use one of these services to connect to your corporate web service, a host on your network should probably not be initiating connections to the [IP addresses]."

In an email interview with ZDNet.co.uk, Van Horenbeeck wrote that these incidents were not yet widespread, but that there was a "slow but steady increase" in the number of hosts affected. The researcher declined to name the companies from which data had been stolen, but said the issue had been first drawn to Sans's attention through studying Trojans sent to a New York-based non-governmental organisations, as well as other organisations.

Sans investigated a set of targeted Trojans that were sent to members of the organisation. They contained code that sent data to a host name registered through a Chinese dynamic DNS provider. These hostnames initially resolved to hosts in East Asia, but then afterwards to machines on the SecureIX and Relakks address space, wrote Van Horenbeeck.

"We were able to confirm that the IP addresses to which this resolved at both providers actually responded and sent commands back to an infected workstation," Van Horenbeeck added.

SecureIX and Relakks had not responded to a request for comment at the time of writing.