VPN and Anonymizer Detection

Lumu provides organizations with detailed visibility into the use of VPNs and other identity-obfuscation or anonymization tools within their networks. This helps distinguish between legitimate use of these services and instances where they may indicate a potential compromise.

Using commercial VPNs in corporate environments can entail a host of security risks, including but not limited to:

  • Bypassing security controls: Commercial VPNs can obscure the browsing activity, network connections, and device behavior within your organization’s network, potentially bypassing security measures implemented by your cybersecurity team. This may allow access to blocked or unsafe sites, increasing the risk of accidental exposure. Even more concerning, malicious actors could exploit these tools to exfiltrate sensitive data without detection.
  • Shadow IT and lack of visibility: Shadow IT, or the use of unapproved software, hardware, or cloud services within your organization, poses a latent cybersecurity risk because your organization has no control over or visibility into unsanctioned assets. This also introduces potential compliance risks and vulnerabilities.
  • Untrusted infrastructure: The infrastructure of commercial VPNs is managed by third parties, which means that even well-known providers cannot be fully trusted. Connections are routed through their servers, placing all transferred data under their control. Many commercial VPNs are known to access and leverage user data for commercial purposes, posing a significant risk to corporate information.
  • Compliance risks: Organizations must adhere to strict data management and compliance policies that require robust security controls, visibility, and proper handling of sensitive data. Transferring data through unauthorized infrastructure violates these policies and could lead to decertification during an audit. Such a breach could result in significant reputational damage and financial loss—risks that can be entirely avoided by using approved and properly secured tools.

How to differentiate between legitimate and illegitimate use of a VPN or anonymization tool

When the use of a VPN within your network is detected, you can start discerning the legitimacy of its use by asking yourself and those within your team the following questions:

  • Do your organization's cybersecurity policies allow the use of commercial VPN services?
    • If yes, continue to the next question. If not, this is very likely a cybersecurity incident.
  • Is the detected VPN (e.g., TunnelBear) on the list of approved tools?
    • If yes, you may choose to mute this activity.
    • If not, this could indicate unauthorized or risky behavior (e.g., anonymized browsing, data exfiltration attempts).
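The following is an added example, not Lumu's code, showing how the decision questions above can be applied mechanically to a batch of detections. It assumes a constructed indicator map (provider name to example domain suffixes, which are placeholders and not Lumu's detection signatures), constructed log lines of the form `timestamp host queried-domain`, and a caller-supplied policy flag and approved-tool set.

```python
"""Added example (not Lumu's code): detect anonymizer traffic in sample
log lines, then triage each detection with the three policy questions.

Everything below is constructed for illustration: the indicator map, the
log format and the sample records are placeholders, not real signatures.
"""
from dataclasses import dataclass

# Constructed indicator map: provider -> domain suffixes. A real detection
# keys on richer telemetry; this stands in for it.
VPN_INDICATORS = {
    "TunnelBear VPN": ("tunnelbear.example",),
    "NordVPN": ("nordvpn.example",),
    "TOR": ("torproject.example",),
}

# Verdict severity, used to keep the worst outcome per host.
SEVERITY = {"mute": 0, "investigate": 1, "incident": 2}


@dataclass(frozen=True)
class Detection:
    host: str
    provider: str
    domain: str


def detect_anonymizers(log_lines):
    """Return one Detection per log line whose domain matches an indicator."""
    found = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of guessing
        _timestamp, host, domain = parts
        domain = domain.lower().rstrip(".")  # normalise trailing-dot FQDNs
        for provider, suffixes in VPN_INDICATORS.items():
            if any(domain == s or domain.endswith("." + s) for s in suffixes):
                found.append(Detection(host, provider, domain))
                break
    return found


def triage(detection, commercial_vpn_allowed, approved_tools):
    """Apply the page's questions and return a verdict:
    'incident'    - policy forbids commercial VPNs entirely
    'mute'        - allowed by policy and this provider is approved
    'investigate' - allowed in principle, but this provider is not approved
    """
    if not commercial_vpn_allowed:
        return "incident"
    if detection.provider in approved_tools:
        return "mute"
    return "investigate"


def triage_logs(log_lines, commercial_vpn_allowed, approved_tools):
    """Detect and triage in one pass; returns {host: most severe verdict}."""
    verdicts = {}
    for d in detect_anonymizers(log_lines):
        v = triage(d, commercial_vpn_allowed, approved_tools)
        current = verdicts.get(d.host)
        if current is None or SEVERITY[v] > SEVERITY[current]:
            verdicts[d.host] = v
    return verdicts


# Constructed sample records (timestamp, host, queried domain).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z wks-01 api.tunnelbear.example",
    "2024-01-01T10:00:05Z wks-02 www.corp-intranet.example",
    "2024-01-01T10:00:09Z wks-03 update.nordvpn.example.",
    "2024-01-01T10:00:12Z wks-03 check.torproject.example",
    "malformed line",
]

if __name__ == "__main__":
    # Policy allows commercial VPNs; only TunnelBear is approved.
    print(triage_logs(SAMPLE_LOGS, True, {"TunnelBear VPN"}))
```

Run as-is, `wks-01` (approved TunnelBear) is reported as `mute` while `wks-03` (unapproved NordVPN plus TOR) is `investigate`; flipping the policy flag to `False` turns every detection into `incident`, matching the first question's "very likely a cybersecurity incident" outcome.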

Which types of VPN/anonymization tools can Lumu detect

Lumu is capable of detecting some of the most widespread identity-obfuscation and anonymization methods, such as the use of the TOR (The Onion Router) Network to obscure the routing of internet connections through the deep web, as well as a wide range of VPN providers, including but not limited to the following list:

  • AirVPN
  • AnonVPN
  • Anonine VPN
  • BlackVPN
  • BTguardVPN
  • BulletVPN
  • CeloVPN
  • Cryptostorm VPN
  • CyberGhostVPN
  • ExpressVPN
  • FastestVPN
  • FreeVPN
  • FrootVPN
  • GhostPath VPN
  • Giganews VPN
  • GooseVPN
  • Hide My A** VPN
  • Hide.me VPN
  • HideIPVPN
  • Hotspot Shield VPN
  • IntegrityVPN
  • IPVanish
  • Ivacy VPN
  • IVPN
  • LimeVPN
  • LiquidVPN
  • MullvadVPN
  • NordVPN
  • OVPN
  • Perfect Privacy
  • Privado
  • Private Internet Access
  • PrivateVPN
  • ProXPN
  • ProtonVPN
  • PureVPN
  • RA4WVPN
  • SaferVPN
  • SlickVPN
  • SmartDNSProxy VPN
  • Surfshark VPN
  • tigerVPN
  • TorGuard VPN
  • TotalVPN
  • Trust.Zone VPN
  • TunnelBear VPN
  • VanishedVPN
  • VPNArea
  • VPN.ac
  • VPN Unlimited
  • VPNBook
  • VPNFacile
  • VPNSecure
  • VPNTunnel
  • VPN.ht
  • VyprVPN
  • WiTopia VPN
  • Windscribe VPN
  • ZoogVPN

If you need assistance handling this type of incident, refer to our Anonymizer Incident Response Playbook, which provides detailed guidance on investigation and mitigation procedures for this kind of scenario.

To better understand how malicious actors use commercial VPNs and TOR anonymization to carry out attacks, consult our blog entry on How Cybercriminals Hide Attacks and Identities.
