Multiple VPN Logins From Different Countries means that the same user account is trying to log in from multiple geographical locations through VPN endpoints within a short timeframe. While VPNs are commonly used to hide a user's actual location or to access services securely, such behaviour often indicates suspicious activity, particularly when the logins span different countries.
As a SOC analyst, Sarah starts her day with tea and biscuits and refreshes her dashboard every minute; she gets new alerts. Among the usual login attempts, a peculiar pattern grabs her attention.
“Multiple VPN logins from different countries or different IPs, all tied to the same user account?” Sarah exclaims on seeing multiple alerts; after checking, she knows this isn’t normal.
The Investigation:
The rule flags a scenario where a single user account is seen logging in from different IPs through VPN endpoints from geographically distant countries, often within a short span of time. For example:
- At 10:05 AM, the user logs in from a VPN server in Germany.
- At 10:15 AM, another login appears from a VPN server in Singapore.
- Moments later, the same account accesses a VPN endpoint in Canada.
While VPNs can mask a user’s physical location, this kind of behaviour suggests one of two possibilities:
- The user is hopping between VPN servers at lightning speed (unlikely in most legitimate cases).
- The account credentials have been compromised and are being used by attackers from multiple locations.
"Detections can also occur within the same country. Even in such cases, they should be considered suspicious. The two IPs you observed are from Jio and Airtel, which might indicate that the user switched networks from Jio to Airtel. However, this activity should still be considered suspicious behaviour, as the same user is connecting to the VPN from two different IPs."
The Possible Culprits
- Credential Theft: Attackers often exploit stolen credentials to access organizational resources.
- Malicious Activity: Such logins could be used to exfiltrate data, install malware, or execute attacks.
- Evasion Tactics: Attackers might use multiple VPN logins to bypass geo-based restrictions and confuse monitoring systems.
The Attack:
An attacker gains access to an employee’s VPN credentials. One attacker logs in through a VPN endpoint in Russia, while another attacker, using the same credentials, logs in from Brazil. Within moments, the account shows activity from a third endpoint in Hong Kong.
Response:
- Sarah followed the incident response protocol and promptly notified all relevant infrastructure teams, including the Firewall Team, AD Team, and Service Desk Team.
- After obtaining the required approvals, the AD Team and Service Desk Team immediately disabled the compromised account and reset the user's password. Meanwhile, the Firewall Team blocked all associated IPs.
- After resetting the credentials and notifying the user, Sarah received an update that the logins were not recognized by the user.
- She conducted a deeper investigation and discovered evidence of credential theft through a phishing email.
- By reviewing the logs for the sender's address and the email subject line over the past seven days, she found that the phishing email had been sent only to the victim.
- Since only this user was affected, mitigations were applied, including resetting the password and unlocking the account.
- Where the attacker had successfully logged in using the stolen credentials, Sarah reviewed the user's activities to identify any unauthorized changes and implemented rollbacks where necessary.
- To prevent similar incidents in the future, she recommended strengthening policies and enhancing security measures.
Rule Logic Reference
IF (Log Source = "VPN Logs")
AND (Event Name = "Login Successful")
AND (Count of Logins by Same User >= 2)
AND (Timeframe <= 15 minutes)
AND NOT (UserID IN Exclusion List)
THEN Trigger an Alert
(Maintain the Exclusion List as a reference set of approved accounts, such as service accounts that legitimately connect from several sites, and exclude them.)
Also alert when at least two events are seen with the same username and event name but a different source geographic country/region within 2 hours.
Tune the thresholds and the exclusion list accordingly for your customer.
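The following is an added example, not code from the original article, that turns the two rule conditions above (two or more successful logins from different source IPs by one user within 15 minutes, and two or more successful logins from different countries within 2 hours) into a runnable check over constructed VPN log records. The log format, user names, IP addresses, countries and the svc_monitor exclusion are all invented for the example; it assumes the 15-minute count is taken over distinct source IPs, which is how the Jio/Airtel note above describes the alerts, and that each record already carries a geolocated country code from the SIEM.

```python
"""Added example: the two "Multiple VPN Logins" rule conditions over constructed log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log records (not from the article); IPs are RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    {"time": "2024-05-01 10:05:00", "user": "jdoe", "event": "Login Successful", "src_ip": "203.0.113.10", "country": "DE"},
    {"time": "2024-05-01 10:15:00", "user": "jdoe", "event": "Login Successful", "src_ip": "198.51.100.7", "country": "SG"},
    {"time": "2024-05-01 10:18:00", "user": "jdoe", "event": "Login Successful", "src_ip": "192.0.2.44", "country": "CA"},
    # asmith: two IPs in the same country within 15 minutes (the Jio/Airtel case)
    {"time": "2024-05-01 10:20:00", "user": "asmith", "event": "Login Successful", "src_ip": "203.0.113.55", "country": "IN"},
    {"time": "2024-05-01 10:21:00", "user": "asmith", "event": "Login Failed", "src_ip": "203.0.113.56", "country": "IN"},
    {"time": "2024-05-01 10:30:00", "user": "asmith", "event": "Login Successful", "src_ip": "198.51.100.99", "country": "IN"},
    # bkumar: two countries 105 minutes apart, so only the 2-hour rule fires
    {"time": "2024-05-01 08:00:00", "user": "bkumar", "event": "Login Successful", "src_ip": "203.0.113.80", "country": "IN"},
    {"time": "2024-05-01 09:45:00", "user": "bkumar", "event": "Login Successful", "src_ip": "203.0.113.81", "country": "US"},
    # svc_monitor: a hypothetical approved multi-site account kept in the exclusion reference set
    {"time": "2024-05-01 10:00:00", "user": "svc_monitor", "event": "Login Successful", "src_ip": "203.0.113.90", "country": "GB"},
    {"time": "2024-05-01 10:02:00", "user": "svc_monitor", "event": "Login Successful", "src_ip": "203.0.113.91", "country": "DE"},
]

# The "reference set" of accounts excluded from the rule (assumed membership).
EXCLUSION_LIST = frozenset({"svc_monitor"})


def _successful_logins_by_user(logs, exclusions):
    """Keep only successful logins for non-excluded users, parse timestamps, sort per user."""
    by_user = defaultdict(list)
    for rec in logs:
        if rec["event"] != "Login Successful" or rec["user"] in exclusions:
            continue
        parsed = dict(rec, time=datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S"))
        by_user[rec["user"]].append(parsed)
    for events in by_user.values():
        events.sort(key=lambda r: r["time"])
    return by_user


def _windowed_alerts(by_user, window, field, rule):
    """Sliding window: alert when >= 2 distinct values of `field` occur for one user within `window`."""
    alerts = []
    for user, events in by_user.items():
        for i, cur in enumerate(events):
            in_window = [e for e in events[: i + 1] if cur["time"] - e["time"] <= window]
            values = {e[field] for e in in_window}
            if len(values) >= 2:
                alerts.append({"rule": rule, "user": user, "values": sorted(values),
                               "first_seen": in_window[0]["time"], "last_seen": cur["time"]})
                break  # one alert per user per run; a SIEM would suppress repeats similarly
    return alerts


def detect_rapid_multi_ip_logins(logs, exclusions=EXCLUSION_LIST, window=timedelta(minutes=15)):
    """Rule 1: same user, >= 2 successful logins from distinct source IPs within 15 minutes."""
    return _windowed_alerts(_successful_logins_by_user(logs, exclusions), window, "src_ip", "multi_ip_15m")


def detect_multi_country_logins(logs, exclusions=EXCLUSION_LIST, window=timedelta(hours=2)):
    """Rule 2: same user, >= 2 successful logins from different countries within 2 hours."""
    return _windowed_alerts(_successful_logins_by_user(logs, exclusions), window, "country", "multi_country_2h")


if __name__ == "__main__":
    for alert in detect_rapid_multi_ip_logins(SAMPLE_LOGS) + detect_multi_country_logins(SAMPLE_LOGS):
        print(f"{alert['rule']}: user={alert['user']} values={alert['values']} "
              f"window={alert['first_seen']} .. {alert['last_seen']}")
```

Running it alerts on jdoe under both rules, on asmith under the 15-minute rule only (two IPs, one country), and on bkumar under the 2-hour rule only (two countries, 105 minutes apart), while svc_monitor stays silent because it is in the exclusion set. Failed logins are ignored, matching the rule's "Login Successful" condition.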
The Moral:
Vigilance is key. By setting up rules like Multiple VPN Logins From Different Countries, you can detect compromise early and take action.