Malicious Use of SSL Increases as Attackers Deploy Hidden Attacks

There has been a 260% increase in the use of encrypted traffic to “hide” attacks.

New research by Zscaler, analyzing 6.6 billion security threats, has discovered a 260% increase in attacks during the first nine months of 2020. Among the encrypted attacks was an increase of the amount of ransomware by 500%, with the most prominent variants being FileCrypt/FileCoder, followed by Sodinokibi, Maze and Ryuk.

Zscaler claimed that adversaries have leveraged SSL to hide attacks, “turning the use of encryption into a potential threat without proper inspection.” This means cyber-criminals are using industry-standard encryption methods to hide malware inside encrypted traffic to carry out attacks that bypass detection.

Deepen Desai, CISO and vice-president of security research at Zscaler, said: “We are seeing encrypted channels being leveraged by cyber-criminals across the full attack cycle, starting with initial delivery stage (email with links, compromised sites, malicious sites using SSL/TLS), to payload delivery (payloads hosted on cloud storage services like Dropbox, Google Drive, AWS, etc).”

Tim Mackey, principal security strategist at the Synopsys CyRC, told Infosecurity that using SSL or TLS as part of an attack is an acknowledgement that in 2020, legitimate websites and system traffic will be encrypted.

“Hiding malicious traffic amongst legitimate activity has the distinct benefit of allowing an attacker to progress through the early phases of their attack with a lower risk of detection,” he said. “Further, if the attacker’s toolkit leverages existing system services, such as the encryption modules supplied by the operating system, and popular cloud storage systems, such as Pastebin, GitHub or S3 buckets, then it becomes that much harder to differentiate legitimate access from the malicious.

Also, Matthew Pahl, security researcher at DomainTools, said there are instances where attackers use SSL encryption – over port 443, for example – to exfiltrate data from targets, so the threat outlined in the report is real.

He added: “Organizations should emplace inspection certs on all endpoints in order to carry out SSL inspection. It is also worth remembering, however, that this is not a magic bullet, as the ability to decrypt and read outbound traffic represents just one component of a defense-in-depth strategy.”

Zscaler claimed inspecting encrypted traffic must be a key component of every organization’s security defenses, but the problem is traditional on-premises security tools like next-generation firewalls struggle to provide the performance and capacity needed to decrypt, inspect and re-encrypt traffic in an effective manner. Also attempting to inspect all SSL traffic would bring performance (and productivity) to a grinding halt, so many organizations allow at least some of their encrypted traffic to pass uninspected from trusted cloud service providers.

“This is a critical shortcoming,” the report said. “Failing to inspect all encrypted traffic leaves organizations vulnerable to hidden phishing attacks, malware and more, all of which could be disastrous.”

If inspecting encrypted traffic must be a key component of every organization’s security defenses, are businesses actually able to do this? Mackey said: “Any plan to implement deep inspection of TLS traffic should be reviewed with legal counsel and the business data privacy leaders. As an intermediate step, businesses who operate internal DNS systems can implement network policies that segment their network based on usage profiles. Within each segment, access to cloud-based storage systems can be limited at the DNS layer to only those machines with legitimate business requirements to access them.”

Martin Jartelius, CSO at Outpost24, said: “This is largely an attempt at positioning solutions for ‘legal interception’ towards the market. In part, this of course invades privacy to a great degree, but it also only works if the traffic being sent does not use certificate pinning, or if the traffic being sent in turn does not tunnel encrypted data within the tunnel.

“Detection is great, and if it can be done on the network, that adds a layer and opportunity, but what you need is prevention from initial infection, detection of anomalous user behavior. The ‘legal interception’ solutions in and of themselves are a challenge, for example towards GDPR compliance.”

What’s Hot on Infosecurity Magazine?