As enterprises get better about encrypting network traffic to protect data from potential attacks or exposure, online attackers are also stepping up their Secure Sockets Layer/Transport Layer Security (SSL/TLS) game to hide their malicious activities. In the first half of 2017, an average of 60 percent of transactions observed by security company Zscaler have been over SSL/TLS, the company’s researchers said. The growth in SSL/TLS usage includes both legitimate and malicious activities, as criminals rely on valid SSL certificates to distribute their content. Researchers saw an average of 300 hits per day for web exploits that included SSL as part of the infection chain.
“Crimeware families are increasingly using SSL/TLS,” said Deepen Desai, senior director of security research at Zscaler. Malicious content being delivered over SSL/TLS has more than doubled in the past six months, Zscaler said. The company blocked an average of 8.4 million SSL/TLS-based malicious activities per day in the first half of 2017 for its customers on its Zscaler cloud platform. Of those blocked, an average of 600,000 per day were advanced threats. Zscaler researchers have seen 12,000 phishing attempts delivered over SSL/TLS per day in the first half of 2017, a 400 percent increase from 2016.
These figures tell only part of the SSL/TLS story, as Zscaler didn’t include other types of attacks, such as adware campaigns using SSL/TLS to deliver their payloads, in this research.
When the bulk of the enterprise network traffic is encrypted, it makes sense from the criminal perspective to also encrypt their activities since it would be harder for IT administrators to be able to tell the difference between bad and good traffic. Malware families are increasingly using SSL to encrypt the communications between the compromised endpoint and the command-and-control systems to hide instructions, payloads, and other pieces of information being sent. The number of payloads being sent over encrypted connections doubled in the first six months of 2017 compared to all of 2016, said Desai.
About 60 percent of malicious payloads using SSL/TLS for command and control (C&C) activity came from banking Trojan families such as Zbot, Vawtrak and Trickbot, Zscaler said. Another 12 percent were infostealer Trojan families such as Fareit and Papra. A quarter of the payloads came from ransomware families.
Phishing crews also use SSL/TLS, as they host their malicious pages on sites with legitimate certificates. Users think they are on a valid site, since they see the word “secure” or the padlock icon in the browser, not realizing those indicators just mean the certificate itself is valid and the connection is encrypted. There are no promises being made about the legitimacy of the site, or even that it is what it claims to be. The only way a user can tell the site is actually owned by the correct owner is to look at the actual certificate. Some browsers make it easier by displaying the domain owner’s name in the browser, instead of just the word “Secure” or the padlock.
Microsoft, LinkedIn, and Adobe are among the most commonly spoofed brands. Desai said he has seen phishing sites such as nnicrosoft.com (where the two ‘n’ next to each other look like an ‘m’). Other sites being abused by phishing crews include Amazon Seller, Google Drive, Outlook and DocuSign, Desai said.
[Related: Know the limits of SSL certificates]
Don’t blame free certificate authorities (CAs) such as Let’s Encrypt for the rise in attacks using SSL/TLS. While these services have made it much easier and faster for site owners to obtain SSL certificates, they aren’t the only ones mistakenly providing criminals with valid certificates. Desai said his team saw certificates from established CAs as well. While in some cases, the CAs issued certificates when they shouldn’t have, in most cases, the certificates were correctly issued. The criminals had hijacked and abused the legitimate sites—typically well-known cloud services such as Office 365, SharePoint, Google Drive and Dropbox—to host the payload and to collect the exfiltrated data.
For example, Desai described how the CozyBear attack group used PowerShell scripts to mount a hidden OneDrive partition on a compromised machine and copy all the data onto the hidden drive. All activity between the machine and the service, in this case OneDrive, is encrypted by default, and since OneDrive is frequently used for business reasons, IT departments don’t always notice the attacks. The attackers don’t need to fraudulently obtain a certificate, as OneDrive provides that level of protection for all users.
[Related: It's time to upgrade to TLS 1.3 already, says CDN engineer]
Encryption is not optional for enterprises, and because of that, they need to also think about SSL inspection. This can be provided by a cloud-based platform, such as what Zscaler offers, or by appliances that are deployed inline, such as those offered by Microsoft, Arbor Networks and Check Point (to name a few). Users need the assurance their information will not be intercepted by unauthorized parties when they are online, but enterprises need a way to tell which encrypted traffic contains user data and which ones carry malicious instructions. As more attacks rely on SSL/TLS to avoid scrutiny by traditional network monitoring tools, enterprises need to take steps to make sure all data is protected and that bad traffic isn’t sneaking past their defenses.