Story image

Criminals exploit SSL encryption & free certificates in malware attacks

12 Feb 2018

Secure socket layer (SSL) encryption may be growing in popularity as organisations seek to protect their internet traffic but SSL encryption may not be as safe as it appears, according to cloud security firm Zscaler.

SSL encryption is now a means to launch and hide attacks, while free certificates can easily disguise criminals’ movements, the company says. Its cloud platform blocks an average of 800,000 SSL encrypted transactions daily a 30% increase since the first half of 2017.

According to research, attackers are using SSL channels as part of a full attack cycle by:

A.   the initial delivery vectors like malvertising, compromised sites, phishing pages, and malicious sites hosting the initial loading page;  B.   leading to the exploit and/or malware delivery stage – use of SSL to deliver exploit and/or malware payloads C.    and then to call home activity – many prevalent malware families are using SSL based Command and Control communication protocol.

“Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack,” explains Zscaler senior director of research and security operations, Deepen Desai.

Attackers are putting those flaws to good use – Zscaler spotted distribution of new malicious payloads in its sandbox last year, many of which leveraged SSL/TLS for communication with their command & control server activity.

Popular malware included banking Trojans (60%), ransomware (25%), Infostealer Trojans (12%) and others (3%).

The company delved deep into 6700 arbitrary SSL transactions to understand how attackers were using security certificates. Most of them were valid websites with compromised certificates, however in some cases attackers were making use of free certificates specifically for delivering malicious content.

To further study the use of how attackers exploited free certificates, Zscaler examined three certificate types: domain validated (DV), organisation validated (OV) and extended validation (EV).

Research found that DV certificates, which often have a validity period of three months and a less stringent vetting process, were used in 74% of cases in which Zscaler Cloud blocked SSL content.

55% of the 2800 certificates had a validity period of less than 12 months, while 35% had a validity period of less than three months.

According to Google’s Transparency Report, 80% of pages loaded in Chrome had HTTPS in December 2017, while Firefox reported 66.5%.

According to Zscaler, organisations don’t often inspect SSL traffic because they assume it comes from trusted sources. That has now changed and SSL is now a ‘significant’ blind spot for cyber defence, particularly as free certificates and less stringent vetting processes muddy the waters.

“SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defence-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure,” Desai concludes.

Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.
IoT and DDoS attacks: A match made in heaven
A10 Network’s Adrian Taylor uses findings from a number of reports to illustrate his point that advances in technology are facilitating cybercrime.
ForgeRock launches Sandbox-as-a-Service to facilitate compliance
The cloud-based testing environment for APIs enables banks to accelerate compliance with Open Banking and PSD2 deadlines.
Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.