sb-eu logo
Story image

Criminals exploit SSL encryption & free certificates in malware attacks

12 Feb 2018

Secure socket layer (SSL) encryption may be growing in popularity as organisations seek to protect their internet traffic but SSL encryption may not be as safe as it appears, according to cloud security firm Zscaler.

SSL encryption is now a means to launch and hide attacks, while free certificates can easily disguise criminals’ movements, the company says. Its cloud platform blocks an average of 800,000 SSL encrypted transactions daily a 30% increase since the first half of 2017.

According to research, attackers are using SSL channels as part of a full attack cycle by:

A.   the initial delivery vectors like malvertising, compromised sites, phishing pages, and malicious sites hosting the initial loading page;  B.   leading to the exploit and/or malware delivery stage – use of SSL to deliver exploit and/or malware payloads C.    and then to call home activity – many prevalent malware families are using SSL based Command and Control communication protocol.

“Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack,” explains Zscaler senior director of research and security operations, Deepen Desai.

Attackers are putting those flaws to good use – Zscaler spotted distribution of new malicious payloads in its sandbox last year, many of which leveraged SSL/TLS for communication with their command & control server activity.

Popular malware included banking Trojans (60%), ransomware (25%), Infostealer Trojans (12%) and others (3%).

The company delved deep into 6700 arbitrary SSL transactions to understand how attackers were using security certificates. Most of them were valid websites with compromised certificates, however in some cases attackers were making use of free certificates specifically for delivering malicious content.

To further study the use of how attackers exploited free certificates, Zscaler examined three certificate types: domain validated (DV), organisation validated (OV) and extended validation (EV).

Research found that DV certificates, which often have a validity period of three months and a less stringent vetting process, were used in 74% of cases in which Zscaler Cloud blocked SSL content.

55% of the 2800 certificates had a validity period of less than 12 months, while 35% had a validity period of less than three months.

According to Google’s Transparency Report, 80% of pages loaded in Chrome had HTTPS in December 2017, while Firefox reported 66.5%.

According to Zscaler, organisations don’t often inspect SSL traffic because they assume it comes from trusted sources. That has now changed and SSL is now a ‘significant’ blind spot for cyber defence, particularly as free certificates and less stringent vetting processes muddy the waters.

“SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defence-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure,” Desai concludes.

Story image
Exabeam and Code42 partner up to launch insider threat solution
The solution will give customers a fuller picture of their environment, and will leverage automated incident response to obstruct insider threat before data loss occurs.More
Story image
Revealed: The behaviours exhibited by the most effective CISOs
As cyber-threats pile up, more is being asked of CISOs - and according to Gartner, only a precious few are 'excelling' by the standards of their CISO Effectiveness Index.More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More
Story image
Kaspersky releases new report on consumer’s approach to digital services
COVID-19 related restrictions and the necessity to stay indoors has influenced the way people approach digital services, making them more aware of how securely both they, and their housemates, use the internet.More
Story image
Report: 151% increase in DDoS attacks compared to 2019
It comes as the security risk profile for organisations around the world increased in large part thanks to the COVID-19 pandemic, forcing greater reliance on cloud technology and thrusting digital laggards into quick and unsecured migrations.More