Story image

Criminals exploit SSL encryption & free certificates in malware attacks

12 Feb 2018

Secure socket layer (SSL) encryption may be growing in popularity as organisations seek to protect their internet traffic but SSL encryption may not be as safe as it appears, according to cloud security firm Zscaler.

SSL encryption is now a means to launch and hide attacks, while free certificates can easily disguise criminals’ movements, the company says. Its cloud platform blocks an average of 800,000 SSL encrypted transactions daily a 30% increase since the first half of 2017.

According to research, attackers are using SSL channels as part of a full attack cycle by:

A.   the initial delivery vectors like malvertising, compromised sites, phishing pages, and malicious sites hosting the initial loading page;  B.   leading to the exploit and/or malware delivery stage – use of SSL to deliver exploit and/or malware payloads C.    and then to call home activity – many prevalent malware families are using SSL based Command and Control communication protocol.

“Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack,” explains Zscaler senior director of research and security operations, Deepen Desai.

Attackers are putting those flaws to good use – Zscaler spotted distribution of new malicious payloads in its sandbox last year, many of which leveraged SSL/TLS for communication with their command & control server activity.

Popular malware included banking Trojans (60%), ransomware (25%), Infostealer Trojans (12%) and others (3%).

The company delved deep into 6700 arbitrary SSL transactions to understand how attackers were using security certificates. Most of them were valid websites with compromised certificates, however in some cases attackers were making use of free certificates specifically for delivering malicious content.

To further study the use of how attackers exploited free certificates, Zscaler examined three certificate types: domain validated (DV), organisation validated (OV) and extended validation (EV).

Research found that DV certificates, which often have a validity period of three months and a less stringent vetting process, were used in 74% of cases in which Zscaler Cloud blocked SSL content.

55% of the 2800 certificates had a validity period of less than 12 months, while 35% had a validity period of less than three months.

According to Google’s Transparency Report, 80% of pages loaded in Chrome had HTTPS in December 2017, while Firefox reported 66.5%.

According to Zscaler, organisations don’t often inspect SSL traffic because they assume it comes from trusted sources. That has now changed and SSL is now a ‘significant’ blind spot for cyber defence, particularly as free certificates and less stringent vetting processes muddy the waters.

“SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defence-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure,” Desai concludes.

Story image
16 Dec
75% of DevOps professionals say certificate issuance policies slow them down
Less than half of DevOps professionals believe developers always request certificates that serve as machine identities through authorised channels.More
Story image
09 Dec
Unisys delivers new cloud security features on AWS
These automated capabilities of CloudForte help clients enhance security and optimise operations for workloads delivered on AWS as well as in hybrid- and multi-cloud environments.More
Story image
09 Dec
Gartner names Fortinet a Challenger in WAN Edge Infrastructure
Fortinet was also recently named by Gartner as one of the highest three vendors in worldwide market share for enterprise SD-WAN equipment by revenue for Q2 2019.More
Story image
19 Dec
BitSight enhances fourth-party risk management solution
BitSight for Fourth-Party enables customers to identify areas of business and cyber risk. It does this by automatically pinpointing connections between any organisation, its business partners, and potentially risky fourth parties.More
Story image
20 Dec
Kaspersky: Malware variety grows by 13.7% in 2019 due to web skimmers
“The volume of online attacks has been growing for years, but in 2019 we saw a clear shift from certain types of attacks that are becoming ineffective, to the ones focused on gaining clear profit from users."More
Story image
18 Dec
Kiwi ambivalence to fake news leads to millions lost to cyber criminals
"With massive increases in scams and phishing, criminals are benefiting from Kiwis cyber ambivalence, stealing more than $3.8 million in the last quarter alone."More