Story image

Criminals exploit SSL encryption & free certificates in malware attacks

12 Feb 18

Secure socket layer (SSL) encryption may be growing in popularity as organisations seek to protect their internet traffic but SSL encryption may not be as safe as it appears, according to cloud security firm Zscaler.

SSL encryption is now a means to launch and hide attacks, while free certificates can easily disguise criminals’ movements, the company says. Its cloud platform blocks an average of 800,000 SSL encrypted transactions daily a 30% increase since the first half of 2017.

According to research, attackers are using SSL channels as part of a full attack cycle by:

A.   the initial delivery vectors like malvertising, compromised sites, phishing pages, and malicious sites hosting the initial loading page; 
B.   leading to the exploit and/or malware delivery stage – use of SSL to deliver exploit and/or malware payloads
C.    and then to call home activity – many prevalent malware families are using SSL based Command and Control communication protocol.

“Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack,” explains Zscaler senior director of research and security operations, Deepen Desai.

Attackers are putting those flaws to good use – Zscaler spotted distribution of new malicious payloads in its sandbox last year, many of which leveraged SSL/TLS for communication with their command & control server activity.

Popular malware included banking Trojans (60%), ransomware (25%), Infostealer Trojans (12%) and others (3%).

The company delved deep into 6700 arbitrary SSL transactions to understand how attackers were using security certificates. Most of them were valid websites with compromised certificates, however in some cases attackers were making use of free certificates specifically for delivering malicious content.

To further study the use of how attackers exploited free certificates, Zscaler examined three certificate types: domain validated (DV), organisation validated (OV) and extended validation (EV).

Research found that DV certificates, which often have a validity period of three months and a less stringent vetting process, were used in 74% of cases in which Zscaler Cloud blocked SSL content.

55% of the 2800 certificates had a validity period of less than 12 months, while 35% had a validity period of less than three months.

According to Google’s Transparency Report, 80% of pages loaded in Chrome had HTTPS in December 2017, while Firefox reported 66.5%.

According to Zscaler, organisations don’t often inspect SSL traffic because they assume it comes from trusted sources. That has now changed and SSL is now a ‘significant’ blind spot for cyber defence, particularly as free certificates and less stringent vetting processes muddy the waters.

“SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defence-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure,” Desai concludes.