Story image

Criminals exploit SSL encryption & free certificates in malware attacks

12 Feb 18

Secure socket layer (SSL) encryption may be growing in popularity as organisations seek to protect their internet traffic but SSL encryption may not be as safe as it appears, according to cloud security firm Zscaler.

SSL encryption is now a means to launch and hide attacks, while free certificates can easily disguise criminals’ movements, the company says. Its cloud platform blocks an average of 800,000 SSL encrypted transactions daily a 30% increase since the first half of 2017.

According to research, attackers are using SSL channels as part of a full attack cycle by:

A.   the initial delivery vectors like malvertising, compromised sites, phishing pages, and malicious sites hosting the initial loading page; 
B.   leading to the exploit and/or malware delivery stage – use of SSL to deliver exploit and/or malware payloads
C.    and then to call home activity – many prevalent malware families are using SSL based Command and Control communication protocol.

“Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack,” explains Zscaler senior director of research and security operations, Deepen Desai.

Attackers are putting those flaws to good use – Zscaler spotted distribution of new malicious payloads in its sandbox last year, many of which leveraged SSL/TLS for communication with their command & control server activity.

Popular malware included banking Trojans (60%), ransomware (25%), Infostealer Trojans (12%) and others (3%).

The company delved deep into 6700 arbitrary SSL transactions to understand how attackers were using security certificates. Most of them were valid websites with compromised certificates, however in some cases attackers were making use of free certificates specifically for delivering malicious content.

To further study the use of how attackers exploited free certificates, Zscaler examined three certificate types: domain validated (DV), organisation validated (OV) and extended validation (EV).

Research found that DV certificates, which often have a validity period of three months and a less stringent vetting process, were used in 74% of cases in which Zscaler Cloud blocked SSL content.

55% of the 2800 certificates had a validity period of less than 12 months, while 35% had a validity period of less than three months.

According to Google’s Transparency Report, 80% of pages loaded in Chrome had HTTPS in December 2017, while Firefox reported 66.5%.

According to Zscaler, organisations don’t often inspect SSL traffic because they assume it comes from trusted sources. That has now changed and SSL is now a ‘significant’ blind spot for cyber defence, particularly as free certificates and less stringent vetting processes muddy the waters.

“SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defence-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure,” Desai concludes.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t.