As the amount of SSL traffic continues to grow, cybercriminals are increasingly using encryption to launch and hide attacks, and free certificates have become an easy disguise for attackers. That’s according to Zscaler’s semi-annual ThreatLabZ research update, which examined SSL trends for the second half of 2017.
The Zscaler cloud now blocks an average of 800,000 SSL-encrypted transactions per day because they carry advanced threats, up from an average of 600,000 a day in the first half of 2017, an increase of roughly a third in six months.
ThreatLabZ has seen the SSL-encrypted channel leveraged by cybercriminals across the full attack cycle:
A. the initial delivery vectors, such as malvertising, compromised sites, phishing pages and malicious sites hosting the initial loading page;
B. the exploit and/or malware delivery stage, where SSL is used to deliver exploit and malware payloads;
C. call-home activity, where many prevalent malware families use SSL-based command-and-control (C&C) communication.
Key ThreatLabZ findings include:
– Phishing Site Activity Jumps 300 Per Cent
There was a significant increase, nearly 300 per cent, in phishing attacks delivered over SSL in the Zscaler Cloud in 2017. Malicious content was delivered in various ways, but ThreatLabZ found two patterns more common than the others. One uses a phishing page hosted on a legitimate domain that has been compromised, with the page then delivering malware. The other uses newly registered domains whose names are similar to, but not quite, those of well-known brands, built to imitate the brands’ web sites. Brands the cybercriminals chose to imitate include DocuSign, Microsoft, Apple and Dropbox.
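The second pattern above, lookalike domains registered to imitate a brand, is something a defender can screen for in a feed of newly registered or certificate-transparency-logged names. The following is an added example, not ThreatLabZ code: it folds common digit and Cyrillic homoglyph substitutions, then flags a name when a label contains a brand that the name’s registrable domain does not own (e.g. microsoft.com.verify-account.net) or when a hyphen-separated token is within one Damerau-Levenshtein edit of a brand (e.g. docusgin). The brand list, the allowlist of legitimate domains and the sample names are constructed for the example; the eTLD+1 split is a naive last-two-labels rule that a real deployment should replace with the Public Suffix List.

```python
"""Flag newly registered domains that imitate a brand (typosquats, homographs, brand-in-subdomain).

Added illustration, not ThreatLabZ code. Brand list and allowlist are constructed for the
example; a real deployment would load them from configuration and use the Public Suffix List.
"""
import unicodedata

BRANDS = ("docusign", "microsoft", "apple", "dropbox")
# Registrable domains the brands legitimately use (constructed allowlist; extend per brand).
LEGITIMATE = {"docusign.com", "docusign.net", "microsoft.com", "apple.com", "dropbox.com"}
# Characters attackers swap for look-alike letters: digits/symbols and a few Cyrillic homoglyphs.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})

def normalize(label):
    """Lowercase, decode punycode, fold homoglyphs and leetspeak, strip accents to plain ASCII."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = label.lower().translate(CONFUSABLES)
    return unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()

def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute or swap adjacent."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]

def lookalike(domain, brands=BRANDS, max_distance=1):
    """Return (brand, reason) when `domain` imitates a brand it does not own, else None."""
    labels = domain.strip().lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])  # naive eTLD+1; use the Public Suffix List in production
    if registrable in LEGITIMATE:
        return None
    for label in labels[:-1]:            # every label but the TLD
        norm = normalize(label)
        for brand in brands:
            if brand in norm:            # e.g. microsoft.com.verify-account.net, dr0pbox-share.net
                return brand, f"label '{label}' contains '{brand}'"
            for token in norm.split("-"):  # near misses such as docusgin or dropbpx
                if len(token) >= 5 and edit_distance(token, brand) <= max_distance:
                    return brand, f"token '{token}' is within {max_distance} edit(s) of '{brand}'"
    return None

if __name__ == "__main__":
    # Constructed sample feed of newly registered names, mixed with legitimate ones.
    for name in ["login.microsoft.com", "microsoft.com.verify-account.net", "micr0soft-login.com",
                 "docusgin.com", "dr0pbox-share.net", "\u0430pple-id.com", "example.org"]:
        print(f"{name:40} {lookalike(name)}")
```

The substring rule is deliberately greedy, so dictionary words that embed a short brand (pineapple, snapple) will be flagged; in practice the hits feed a review queue or are scored together with registration age and certificate issuance rather than blocked outright.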
– Diverse and Evolving Malware Payloads
In the second half of 2017, ThreatLabZ saw new, unique malicious payloads in the Zscaler Cloud Sandbox, including malicious documents, Android APKs and executables, that used SSL/TLS for command-and-control (C&C) communication.
Interestingly, the breakdown by payload type was the same as in the first half of 2017: 60 per cent were banking Trojan families, including Dridex, Emotet, Trickbot and Zbot; 25 per cent were ransomware families; 12 per cent were infostealer Trojan families, including Fareit and Papras; and the remaining three per cent were smaller families. Many of these payloads were also delivered over SSL/TLS from legitimate hosting services such as Box, Dropbox, AWS and Google.
– Certain Certificates Are More Popular Vectors
ThreatLabZ investigated an arbitrary sample of approximately 6,700 recent SSL transactions to gain deeper insight into the certificates involved. While the majority of these cases involved legitimate sites with valid certificates that had been compromised, there were also cases where free, short-lived certificates were obtained by the attackers specifically to deliver malicious content.
ThreatLabZ then examined three types of certificates in a random sample of over 2,800 certificates seen between November and December – domain validated (DV), organisation validated (OV) and extended validation (EV) – to learn which, if any, were most prevalent in the malicious transactions. DV certificates, which often have a validity period as short as three months and a less stringent vetting process (the CA checks only control of the domain, not the identity of the organisation behind it), were the most abused: DV certificates, usually free ones, were used in 74 per cent of the cases in which SSL content was blocked in the Zscaler Cloud. Of the certificates inspected, 55 per cent had a validity period of less than 12 months, and 35 per cent of those had a validity period of three months or less. The CAs that issued certificates seen in blocked transactions included a majority of the well-known authorities, free as well as commercial.
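The DV/OV/EV split and the validity buckets above can be measured directly on a certificate. The following is an added example, not ThreatLabZ code: it walks a DER-encoded X.509 certificate with the Python standard library only, reads notBefore/notAfter, extracts the certificatePolicies extension and maps the CA/Browser Forum reserved policy OIDs (2.23.140.1.2.1 DV, 2.23.140.1.2.2 OV, 2.23.140.1.2.3 IV, 2.23.140.1.1 EV) to a validation type. So that it runs offline, it also carries a tiny DER encoder and build_cert(), which produce a structurally valid but unsigned placeholder certificate with empty names and a dummy key; the dates in sample_certs() and the vendor policy OID 1.3.6.1.4.1.99999.1.2 are constructed for the example. On a real certificate, feed inspect_cert() the bytes from a file or from ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))).

```python
"""Classify an X.509 certificate by CA/B Forum policy OID and validity period (added example)."""
from datetime import datetime, timezone

# CA/Browser Forum reserved certificatePolicies OIDs (Baseline Requirements and EV Guidelines).
CABF_POLICY = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV",
               "2.23.140.1.2.3": "IV", "2.23.140.1.1": "EV"}
OID_CERT_POLICIES = "2.5.29.32"  # id-ce-certificatePolicies

def tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Yield (tag, contents) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, val, pos = tlv(contents, pos)
        yield tag, val

def decode_oid(raw):
    """Dotted string from OID contents; base-128 arcs, high bit marks continuation."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, raw):
    """UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (tag 0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_cert(der_bytes):
    """Validity window, policy OIDs and CA/B Forum validation type of a DER certificate."""
    _, cert, _ = tlv(der_bytes)
    tbs = list(children(next(children(cert))[1]))      # tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0                  # skip explicit [0] version if present
    # tbs[i]=serial, [i+1]=signature alg, [i+2]=issuer, [i+3]=validity, [i+4]=subject, [i+5]=SPKI
    not_before, not_after = (decode_time(t, v) for t, v in children(tbs[i + 3][1]))
    policies = []
    for tag, val in tbs[i + 6:]:
        if tag != 0xA3:                                # [3] EXPLICIT Extensions
            continue
        for _, ext in children(next(children(val))[1]):
            parts = list(children(ext))                # extnID, optional critical, extnValue
            if decode_oid(parts[0][1]) == OID_CERT_POLICIES:
                for _, info in children(next(children(parts[-1][1]))[1]):
                    policies.append(decode_oid(next(children(info))[1]))
    days = (not_after - not_before).days
    return {"not_before": not_before, "not_after": not_after, "validity_days": days,
            "validity_bucket": "<=3m" if days <= 92 else "<12m" if days < 365 else ">=12m",
            "policies": policies,
            "validation": next((CABF_POLICY[p] for p in policies if p in CABF_POLICY), "unknown")}

# --- constructed sample input: minimal DER encoder and an unsigned placeholder certificate ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return der(0x06, bytes(out))

def build_cert(not_before, not_after, policy_oids):
    """Structurally valid certificate with empty issuer/subject, dummy key and no real signature."""
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = der(0x30, encode_oid("1.2.840.113549.1.1.11"))
    policies = der(0x30, b"".join(der(0x30, encode_oid(p)) for p in policy_oids))
    ext = der(0x30, encode_oid(OID_CERT_POLICIES) + der(0x04, policies))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + der(0x30, b"") + der(0x30, utc(not_before) + utc(not_after)) + der(0x30, b"")
              + der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1")) + der(0x03, b"\x00"))
              + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))

def sample_certs():
    """Constructed inputs: a 90-day DV certificate and a two-year OV one (vendor OID is made up)."""
    return {"dv_90d": build_cert(datetime(2017, 11, 1), datetime(2018, 1, 30), ["2.23.140.1.2.1"]),
            "ov_2y": build_cert(datetime(2017, 1, 1), datetime(2019, 1, 1),
                                ["1.3.6.1.4.1.99999.1.2", "2.23.140.1.2.2"])}

if __name__ == "__main__":
    for name, cert in sample_certs().items():
        print(name, inspect_cert(cert))
```

Two caveats when running this over real traffic: certificates issued before CAs adopted the CA/B Forum reserved OIDs carry only vendor policy OIDs and come back as "unknown", and the validation type says nothing about whether the site is malicious; a DV certificate on a compromised legitimate site is exactly the case the report counts most often.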
Deepen Desai, Senior Director of Research and Security Operations, Zscaler, said, “Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack. Yet, SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defense-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure.”
According to Google’s Transparency Report (https://transparencyreport.google.com/https/overview), nearly 80 per cent of pages loaded in Chrome in the US during December were served over HTTPS, and on December 1, 2017, Mozilla reported that 66.5 per cent of all pages loaded in Firefox used HTTPS. Since July 2017, the share of SSL-encrypted traffic on the Zscaler Cloud has grown by 10 per cent to 70 per cent of all web traffic.
SSL was introduced in 1994 and TLS in 1999 in response to growing concerns about the security of data transmitted over the internet. The protocol designed to protect data in transit has, however, become an increasingly popular tool for cybercriminals to hide malicious activity.
SSL-encrypted traffic often goes uninspected because organisations assume it comes from trusted sources, but that assumption no longer holds. While good for privacy, SSL is becoming a significant blind spot for companies as the share of encrypted traffic has risen sharply over the years. And while obtaining an SSL certificate used to require a rigorous vetting process, certificates can now be obtained far more easily, in some cases for free.
Read more about Zscaler’s SSL Inspection here: https://www.zscaler.com/products/ssl-inspection