Cybercriminals are increasingly using encryption to launch attacks and evade detection, according to a new report from cloud security vendor Zscaler.
Threat actors use encryption protocols like Secure Sockets Layer and Transport Layer Security (TLS) to disguise malware, conceal malicious traffic and carry out phishing scams — thus fueling a rise in SSL threats — Zscaler’s semiannual Cloud Security Insights report found.
Zscaler blocked 2.7 million SSL-based phishing attacks over encrypted channels per month in 2018 — a 400% increase when compared with 2017, according to the report. Popular brands like Microsoft Office 365 and OneDrive were most often spoofed for phishing attacks, the report found, followed by Facebook, Amazon, Apple, Adobe, Dropbox and DocuSign.
A key factor behind the rise in SSL threats is the increase in organizations encrypting more of their environments, which allows such threats to blend in with legitimate activity, according to Ed Featherston, distinguished technologist at Cloud Technology Partners, based in Boston.
Featherston also said threat actors are taking advantage of a false sense of security that a valid certificate provides.
“A great example is websites and browsers,” he said. “When using HTTPS, the browser will show that a connection is secure, and the average user may think that means safe. The website could still contain malicious material — just that it’s being served up over a secure connection.”
The advent of free SSL certificate providers like Let’s Encrypt has made it very easy for the attackers to procure digital certificates, and it’s another contributing factor behind the increase in SSL threats, according to Deepen Desai, vice president of security research at Zscaler, based in San Jose, Calif.
“Hackers, in some ways, are the ultimate example of applying an agile model to their work, adapting quickly to the environment they are trying to breach,” Featherston said. “The increase in SSL-based threats is an example of this.”
ThreatLabZ — cloud security vendor Zscaler’s research group — analyzed encrypted traffic across the Zscaler cloud from July through December 2018 and found phishing scams were not the only threat taking advantage of SSL.
The Zscaler cloud blocked an average of 196 million instances of malicious content, including compromised websites, malicious redirect scripts and malvertising attempts, according to the report. Additionally, an average of 32 million botnet callback attempts and 240,000 browser exploitation attempts were blocked every month in 2018.
“Overall, internet traffic is moving toward encrypted channel, and it’s very likely that more and more attacks are going to get delivered through those encrypted channels,” Desai said.
Defending against SSL threats
Nearly 32% of all newly registered domains blocked by the Zscaler cloud were using SSL for serving content, Desai said.
Deepen Desaivice president of security research, Zscaler
“What will generally happen is, once you use a domain for any kind of attack, there will be a reputation that will get logged, and that domain will start featuring in various reputation-based block lists,” he said. “In order to improve the success and evade detection, the attackers will keep registering new domains and new certificates to launch spam campaigns, and then they will move on to a new one.”
Desai said the majority of the certificates involved in security blocks in the Zscaler cloud were issued by Let’s Encrypt, followed by Sectigo — formerly Comodo CA — and DigiCert, among others, and the vast majority of the certificates involved in the security blocks were domain-validated certificates (89%).
“Domain-validated certificates, by design, [are] very tough to secure, and they will continue to be abused,” Desai said. “Any organization that is risk-averse should start moving toward Organization Validated and Extended Validated certificate types, because it really helps the end user to differentiate between a phishing site versus a legitimate site.”
Apart from bolstering user training, Desai said, it is crucial that organizations have a balanced SSL traffic inspection strategy.
“The No. 1 thing that most enterprises should do is they should open up the SSL connection and inspect the content that is being delivered,” Desai said. “In this day and age when almost 80% of all internet traffic is encrypted, if you’re not opening those SSL connections, then you have a pretty big blind spot.”
Security strategies should always include mechanisms to detect and hopefully prevent attempts to send malicious content into an environment, Featherston said. Encrypting data in flight with SSL or TLS protects a company’s data, but also provides a potential level of protection and obscurity to malicious content entering their environment.
“Given that, having an SSL inspection strategy should be a key component of an overall security strategy,” he said. “There are a variety of tools and mechanisms out there for performing SSL inspection to examine for potentially malicious content before it reaches the intended target. Which tools are a classic depends on a business’s environment, what other security strategy components are in place and how they are executing their security protections.”