SSL Encryption and How Criminals Exploits it for Malware Attacks

According to a cloud security firm headquartered in California says “Secure socket layer (SSL) encryption may be growing in popularity as organizations seek to protect their internet traffic but SSL encryption may not be as safe as it appears.”

It is now used to launch attacks, while free SSL encryption certificate can easily disguise the criminals’ movements. According to the company it blocks an average of 800,000 encryptions daily, which is a 30 percent increase compared to 2017.

Attackers are using SSL channels as part of the attack.

• It starts from compromised websites, malvertising, phishing pages, and malicious sites hosting the initial loading page;
• Use of SSL to deliver exploit and/or malware payloads leading to the exploit and/or malware delivery stage –
• Many prevalent malware families are using SSL based Command and Control communication protocol.

The senior director of research and security operations, from Zscaler, said: “Web properties, are quickly adopting SSL/TLS to curb privacy concerns, but without an inspection of encrypted traffic, enterprises run the risk of an attack.”

The company, Zscaler spotted distribution of new malicious payloads in its sandbox last year, and note the attackers were putting those flaws to good use. For communication, they leveraged SSL/TLS with their command & control server activity. Popular malware included banking Trojans, ransomware, and others (3%).

To understand how the attackers were using security certificates, it was found most of the website using security certificates was compromised websites. It even used it to deliver malicious content. It was investigated on all the three types of certificates: domain validated (DV), extended validation (EV) and organizational validation (OV), and found that (DV) which had a validity period of three months was not tightly maintained and was used in most of the cases.

35% had a validity period of fewer than three months, while 55% of the 2800 certificates had a validity period of fewer than 12 months.

According to Google’s Transparency Report, 80% of pages loaded with Chrome had HTTPS in December 2017, while Firefox reported 66.5%.

According to Zscaler, organizations don’t often inspect SSL traffic because they assume it comes from trusted sources. That has now changed and SSL is now a ‘significant’ blind spot for cyber defense, particularly as free certificates and less stringent vetting processes muddy the waters.

“SSL inspection can cause significant performance degradation on security appliances. These latest findings suggest that a multi-layer defense-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure,” Desai concludes.