The number of SSL-encrypted transactions concealing advanced threats increased by 30 percent in the second half of 2017, reveals a report.
In its February 2018 SSL Threat Report, Zscaler tracked an average of 800,000 SSL-protected communications harboring malicious elements every day in H2 2017. That's up from 600,000 each day over the previous six months.
The report notes that computer criminals abuse SSL across the entire lifecycle of their attacks. They begin with a delivery vector such as phishing, which grew 300% in 2017. Many of these phishing pages are hosted on legitimate domains where the attackers have compromised the site's digital certificate.
Next, the campaigns deliver their malicious payloads over SSL/TLS from Dropbox, AWS, and other cloud services. Banking trojans such as Dridex and Emotet appeared in approximately 60 percent of attacks, followed by ransomware families in a quarter of cases and infostealers in 12 percent of campaigns.
Upon successful installation, those threats also use encrypted communications to receive commands from their command and control (C&C) servers.
Deepen Desai, director of security research at Zscaler, explains that these attacks reflect the ability of bad actors to abuse SSL for nefarious purposes:
"While great for privacy, SSL is becoming a significant blind spot for companies as the percentage of encrypted traffic has risen sharply over the years. And, while obtaining the digital certificates for SSL used to require a rigorous vetting process for web sites, they can now be more easily obtained, in some cases, for free."
Indeed, Zscaler found that most websites in an arbitrary sampling of 6,800 attacks involved a valid certificate that malefactors compromised. Other campaigns used short-lived attacks specifically to deliver malware.
Concurrently, the cloud-based information security company detected domain validated (DV) certificates in 74% of attacks. It attributes the high rate to the comparatively shorter validity period, laxer vetting process, and lower price (sometimes free) of DV certificates compared with the more trustworthy organization validation (OV) and extended validation (EV) certificates.
Acknowledging those threats, Zscaler recommends that organizations use a multi-layered defense that ideally includes well-implemented HTTPS inspection to protect their certificates.
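The two observations above (DV certificates dominate, and they tend to be short-lived and cheap) translate into a simple triage check that an HTTPS-inspection or proxy pipeline can apply to each server certificate it sees. The following is an added example written for this article, not code from Zscaler or from the report; it assumes certificate metadata in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the two sample records are constructed values, not real certificates. The DV heuristic relies on the fact that DV certificates carry no verified `organizationName` in the Subject; it cannot tell OV from EV, since that distinction lives in certificate policy OIDs that `getpeercert()` does not expose.

```python
import ssl

# Constructed sample records in the shape returned by ssl.SSLSocket.getpeercert().
# These are made-up values for illustration only, not real certificates.
SAMPLE_CERTS = [
    {   # free, short-lived, domain-validated: no organizationName in the Subject
        "subject": ((("commonName", "login-example.test"),),),
        "issuer": ((("organizationName", "Example Free CA"),),),
        "notBefore": "Jan  1 00:00:00 2018 GMT",
        "notAfter": "Apr  1 00:00:00 2018 GMT",
    },
    {   # organization-validated, two-year certificate
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "Example Bank Inc"),),
            (("commonName", "www.bank.test"),),
        ),
        "issuer": ((("organizationName", "Example Commercial CA"),),),
        "notBefore": "Jan  1 00:00:00 2017 GMT",
        "notAfter": "Jan  1 00:00:00 2019 GMT",
    },
]


def subject_field(cert, name):
    """Return the first value of a Subject attribute (e.g. 'organizationName'), or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None


def validity_days(cert):
    """Length of the certificate's validity window in days (float)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def classify(cert, short_lived_days=90):
    """Heuristic validation level and lifetime of a certificate.

    A Subject without organizationName is treated as domain-validated (DV);
    anything with a verified organization is lumped together as OV/EV because
    EV can only be confirmed from policy OIDs, which this record shape lacks.
    """
    org = subject_field(cert, "organizationName")
    days = validity_days(cert)
    return {
        "common_name": subject_field(cert, "commonName"),
        "validation": "DV" if org is None else "OV/EV",
        "validity_days": days,
        "short_lived": days <= short_lived_days,
    }


def needs_extra_scrutiny(cert):
    """True when the certificate matches the profile the report associates with
    malicious campaigns: DV and short-lived. This is a triage signal for an
    inspection pipeline, not a verdict; plenty of legitimate sites use such certs."""
    info = classify(cert)
    return info["validation"] == "DV" and info["short_lived"]


if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        info = classify(cert)
        print(f"{info['common_name']:<22} {info['validation']:<6} "
              f"{info['validity_days']:>6.0f} days  extra scrutiny: {needs_extra_scrutiny(cert)}")
```

In a real deployment the inspecting proxy would feed the live `getpeercert()` result into `classify()` and use `needs_extra_scrutiny()` to route the flow to deeper content inspection or sandboxing rather than to block it outright; the 90-day threshold is a constructed default and should be tuned to the organization's own traffic baseline.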