Encryption protocols like SSL and HTTPs are designed to protect us when surfing the web, but increasingly these tools are being used by cybercriminals to obfuscate their attacks, hide in networks and ultimately carry out more successful, prolonged attacks that evade detection.
Criminals are increasingly using encrypted channels to hide attacks or make them harder to disrupt.
The Zscaler 2020 State of Encrypted Attacks reported that encrypted cyber attacks have spiked by 260%, with over 6.5 billion threats hidden within encrypted traffic as of September 2020. Similarly, HTTPS connections are another avenue threat actors use to gain unauthorized access to vulnerable networks. Understanding how cybercriminals work, and the holes they look for in your network, is vital to establishing an efficient security strategy.
From encrypted databases to images (Steganography) to conversations between nefarious actors on the network, encryption is as much a tool for bad as for good. Here, we look at how cyber-criminals are using different encryption protocols to scale-up their attacks:
How SSL Is Used in Attacks
Attackers have long been using SSL channels as part of a full attack cycle, from delivering exploits/payloads to pointing victims to phishing pages/compromised sites in a bid to fake authenticity.
In addition, many malware families are using SSL-based command and control (C&C) to reduce the likelihood of defense interference, while attackers commonly look to encrypt and leak confidential data and files using SSL connections when in the exfiltration stage, again in a bid to reduce defense visibility and the likelihood of disruption.
And to date, criminals have been relatively successful of using SSL to hide big attacks, such as the Zeus botnet.
So, why is SSL proving so successful for cyber crimecybercrime? Well, simply put, organizations usually don’t often inspect SSL traffic because they assume that it comes from trusted sources. In short, they think it is secure and this, coupled with the increasing ease at which you can obtain legitimate SSL certificates, means that SSL is a common blind spot for CISOs and their teams.
Up to 80% of enterprise traffic is SSL encrypted, but that is no reason to drop the ball on cyber security. Zscaler stated in its report that “it’s increasingly important to recognize that SSL traffic is not necessarily secure traffic. Just as the use of encryption has increased, so has its use among adversaries to hide their attacks”.
Attackers are increasingly looking at how they can leverage SSL for the full delivery, from the start to the end. Take digital certificates as one example; recent research from Fidelis Security researcher Jason Reaves showed how it’s possible for SSL certificates to be used in such a way that they bypass traditional detection methods that don’t inspect certificate values.
In addition, a recent SSL Threat Report from Zscaler found that the number of SSL-encrypted transactions concealing advanced threats had increased by 30 percent in the second half of 2017260%, and there is a 500% increase in ransomware over SSL.
In its February 2018 SSL Threat Report, Zscaler tracked an average of 800,000 SSL-protected communications harboring malicious elements every day in H2 2017, marking a significant rise from 600,000 a day recorded over the previous six months.A significant trend that has resulted from the COVID-19 pandemic is the indiscriminate target of the healthcare industry. A staggering 26% of malware blocked on encrypted channels were impacting healthcare.
“No industry is immune to security threats” Zscaler’s report concluded. “As more traffic is encrypted, inspecting that traffic has become mission critical. A multilayered defense-in-depth strategy that fully supports SSL inspection is essential to ensure that enterprises are protected from escalating threats hiding in their encrypted traffic”.
Ultimately, whilst encryption is essential, you must maintain a tight control over the digital keys and cryptographic certificates that enable encryption. You should also inspect and decrypt traffic on a regular basis, so you can detect and stop attackers before they take advantage of encrypted systems.
How HTTPS Is Used in Attacks
HTTPS is fast becoming the standard of choice for safe web browsing. According to Netmarketshare, over 90 percent of all pages loaded in Chrome used HTTPS as of October 2019. The search giant is finally taking steps to penalize publishers and website creators who don’t make the switch over from HTTP, including secure (https://) websites that still load insecure HTTP sub resources.
Unfortunately, criminals are now creating attacks that rely on SSL to bypass corporate protections and infiltrate networks undetected. Hackers now use HTTPS encryption to cover their tracks and get past firewalls, sandboxing technologies, and behavior analytics tools. This is a stealthy and easy way to get malware onto the network without ringing any alarm bells.
There have been some notable attacks leveraging such techniques, including CryptoWall ransomware, and this is because defensive measures once thought effective are no longer properly doing their job. Firewalls, anti-malware solutions and IDS tools will often let HTTPS-traffic straight through, with even modern sandboxing technologies and behavioral analytics not configured to detect and neutralize HTTPS attacks.
The consequences of these attacks can be financially devastating. Cyber Security Ventures estimates that cost of ransomware cyber attacks will be as high as $20 billion by the end of 2021.
How can you prevent SSL attacks or HTTPS attacks?
The rising instance of cyber attacks and data breaches clearly demonstrates that there is no acceptable margin of error when it comes to machine identity management and network security. Protecting your keys and certificates, inspecting your traffic, and embracing automation to eliminate outages are all steps you need to be taking. Ready to get started?
(This blog has been updated. It was originally posted by Jack Walker on May 30, 2018.)