SSL was introduced in 1994 and TLS in 1999 in response to growing concerns about the security of data transmitted over the internet. Ironically, the very protocol that was heralded as the ultimate cyber guard has become an increasingly popular tool for cybercriminals to hide their nefarious acts. Organizations often do not inspect SSL encrypted traffic because they assume it comes from trusted sources, but that is no longer the case. While great for privacy, SSL is becoming a significant blind spot for companies as the percentage of encrypted traffic has risen sharply over the years. And while obtaining digital certificates for SSL used to require a rigorous vetting process for web sites, they can now be obtained more easily and, in some cases, for free.
In this bi-annual research update, Zscaler ThreatLabZ examines SSL trends for the latter half of 2017. As the amount of SSL traffic continues to grow, cybercriminals are increasingly using encryption to launch and hide attacks, and free certificates have become an easy disguise for attackers.
According to Google’s Transparency Report, during the month of December the percentage of pages loaded over HTTPS in Chrome in the US was nearly 80 percent, while on December 1, 2017, Mozilla reported that 66.5% of all pages loaded on Firefox were using HTTPS. In fact, since July 2017, the amount of SSL encrypted traffic on the Zscaler Cloud has increased by 10% to a total of 70% of all web traffic.
Threats in SSL Increase by 30%
Further, the Zscaler cloud now blocks an average of 800,000 SSL encrypted transactions per day because they contain advanced threats. This number is a 30% increase in just the last six months; in the first half of 2017, the average was 600,000 threats daily.
ThreatLabZ has seen that cybercriminals continue to leverage the SSL encrypted channel across the full attack cycle:
- initial delivery vectors such as malvertising, compromised sites, phishing pages, and malicious sites hosting the initial loading page;
- the exploit and/or malware delivery stage, where SSL is used to deliver exploit and/or malware payloads;
- call-home activity, where many prevalent malware families use an SSL-based command and control communication protocol.
Phishing Site Activity Jumps 300%
There was a significant increase, nearly 300%, in phishing attacks delivered over SSL in the Zscaler Cloud in 2017. Malicious content was delivered in various ways, but ThreatLabZ found two patterns more dominant than others. One method uses a phishing page hosted on a legitimate domain that has been compromised to deliver malware. Another method witnessed by our research team leverages newly registered domains with similar but incorrect addresses that are programmed to imitate the web sites of well-known brands. Some of the brands cybercriminals chose to imitate include DocuSign, Microsoft, Apple and Dropbox.
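The look-alike domain pattern described above can be triaged from proxy or DNS hostnames with a small check. This is an added example, not ThreatLabZ or Zscaler code; the brand-to-domain table, the substitution map, the edit-distance threshold of 1 and the sample hostnames are assumptions constructed for illustration.

```python
# Added illustration: flag hostnames that imitate a brand on a non-brand domain.
# Assumed allow-list of each brand's real registrable domains (not exhaustive).
BRANDS = {
    "docusign": {"docusign.com", "docusign.net"},
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
    "dropbox": {"dropbox.com"},
}
# Assumed digit substitutions commonly used in look-alike names.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_brand(host):
    """Return the brand a hostname imitates, or None if legitimate or unrelated."""
    labels = host.lower().rstrip(".").split(".")
    # Naive registrable domain (last two labels); a real tool would use the
    # Public Suffix List to handle suffixes such as co.uk.
    registrable = ".".join(labels[-2:])
    if any(registrable in legit for legit in BRANDS.values()):
        return None
    for label in labels[:-1]:  # every label except the TLD
        normalised = label.translate(SUBSTITUTIONS).replace("rn", "m")
        for token in normalised.split("-"):
            for brand in BRANDS:
                if edit_distance(token, brand) <= 1:
                    return brand
    return None

def triage(hosts):
    """Map each suspicious hostname to the brand it resembles."""
    return {h: b for h in hosts if (b := imitated_brand(h))}

# Constructed sample hostnames (reserved .example TLD), not real observations.
SAMPLE = ["www.dropbox.com", "dropb0x-login.example", "docuslgn-secure.example",
          "apple.com.account-verify.example", "intranet.example.org"]

if __name__ == "__main__":
    for host, brand in triage(SAMPLE).items():
        print(f"{host}: resembles {brand}")
```

Hits are leads for analyst review rather than block decisions, since a distance-1 match also catches ordinary words such as "apply".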
Diverse and Evolving Malware Payloads
In the second half of 2017, ThreatLabZ saw new, unique malicious payloads in the Zscaler Cloud Sandbox, including malicious documents, APKs, and executables, that used SSL/TLS for command and control (C&C) communication. Interestingly, the distribution of the types of malicious payloads remained the same as in the first half of 2017: 60% were Banking Trojan families, including Dridex, Emotet, Trickbot, Zbot, etc.; 25% were ransomware families; 12% were Infostealer Trojan families, including Fareit, Papras, etc.; and the last 3% were smaller families. Many of these payloads were also delivered over SSL/TLS from such sites as Box, Dropbox, AWS, and Google.
Certain Certificates Are More Popular Vectors
In this update, ThreatLabZ investigated an arbitrary set of approximately 6,700 recent SSL transactions to gain deeper insight into the certificates involved. While the majority of these cases involved legitimate sites with valid certificates being compromised, there were also cases where free short-lived certificates were leveraged by the bad actors specifically to deliver malicious content.
ThreatLabZ then examined three types of certificates in a random sample of over 2,800 certificates between November and December – domain validated (DV), organization validated (OV) and extended validation (EV) – to understand which, if any, were most prevalent in the malicious transactions. What they learned was that DV certificates, which sometimes have a shorter validity period of three months and a less stringent vetting process, are the certificates most abused by cybercriminals. In fact, DV certificates, usually those that are free, were used in 74% of the cases in which SSL content was blocked in the Zscaler Cloud. Of the certificates inspected, 55% had a validity period of less than 12 months, with 35% of those having a validity period of three months or less. The CAs that issued the SSL certificates blocked by the Zscaler Cloud included a majority of the well-known authorities, free as well as commercial.
Web properties are quickly adopting SSL/TLS to curb privacy concerns, but without inspection of encrypted traffic, enterprises run the risk of an attack. Yet, SSL inspection can cause significant performance degradation on security appliances. A multi-layer defense-in-depth strategy that fully supports SSL/TLS inspection is essential to ensure enterprises are secure.