Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Encryption Offers Safe Haven for Criminals and Malware

The same encryption that secures private enterprise data also provides security to malware authors and criminal networks.

The same technology millions depend on to protect personal and confidential information — and that browsers highlight as crucial for secure browsing — is being used by threat actors to hide malicious payloads and criminal activity targeting corporations and individuals. And in many cases, organizations aren't doing anything to find out precisely what's going on inside their encrypted network tunnels.

Those are the conclusions reached in a pair of reports out just ahead of next week's RSA Conference, in San Francisco.

Gigamon ATR issued the "July-December 2018 Crimeware Trends Report" with a subtitle promising to tell readers "How The Most Prolific Malware Traversed Your Network Without Your Knowledge." Justin Warner, director of applied threat research at Gigamon, says the "how" is wrapped up in a simple statement: "What we discovered is you can't detect that you can't see."

Criminal use of encryption is the subject of Zscaler ThreatLabz report, "Zscaler Cloud Security Insights Report." "Everyone knows that the world is going to encrypted tunnels for privacy, but with the advent of free certificate providers, bad guys are able to take advantage, too," says Deepen Desai, vice president of security research and operations at Zscaler. 

Gigamon's research found that encryption is being used by several "classic" malware families, including Emotet, LokiBot, and TrickBot. In fact, according to the Gigamon report, two-thirds of the malware detected in the study period was one of these threee types. The reason these malware families are still being used is simple, Warner says: They remain effective, and developing new malware is expensive.

"These threats are still succeeding. They're still effective. They do a lot of work to evade. They do change up how they look, but, in general, they're still using the same malware," he explains. "It is expensive for an adversary to change up their entire operation, but our goal as professionals in the intelligence and research space is to force these threats to take on that cost. That is really how we as an industry will better dismantle them."

Zscaler's Desai says the three levels of certificate validation — domain validation, organization validation, and extended validation — leave room for criminals to obtain certificates for sites that appear legitimate but are not. In domain validation, for example, all individuals have to do is show they are the owner of a particular domain; no checking is done to make sure they have the legal right to the name.

"Attackers will register a new campaign, do an aggressive spam or malvertising campaign, then move on because the domain ends up in reputation block lists," Desai says. According to the Zscaler report, in 74% of the sites that are blocked for security reasons, the certificate is short-term, valid for less than a year.

While free certificate authorities, such as Let's Encrypt, were launched to allow legitimate sites to be protected by SSL/TLS, they have been used by malicious actors, as well, and in huge numbers. 

Desai is blunt about the consequences. "[As a result], we can no longer tell the users that the presence of a green padlock means you're visiting a safe site because the bad guys can get certificates, as well," he says.

According to the Zscaler report, 89% of the domains blocked on its networks for security reasons were encrypted with domain-validated certificates. The remaining 11% used organization validated certificates, while no sites employing extended validation certifcates were blocked.

While large enterprises see huge numbers of attacks, Gigamon's Warner says these visibility-based security issues aren't limited to big organizations. "These threats are not discriminatory — they're targeting businesses of all sizes and across verticals. They aren't picking any specific industry, and they aren't picking a specific target," he says.

The sites being attacked are getting hit by the legacy malware found by Gigamon, as well as an increasing amount of malware injected into the code of the Websites. "We've seen a lot of JavaScript skimmers injected into the page leveraging encrypted channels," Desai says.

At RSA, Desai says there will be two paths of discussion regarding these issues: the SSL certification side and traffic inspection. "On the SSL certificate side, there are more and more organizations moving away from domain verification certificates and going to higher verification, but we're still going at a slow pace," he says.

Both Warner and Desai say more organizations must be willing to build in processes and technologies to look inside the encrypted tunnels. With no safety in the green padlock, seeing as much as possible seems a necessary step to greater network security.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.