Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Encryption Offers Safe Haven for Criminals and Malware

The same encryption that secures private enterprise data also provides security to malware authors and criminal networks.

The same technology millions depend on to protect personal and confidential information — and that browsers highlight as crucial for secure browsing — is being used by threat actors to hide malicious payloads and criminal activity targeting corporations and individuals. And in many cases, organizations aren't doing anything to find out precisely what's going on inside their encrypted network tunnels.

Those are the conclusions reached in a pair of reports out just ahead of next week's RSA Conference, in San Francisco.

Gigamon ATR issued the "July-December 2018 Crimeware Trends Report" with a subtitle promising to tell readers "How The Most Prolific Malware Traversed Your Network Without Your Knowledge." Justin Warner, director of applied threat research at Gigamon, says the "how" is wrapped up in a simple statement: "What we discovered is you can't detect that you can't see."

Criminal use of encryption is the subject of Zscaler ThreatLabz report, "Zscaler Cloud Security Insights Report." "Everyone knows that the world is going to encrypted tunnels for privacy, but with the advent of free certificate providers, bad guys are able to take advantage, too," says Deepen Desai, vice president of security research and operations at Zscaler. 

Gigamon's research found that encryption is being used by several "classic" malware families, including Emotet, LokiBot, and TrickBot. In fact, according to the Gigamon report, two-thirds of the malware detected in the study period was one of these threee types. The reason these malware families are still being used is simple, Warner says: They remain effective, and developing new malware is expensive.

"These threats are still succeeding. They're still effective. They do a lot of work to evade. They do change up how they look, but, in general, they're still using the same malware," he explains. "It is expensive for an adversary to change up their entire operation, but our goal as professionals in the intelligence and research space is to force these threats to take on that cost. That is really how we as an industry will better dismantle them."

Zscaler's Desai says the three levels of certificate validation — domain validation, organization validation, and extended validation — leave room for criminals to obtain certificates for sites that appear legitimate but are not. In domain validation, for example, all individuals have to do is show they are the owner of a particular domain; no checking is done to make sure they have the legal right to the name.

"Attackers will register a new campaign, do an aggressive spam or malvertising campaign, then move on because the domain ends up in reputation block lists," Desai says. According to the Zscaler report, in 74% of the sites that are blocked for security reasons, the certificate is short-term, valid for less than a year.

While free certificate authorities, such as Let's Encrypt, were launched to allow legitimate sites to be protected by SSL/TLS, they have been used by malicious actors, as well, and in huge numbers. 

Desai is blunt about the consequences. "[As a result], we can no longer tell the users that the presence of a green padlock means you're visiting a safe site because the bad guys can get certificates, as well," he says.

According to the Zscaler report, 89% of the domains blocked on its networks for security reasons were encrypted with domain-validated certificates. The remaining 11% used organization validated certificates, while no sites employing extended validation certifcates were blocked.

While large enterprises see huge numbers of attacks, Gigamon's Warner says these visibility-based security issues aren't limited to big organizations. "These threats are not discriminatory — they're targeting businesses of all sizes and across verticals. They aren't picking any specific industry, and they aren't picking a specific target," he says.

The sites being attacked are getting hit by the legacy malware found by Gigamon, as well as an increasing amount of malware injected into the code of the Websites. "We've seen a lot of JavaScript skimmers injected into the page leveraging encrypted channels," Desai says.

At RSA, Desai says there will be two paths of discussion regarding these issues: the SSL certification side and traffic inspection. "On the SSL certificate side, there are more and more organizations moving away from domain verification certificates and going to higher verification, but we're still going at a slow pace," he says.

Both Warner and Desai say more organizations must be willing to build in processes and technologies to look inside the encrypted tunnels. With no safety in the green padlock, seeing as much as possible seems a necessary step to greater network security.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.