Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Encryption Offers Safe Haven for Criminals and Malware

The same encryption that secures private enterprise data also provides security to malware authors and criminal networks.

The same technology millions depend on to protect personal and confidential information — and that browsers highlight as crucial for secure browsing — is being used by threat actors to hide malicious payloads and criminal activity targeting corporations and individuals. And in many cases, organizations aren't doing anything to find out precisely what's going on inside their encrypted network tunnels.

Those are the conclusions reached in a pair of reports out just ahead of next week's RSA Conference, in San Francisco.

Gigamon ATR issued the "July-December 2018 Crimeware Trends Report" with a subtitle promising to tell readers "How The Most Prolific Malware Traversed Your Network Without Your Knowledge." Justin Warner, director of applied threat research at Gigamon, says the "how" is wrapped up in a simple statement: "What we discovered is you can't detect that you can't see."

Criminal use of encryption is the subject of Zscaler ThreatLabz report, "Zscaler Cloud Security Insights Report." "Everyone knows that the world is going to encrypted tunnels for privacy, but with the advent of free certificate providers, bad guys are able to take advantage, too," says Deepen Desai, vice president of security research and operations at Zscaler. 

Gigamon's research found that encryption is being used by several "classic" malware families, including Emotet, LokiBot, and TrickBot. In fact, according to the Gigamon report, two-thirds of the malware detected in the study period was one of these threee types. The reason these malware families are still being used is simple, Warner says: They remain effective, and developing new malware is expensive.

"These threats are still succeeding. They're still effective. They do a lot of work to evade. They do change up how they look, but, in general, they're still using the same malware," he explains. "It is expensive for an adversary to change up their entire operation, but our goal as professionals in the intelligence and research space is to force these threats to take on that cost. That is really how we as an industry will better dismantle them."

Zscaler's Desai says the three levels of certificate validation — domain validation, organization validation, and extended validation — leave room for criminals to obtain certificates for sites that appear legitimate but are not. In domain validation, for example, all individuals have to do is show they are the owner of a particular domain; no checking is done to make sure they have the legal right to the name.

"Attackers will register a new campaign, do an aggressive spam or malvertising campaign, then move on because the domain ends up in reputation block lists," Desai says. According to the Zscaler report, in 74% of the sites that are blocked for security reasons, the certificate is short-term, valid for less than a year.

While free certificate authorities, such as Let's Encrypt, were launched to allow legitimate sites to be protected by SSL/TLS, they have been used by malicious actors, as well, and in huge numbers. 

Desai is blunt about the consequences. "[As a result], we can no longer tell the users that the presence of a green padlock means you're visiting a safe site because the bad guys can get certificates, as well," he says.

According to the Zscaler report, 89% of the domains blocked on its networks for security reasons were encrypted with domain-validated certificates. The remaining 11% used organization validated certificates, while no sites employing extended validation certifcates were blocked.

While large enterprises see huge numbers of attacks, Gigamon's Warner says these visibility-based security issues aren't limited to big organizations. "These threats are not discriminatory — they're targeting businesses of all sizes and across verticals. They aren't picking any specific industry, and they aren't picking a specific target," he says.

The sites being attacked are getting hit by the legacy malware found by Gigamon, as well as an increasing amount of malware injected into the code of the Websites. "We've seen a lot of JavaScript skimmers injected into the page leveraging encrypted channels," Desai says.

At RSA, Desai says there will be two paths of discussion regarding these issues: the SSL certification side and traffic inspection. "On the SSL certificate side, there are more and more organizations moving away from domain verification certificates and going to higher verification, but we're still going at a slow pace," he says.

Both Warner and Desai say more organizations must be willing to build in processes and technologies to look inside the encrypted tunnels. With no safety in the green padlock, seeing as much as possible seems a necessary step to greater network security.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.