Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
09:30 AM
Connect Directly

Nearly Half of All Malware Is Concealed in TLS-Encrypted Communications

Forty-six percent of all malware uses the cryptographic protocol to evade detection, communicate with attacker-controlled servers, and to exfiltrate data, new study shows.

Threat actors have sharply ramped up use of the Transport Layer Security (TLS) cryptographic protocol to hide malware communications -- creating new challenges for enterprise security teams in the process.

A Sophos analysis of malware samples observed during the first three months of 2021 showed that 46%--or nearly half—of all malware that communicated with a remote system over the Internet used TLS for that purpose. This represents a 100% increase from 2020, when 23% of malware tools used TLS.

Related Content:

7 Old IT Things Every New InfoSec Pro Should Know

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

A major reason for the increase is the growing practice among cybercriminals to use legitimate TLS-protected cloud and Web services such as Google cloud services, Pastebin, Discord, and Github for hosting malware or storing stolen data, and for their command and communication operations. Also contributing to the growth is the increased use by attackers of Tor and other TLS-based network proxies to encrypt communications between malware and the threat actors behind them, Sophos said.

"The main takeaways are that there is no such thing as a 'safe' domain or service when screening for malware, and that more traditional firewall defenses based on reputation scanning without deep packet inspection cannot protect systems," says Sean Gallagher, senior threat researcher at Sophos.

The Sophos report is the latest to highlight the double-edged nature of mushrooming encryption use on the Internet. Over the past few years, privacy advocates, security experts, browser makers, and others have pushed for broad adoption of cryptographic protocols to protect Internet communications from spying and surveillance.

The efforts have resulted in the HTTPS protocol, which uses TLS, almost completely replacing the older HTTP protocol. According to Google—one of the most influential proponents of HTTPS—92% of the traffic that hits its online properties in the US uses TLS. The percentage is higher in other countries. In Belgium and India, for instance, 98% of the traffic to Google sites is encrypted; in Japan and Brazil, the number is 96%, and in Germany, 94%.

While the increased use of HTTPS and TLS overall—in email systems, VPNs, and other areas—has enabled greater privacy and security, it has also given attackers a way to use the same technology to hide their malware and malware communications from conventional detection mechanisms.

"There's nothing we can build that the bad guys can't use," says Internet pioneer Paul Vixie, the chairman, CEO, and co-founder of Farsight Security. A lot of the impetus behind TLS came from well-intentioned efforts to protect Internet users—especially in repressive countries—from having their online communications intercepted and snooped on by governments and their intelligence agencies. But the same technology has benefited attackers as well, he says. "There's no way to build technology that only benefits dissidents," he says. 

Variety of Malicious Use Cases
Sophos' analysis showed that attackers are using TLS to exfiltrate data, to carry out command-and-control communications, and to evade detection systems when distributing malware. Of that activity, a vast majority of the day-to-day malicious TLS traffic came from malware droppers, loaders, and malware tools downloading additional malware on already compromised systems.

In many instances, malware droppers and loaders used legitimate TLS-supported websites such as Pastebin, Discord, and GitHub to further disguise the traffic. Sophos pointed to a few examples, such as a PowerShell-based dropper for LockBit ransomware retrieving malicious scripts from a Google Docs spreadsheet via TLS, and the information-stealer AgentTesla grabbing additional code from Pastebin.

Sophos also observed an increase in the use of TLS in ransomware attacks, especially in instances where the malware was deployed manually. A lot of it stemmed from a surge in the use of offensive security toolkits such as Metasploit and Cobalt Strike to execute scripts, harvest system information, extract credentials, and carry out other malicious activities.

"We see TLS used predominantly in the first stages of a malware attack, and by tools focused on manually driven attacks," Gallagher says. "Most RATs and bot malware use other means to obfuscate or encrypt communications, such as hardcoded AES encryption or more simple custom-encoding."

In data exfiltration, meanwhile, threat actors are using malware that among other things can encapsulate stolen data in a TLS-based HTTPS POST or export it via a private TLS connection to Telegram, Discord, or other cloud service APIs, according to Sophos' study.

Google cloud services and India's BSNL are currently the two largest malware "callhome" destinations accounting for 9% and 8% of all malware TLS requests that Sophos observed. Overall, half of all malware-related TLS communications currently are directed to servers in the US and India.

Some of the malicious TLS traffic on enterprise networks use ports other than the standard IP ports: 443, 80, and 8080. So the full range of malicious TLS usage may be greater than what is observed on standard port numbers, Sophos concluded.

'Random Noise'
Farsight's Vixie says emerging standards such as the QUIC Internet transport protocol on which the next generation HTTP/3 is based, and DNS over HTTPS will complicate matters even further for enterprise security teams. Existing firewall technology and other detection mechanisms will be unable to detect malware concealed via these mechanisms. "No one will be able to understand what's going on," Vixie says. "All they will be able to see is pure random noise coming in," he says. "They won't be able to tell one bit of random noise from the other."

The trend will likely result in organizations being forced to older models where they allow nothing in, except what they know to be legitimate traffic: Instead of having firewalls sitting at the network edge, a proxy would sit at the border and inspect all traffic coming in and going out of the network. All packets coming from inside the network would need to disclose the destination, and policies would then be applied to determine whether to send it onward or to block it, he says.

Implementing such a model will likely be vastly inconvenient, Vixie says. Organizations instead may have to consider organizing their network topology so less sensitive data runs on the network with fewer controls, and sensitive data is placed behind a proxy.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file