You’d think that encrypted network traffic protects against most cybersecurity threats – unfortunately, you’d have to think again. Cybercriminals are increasingly using encrypted traffic to sneak malware or ransomware past security tools. How much of a problem these kinds of threats have become can be read in the “State of Encrypted Attacks” report by Zscaler. We spoke with Deepen Desai, VP of Security Research & Operations at Zscaler, about the research.
Cybersecurity Magazine: How has the situation developed with regard to encrypted data traffic and the threat to security overall?
Deepen Desai: Our annual report shows that Secure Sockets Layer (SSL)-based threats are on the rise and becoming ever-more advanced. We recorded a 260 percent year-on-year increase in threats concealed behind SSL encryption in the period from March to September 2020 alone, compared to the same period in 2019. This rise proves that even data traffic flowing through encrypted channels cannot automatically be considered secure. We need to rethink our approach, because simply seeing the “lock” symbol in the browser no longer guarantees security. In fact, it might even have the opposite effect by giving the user a false sense of security.
Cybersecurity Magazine: What are the key takeaways from the SSL-based threats section of the report?
Deepen Desai: The encryption of internet traffic via SSL and its more up-to-date counterpart Transport Layer Security (TLS) are the global standards for protecting data during transmission. Today, over 80 percent of internet-based data traffic is transmitted in an encrypted format. The problem is that cybercriminals also use encryption to hide all kinds of malware and other exploits behind encrypted traffic.
What makes these attacks so dangerous is that the exploit or concealed malware remains undetected if the encrypted data traffic is not inspected and scanned.
We also saw a staggering 500 percent increase in ransomware over the same time period – a clear indicator that companies need to adapt to new attacker trends. These ransomware attacks are also becoming more sophisticated. Often, attackers manage to exfiltrate data from their victims before it is even encrypted. This makes the attacker’s blackmail even more effective, as they can also threaten to publish this confidential data.
Cybersecurity Magazine: Why is SSL so attractive as a point of entry for cybercriminals?
Deepen Desai: While SSL/TLS encryption is now the industry standard for protecting data against prying eyes during transmission, it has also become a blind spot when it comes to threat detection. It is often used by attackers to get malware past security tools that do not perform SSL/TLS inspection. Also, with the advent of free SSL certificate providers like Let’s Encrypt, it has become very easy for an attacker to set up a site with SSL.
Cybersecurity Magazine: Which types of attacks are most prevalent and how have these attacks evolved?
Deepen Desai: Two areas stood out in this year’s research. 30 percent of identified attacks took place via data storage services. This includes cloud-based file-sharing services such as Google Drive, OneDrive, AWS and Dropbox; from March to September 2020, SSL-encrypted attacks abusing these services almost doubled in number. Using popular and well-trusted services as a vehicle for the attack increases the chance that the user will click on the malicious links and set the infection cycle in motion.
It is therefore no surprise that ransomware attacks increased so sharply year-on-year. The health sector was a major target: Of the 6.6 billion attacks analysed, over a quarter (25.5 percent) were targeted at the health sector, followed by finance and insurance at 18.3 percent and the manufacturing sector, which experienced 17.4 percent of the attacks.
Cybersecurity Magazine: What role does phishing play? Is phishing used in different ways in different sectors?
Deepen Desai: Domain squatting and homograph attacks, which aim to create exact copies of popular and legitimate websites, are common end goals of phishing attacks. The perpetrators are aiming to exploit the trust we place in well-known names and brands to steal credentials or disseminate malware. These types of campaigns are not sector-specific; they target the most popular brands to victimise as many users as possible. The websites at these domains are virtually indistinguishable from the originals – while also using SSL/TLS encryption.
Our investigation highlighted the brands most frequently targeted by phishing attacks via encrypted channels: Microsoft is top of the list at 36%, followed by PayPal (15%) and Google (10%). Other services that proved attractive to fraudsters were “Technical Support” (17%) and web mail (12%).
Cybersecurity Magazine: What role do attacks that take place via trusted cloud providers like Microsoft, AWS and Google play? What do these kinds of attacks look like in practice?
Deepen Desai: Today’s organisations are faced with a dilemma: Traditional security hardware is a limiting factor when it comes to scanning all SSL traffic, which means that they are forced to compromise when analysing SSL-encrypted traffic. Cloud-based file sharing services such as AWS, Google Drive, OneDrive and Dropbox are a good example. These are powerful tools that help employees to collaborate and boost productivity, and usage of these services increased during this year’s health crisis.
In this type of attack, the perpetrators create file-sharing URLs that lead to malicious content, and services like Google Drive and Dropbox are abused for hosting malicious content as part of an email phishing campaign. This approach removes the need for the attacker to attach malicious files to emails – which most users have been trained to spot. As the content is hosted on a legitimate file-sharing site, it benefits from a basic level of trust. Compromised employee systems can rapidly increase the reach of the attack.
Cybersecurity Magazine: Have attacks evolved in the context of the pandemic?
Deepen Desai: Cybercriminals have proved this year that they unfortunately will not make exceptions for ethical reasons; even during the COVID pandemic, they targeted the health sector with encrypted advanced threat attacks. It’s no wonder that the critical areas of telecommunications and healthcare were most severely affected by these targeted attacks, and we saw a steep rise in ransomware attacks in 2020. Ransomware families such as FileCrypt/FileCoder variants, Sodinokibi, Maze and Ryuk came up most frequently in our research. One of the new tactics that many of these ransomware gangs like Maze, Sodinokibi, Ryuk, and many others have adopted since late 2019 is that they will exfiltrate sensitive data from the victim organization before encrypting the file and demanding ransom. This double extortion tactic means even if the victim organization has good backup hygiene and is able to recover from the ransomware attack, the cybercriminals will threaten to leak the exfiltrated data if ransom is not paid.