What Lies Beneath: Advanced Cyber Attacks that Hide in SSL Traffic

By ISBuzz Team, Writer, Information Security Buzz | Feb 16, 2016 06:00 pm PST

No company is immune to the risk of cyber attacks and the resulting loss of customer information. Network security solutions can reduce the risk of attack, but these solutions face an unexpected adversary: SSL encryption.

While SSL encryption improves privacy and integrity, it also creates a blind spot in corporate defences. Today, roughly half of all Internet traffic is encrypted, and this figure is expected to reach 67 per cent by 2016.

Attacks hiding in SSL traffic are on the rise. Since Edward Snowden’s revelations in 2013, SSL encryption has become all the rage for both application owners and hackers, and for good reason: encryption improves security by providing data confidentiality and integrity. It has also led to the rise of movements like “Let’s Encrypt,” the free, automated and open certificate authority (CA) provided by the Internet Security Research Group (ISRG).

Unfortunately, encryption also allows hackers to conceal their exploits to sneak past security devices like firewalls, intrusion prevention systems and data loss prevention platforms. Some of these products cannot decrypt SSL traffic without degrading performance, while others simply cannot decrypt SSL traffic at all because of their location in the network. As a result, hackers are taking advantage of movements like Let’s Encrypt to generate SSL certificates to sign malicious code or to host malicious HTTPS sites.

One way to counter the threat is for organisations to decrypt and inspect inbound and outbound traffic. A dedicated SSL inspection platform will enable third-party security devices to eliminate the blind spot in corporate defences. But first, we need to understand the three common ways that malware developers use encryption to escape detection.

Escape the encryption labyrinth

  • Zeus Trojan: Since its discovery in 2007, the Zeus Trojan has remained one of the most prevalent and dangerous pieces of financial malware around. The Zeus attack toolkit is widely used by criminal groups to develop variants that are even more sophisticated. Between 2012 and 2014, the number of infections and variants grew tenfold. One of the deadliest varieties is the peer-to-peer botnet Gameover Zeus, which leverages encryption for both malware distribution and command and control (C&C) communications.
  • Command and control updates from social media sites: Our growing obsession with social sharing has no doubt attracted the attention of hackers too. New malware strains use social networks, such as Twitter and Facebook, and web-based email for command and control communications. For instance, malware can receive C&C commands from malicious Twitter accounts or from comments on Pinterest, both of which encrypt all communications. To detect these botnet threats, organisations need to decrypt and inspect SSL traffic; otherwise security analysts might unwittingly view access to client machines through social media sites as harmless.
  • Remote Access Trojan (RAT): Online email accounts such as Gmail and Yahoo! Mail have lately become incubators for a remote access Trojan (RAT) that receives C&C commands. The malware attempts to evade detection by never quite sending an email. Because both Gmail and Yahoo! Mail encrypt their traffic, malware developers exploit this to stay hidden. The onus is therefore on organisations to decrypt and inspect their own traffic to these email sites, or the malware will pass them by.
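The three channels above share one trait: the C&C session looks like ordinary use of a popular encrypted service. As an added illustration (not code from the article or from A10 Networks), the following Python script runs two defender-side heuristics over constructed TLS connection metadata of the kind a firewall or proxy records without decrypting anything: near-periodic, uniformly sized connections from one host to a webmail or social-media service, and connections to previously unseen domains presenting a freshly issued Let's Encrypt certificate. The log format, domain lists and thresholds are assumptions made for the example; it generalises the Twitter, Pinterest and Gmail cases in the text into a single periodicity check.

```python
"""Beacon-style C&C triage over TLS connection metadata (added example).

The constructed records model what a perimeter device sees for HTTPS it cannot
decrypt: timestamp, client, SNI, certificate issuer, certificate age and bytes
uploaded. Two heuristics are applied:
  (a) near-periodic, similarly sized connections from one client to a webmail
      or social-media service (the C&C pattern described in the article);
  (b) connections to domains outside a known list that present a Let's Encrypt
      certificate issued within the last few days.
Both operate on metadata only; the content of those sessions stays invisible
until the traffic is decrypted and inspected.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (epoch seconds, client, SNI, issuer CN, cert age in days, bytes sent)
SAMPLE_LOG = [
    # ws-17 contacts mail.google.com every ~60 s with ~1 KB uploads: beacon-like
    (1000, "ws-17", "mail.google.com", "Google Internet Authority G2", 120, 1024),
    (1061, "ws-17", "mail.google.com", "Google Internet Authority G2", 120, 1030),
    (1119, "ws-17", "mail.google.com", "Google Internet Authority G2", 120, 1020),
    (1180, "ws-17", "mail.google.com", "Google Internet Authority G2", 120, 1028),
    (1241, "ws-17", "mail.google.com", "Google Internet Authority G2", 120, 1022),
    # ws-03 browses twitter.com like a person: irregular gaps, varying sizes
    (1005, "ws-03", "twitter.com", "DigiCert SHA2 High Assurance Server CA", 300, 512),
    (1300, "ws-03", "twitter.com", "DigiCert SHA2 High Assurance Server CA", 300, 9800),
    (1340, "ws-03", "twitter.com", "DigiCert SHA2 High Assurance Server CA", 300, 2300),
    (2900, "ws-03", "twitter.com", "DigiCert SHA2 High Assurance Server CA", 300, 150),
    (2905, "ws-03", "twitter.com", "DigiCert SHA2 High Assurance Server CA", 300, 40000),
    # ws-09 contacts a never-seen domain (placeholder name) whose Let's Encrypt cert is 2 days old
    (1500, "ws-09", "updates.example-cdn.net", "Let's Encrypt Authority X3", 2, 700),
]

# Services the article names as C&C channels; assumed list of "known good" SNIs
HOSTED_CHANNELS = {"mail.google.com", "mail.yahoo.com", "twitter.com", "www.pinterest.com"}
KNOWN_DOMAINS = HOSTED_CHANNELS | {"www.microsoft.com"}


def coefficient_of_variation(values):
    """pstdev / mean; 0.0 means perfectly regular. None when undefined."""
    if len(values) < 2:
        return None
    m = mean(values)
    return None if m == 0 else pstdev(values) / m


def find_beacons(log, min_hits=4, max_cv=0.15):
    """Return (client, sni) pairs whose connection gaps and upload sizes are
    nearly constant against a webmail/social service, a pattern human browsing
    rarely produces."""
    by_pair = defaultdict(list)
    for ts, client, sni, _issuer, _age, sent in log:
        if sni in HOSTED_CHANNELS:
            by_pair[(client, sni)].append((ts, sent))
    beacons = []
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        sizes = [sent for _, sent in hits]
        gap_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        if gap_cv is not None and size_cv is not None and gap_cv <= max_cv and size_cv <= max_cv:
            beacons.append(pair)
    return sorted(beacons)


def find_fresh_dv_certs(log, max_age_days=7):
    """Return SNIs outside the known-domain list that present a Let's Encrypt
    certificate younger than max_age_days. A domain-validated certificate only
    proves control of the name, so this is a triage cue, not a verdict."""
    hits = set()
    for _ts, _client, sni, issuer, age, _sent in log:
        if sni not in KNOWN_DOMAINS and issuer.startswith("Let's Encrypt") and age <= max_age_days:
            hits.add(sni)
    return sorted(hits)


if __name__ == "__main__":
    print("beacon-like pairs:", find_beacons(SAMPLE_LOG))
    print("fresh DV certs on unknown domains:", find_fresh_dv_certs(SAMPLE_LOG))
```

Both checks only narrow down which encrypted sessions deserve decryption and inspection; they cannot see the commands inside, which is exactly the blind spot the article describes. The fresh-certificate check will also catch legitimate new sites, and a Let's Encrypt certificate says nothing about intent, so its output belongs in an analyst queue rather than a block list.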

Stay ahead of the game

Encryption today accounts for roughly one-third of all Internet traffic, and it’s expected to reach two-thirds of all traffic next year when Internet powerhouses like Netflix transition to SSL. As a result, encrypted traffic will become the “go-to” way of distributing malware and executing cyber attacks.

Whether sharing a malicious file on a social networking site or attaching malware to an email or instant message, cyber criminals are hiding their attacks using SSL traffic to circumvent existing security controls. It is imperative that CIOs and IT managers familiarise themselves with solutions that uncover hidden threats in encrypted traffic, and invest in data protection that decrypts and inspects all SSL traffic.

About A10 Networks

A10 Networks is a leader in application delivery networking, providing a range of high-performance application networking solutions that help organisations ensure that their data centre applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.