CyberCrimeSecuritySecurity ManagementWorkspace

Big Rise In Malicious Encrypted Content, Zscaler Warns

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Encryption not so safe? Malicious SSL encrypted content has more than doubled in the last six months

Cloud security specialist Zscaler has revealed that malicious SSL encrypted content has more than doubled in the last six months.

In fact it has risen by 60 percent, a detail that should make system administrators pause and take note, as the overall percentage of encrypted traffic increases due to its perceived safety.

Indeed, this data reveals that attackers are now using SSL (also known as TLS or HTTPS) to disguise their activities, at a time when many organisations are not utilising any form of SSL inspection.

SSL LayerEncrypted Malware

Zscaler of course operates a globally distributed cloud security platform, and it has found that more than half of all internet traffic sent through its cloud is encrypted.

“Some of that traffic still uses the older Secure Sockets Layer (SSL) protocol, while a higher percentage uses the newer Transport Layer Security (TLS) protocol,” blogged Deepen Desai, senior director, security research and operations.

“Sessions for both are invoked with the ‘HTTPS’ website address prefix in your browser,” wrote Desai. “Because Zscaler examines the contents of all encrypted tra ic to detect malicious payloads, we have discovered that encryption is frequently used to mask malware and evade security detection tools.”

This is a sobering development for the security industry, if it turns out that encryption is now become the norm for harbouring the transmission of malware.

Zscaler said that it had blocked an average of 8.4 million SSL/TLS-based security threats daily in 2017. It had also blocked an average of 12,000 phishing attempts delivered over SSL/TLS daily in 2017 – an increase of 400 percent from 2016.

And it warned that while many firms have systems in place to detect and block attacks, SSL inspection is not always enabled due to excess costs or latency issues.

“Hackers are increasingly using SSL to conceal device infections, shroud data exfiltration and hide botnet command and control communications,” said Desai. “SSL inspection is a necessity in ensuring the security of network traffic in the enterprise.”

Encryption Inspection

He pointed out that Zscaler sits between users and the internet, and is able to inspect all types of data (included encrypted traffic), before it arrives in the customer’s network.

And it seems as though the Zscaler ThreatLabZ researchers have also identified new malicious payload distributions, from the data given off by unique payloads hitting the Zscaler Cloud Sandbox.

These are apparently utilising SSL/TLS for command and control (C&C) activity, and banking trojans make up 60 percent of the payloads.

And 25 percent were comprised of multiple ransomware families, as less popular payloads included Infostealer Trojan families and other miscellaneous families.

It should be noted that Zscaler is not the only firm offering protection from encrypted malware.

In June for example Cisco revealed that its ‘new network’ uses machine learning to detect malware in encrypted data.

And like Zscaler, Sophos has also previously warned that malware is using increasingly sophisticated techniques to evade detection.

Quiz: How much do you know about the cloud?