CyberWire Daily - SSL-based threats remain prevalent and are becoming increasingly sophisticated. [Research Saturday]

Episode Date: December 5, 2020

While SSL/TLS encryption is the industry standard for protecting data in transit from prying eyes, encryption has, itself, become a threat. It is often leveraged by attackers to sneak malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels. To better understand the use of encryption and the volume of encrypted traffic that is inspected, Zscaler's research team, ThreatLabZ, analyzed encrypted traffic across the Zscaler cloud for the first nine months of 2020, assessing its use within specific industries. The study also set out to analyze the types of attacks that use encryption and the extent of the current risk. Returning to Research Saturday this week to discuss the report is Zscaler's CISO and VP of Security Research, Deepen Desai. The research can be found here: "2020: The State of Encrypted Attacks" (blog) and "2020: The State of Encrypted Attacks" (report).

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:01:17 So the report that we pushed out is specifically focused on encrypted attacks. And these are attacks that leverage SSL/TLS connections to basically hide from legacy security controls that are not able to open those TLS connections. That's Deepen Desai. He's CISO and VP of Security Research and Operations at Zscaler. He shares the research he and his team have been conducting on ransomware, specifically the Ryuk strain. And now, a message from our sponsor, Zscaler, the leader in cloud security.
Starting point is 00:02:04 Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface
Starting point is 00:02:21 with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation,
Starting point is 00:02:53 and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. Well, for folks who might not be familiar with some of the terms there, can you give us a little bit of the background? What are we talking about here? So SSL/TLS is basically a transport layer security protocol that allows you to encrypt the data that flows between the client and the server. And the easiest way you can spot that is by looking for the HTTPS in the URL. And there should be a padlock sign appearing on the left as well. That kind of indicates that the connection that you're making to the destination
Starting point is 00:03:54 is over TLS. I see. Well, let's go through the report together. I mean, what were some of the key findings that you had? So one of the key findings is we looked at all the traffic that flows through Zscaler Cloud and over 80% of all internet-bound traffic is now encrypted. That means all of this traffic is leveraging HTTPS. And one of the alarming numbers that we saw was 6.6 billion threats were blocked in the first nine months of 2020. And these were threats that were being delivered over HTTPS. So if you don't open those TLS connections, then you're, and the right term is, if you don't perform SSL inspection,
Starting point is 00:04:51 you will basically be blind to any of those bad payloads, malicious scripts that are flowing in those HTTPS connections. So the fact that a lot of the Zscaler customers are opening those TLS connections and allowing us to inspect the payloads and traffic meant we were able to identify and block 6.6 billion threats over encrypted channel. Wow.
Starting point is 00:05:20 Well, can you give us a little bit of insight here as to how exactly that happens? Because I think we all understand that the point of encrypted traffic is to keep out prying eyes. So how do you have encrypted traffic but also have the ability to inspect it? So the way it works is you need a proxy-based architecture where you terminate the connection at the proxy, and then the proxy makes a connection on your behalf to the destination. And the standard TLS certificate handshake and all of that will happen between the client and the proxy
Starting point is 00:05:55 and the proxy and the destination. This will allow us to basically inspect all the payloads as well as the content that's flowing through the HTTPS. Well, let's dig in and talk about some of the things that you detected. I mean, what sort of payloads are prominent here? So what we saw was the bad actors were leveraging the encrypted channel throughout the attack cycle. So starting with things like phishing attacks, where the goal is to steal credentials or to lure the user into clicking or downloading something and compromising their systems. The second stage where there is an exploit taking place where the bad actors are trying
Starting point is 00:06:41 to exploit a vulnerability on the user system. So delivery of those exploit payloads were also found to be happening over encrypted channel. We also noticed malware payloads being hosted on popular cloud storage service providers like AWS, Google, Dropbox, Box, in order to, again, get past legacy security controls that are not inspecting SSL traffic. And then finally, once the infection happens, we also noticed several malware families that were leveraging the encrypted channel to perform CNC, command and control activity. And this is also used to exfiltrate data from the compromised systems.
Starting point is 00:07:25 Now, who are they targeting here? What sort of organizations are being hit the most? Great question. So we did look at the industry verticals, and that was one of the key findings as well. Like 1.6 billion encrypted threats were targeting healthcare. And we were all thinking that because of the pandemic situation, healthcare will not be targeted as much. But again, that was the number one target. In fact, the healthcare portion represented, I believe, 26% of overall encrypted attacks that were seen in the first nine months of 2020.
Starting point is 00:08:11 I would say the top three brands that we saw, number one was Microsoft, where all the web properties like Office 365, SharePoint, OneDrive were being targeted in the phishing attacks. We also saw several instances of tech support scams where the bad guys will show a pop-up to the victim saying that their machine is infected or it has a problem and they need to pay Microsoft tech support, which is obviously a scam, in order to repair the error. And then the third brand that we saw was PayPal. So it's spread across both corporate services as well as consumer side services. And the goal is to get access to the user credentials. It's interesting to me that, you know, as you pointed out at the top of our conversation, with the vast majority of the traffic that you all are tracking here using TLS encryption,
Starting point is 00:09:15 it's the norm now. There's nothing exotic about it. And so it's just an everyday part of doing business. Exactly. So HTTPS is important. It does make it difficult, like you said, for prying eyes who are trying to spy on your internet activity. But again, that is also becoming a blind spot for many of the large enterprises because the bad guys are also leveraging the same channel to serve malicious content. Now, one of the other things that you point out in your research here is that the attackers are taking advantage of people's trust in well-known brands.
Starting point is 00:09:57 Yes. So that is a part where what they would do is, so first is they will clone a page that looks very similar to one of the brands that they're targeting. So think of things like Office 365 login page. And so if the bad guys are after your corporate user credentials for Office 365, they will spin up a page, put it behind TLS,
Starting point is 00:10:24 make that page look identical to the Office 365 login page, and they will try to phish your end users for their corporate credentials. Let's talk about ransomware. How prevalent was that in what you were looking into here? So ransomware attacks have been on the rise. In fact, as per the report, we saw almost 500% increase since March of 2020 for ransomware payloads that were being delivered over encrypted channel. Wow. And what are some of the variants? Are there any that rise to the top? Are there any that are more prevalent than others? So we saw several ransomware families, and I'll cover one of the trends that is becoming increasingly popular on the ransomware families, especially this year.
Starting point is 00:11:21 And that is many of these families, in addition to encrypting the data on the endpoints, they've also started exfiltrating sensitive documents, sensitive information from the victim environment. has a good data backup hygiene and they are able to recover from a ransomware attack just by restoring their data, they will still threaten them to leak the stolen information if the organization doesn't pay the ransom. So that's a trend that we're seeing in almost more than a dozen prevalent ransomware families. It started with Maze in late 2019, but there are, like I said, more than a dozen ransomware families now that are leveraging that double extortion tactic. Well, let's talk about prevention here. I mean, what are you recommending in terms of best practices against some of these types of SSL threats? So one of the primary things to do
Starting point is 00:12:26 is to inspect all SSL traffic. You can't block what you cannot see. Unless you inspect SSL traffic, you will be blind to all the payloads, malicious scripts that are flowing underneath that. So that's number one. Number two, I would say you need to have a true zero trust network access architecture in place. Essentially, especially now with every employee being remote, one infected laptop should not be
Starting point is 00:13:01 able to bring down your entire network, right? So having a zero trust network access where the users are only allowed to access the applications that they are authorized to, and there is no network presence of any of your user laptops, which essentially reduces the blast radius, right? So one infected machine cannot infect the others if they literally don't have a network presence in your network. Our thanks to Deepen Desai from Zscaler for
Starting point is 00:13:37 joining us. You can find out more about their research on the Ryuk strain of ransomware on their website. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:28 The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Thanks for listening.
