CyberWire Daily - TLS is here to stay. [Research Saturday]
Episode Date: March 14, 2020

As websites and apps more widely adopt TLS (Transport Layer Security) and communicate over HTTPS connections, unencrypted traffic may draw even more attention, since it's easier for analysts and security tools to identify malicious communication patterns in those plain HTTP sessions. Malware authors know this, and they've made it a priority to adopt TLS and thereby obfuscate the contents of malicious communication. Joining us on this week's Research Saturday is Chester Wisniewski from SophosLabs discussing their research on the subject. The research can be found here: Nearly a quarter of malware now communicates using TLS
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
It's one of these, like, well-known secrets, if you will. If you talk to anybody in the business that researches malware, we've all seen bots that communicate back to their command and control using encryption.

That's Chester Wisniewski. He's a principal research scientist at SophosLabs. The research we're discussing today is titled Nearly a Quarter of Malware Now Communicates Using TLS.

We've seen stolen certificates. We've seen, you know, malware that's signed with certificates. We've seen all this stuff, but nobody had really quantified it. And so we thought, well, we all anecdotally know it's a problem, but how big of a problem is it? And, you know, maybe we should take a look with, you know, all the data we have in our labs.
Well, the research that you published here starts off with a really nice overview of some of the basics here. I'd love to go through that together because I know there are a lot of people who might be a little fuzzy on some of this stuff. Can you take us through some of the backstory here when it comes to TLS and sort of the foundational elements of that?

Oh, sure. I mean, of course, TLS, we're using the correct modern terminology, but I think a lot of people still think of TLS as being the good old SSL that represented their padlock on Netscape Navigator back in the 1990s. So the current terminology is TLS. SSL is now discontinued. And, you know, it's public-private-key cryptography that's used to protect most of what we do via email and the web these days on the internet. Actually, I think that might be an interesting side project to look at how much email is currently being transmitted using TLS for the good stuff to be protected. But I think Google may have done some research on that. But, you know, the idea here is, of course, to provide encryption while in transit, right? So this is different than the kind of encryption you might use to protect a file on disk or protect the SSD in your laptop in case it gets stolen. This encryption is just while things are being transmitted from typically a web server to a client. And we're just seeing that the criminals are starting to adopt this for their own transport to protect their communications.

And I suppose there are two sides to this story. The good part is that this data is encrypted, but that can make things harder to examine as well.
Yeah, ironically, if your information is being stolen by criminals, at least only one criminal will be able to see the information that they're stealing from you, unlike if they do it unencrypted and you're on a Wi-Fi at the Starbucks or something. But obviously, the challenge really for enterprises or even home users, for that matter, is you need to build a man in the middle of that traffic in order to inspect it to find out whether it's malicious or not. And I think most people in their minds connect privacy and security as being compatible or together. And this is one of those cases where they're actually incompatible, right? I have to actually break into that secure connection to look at the content to know whether it's safe for you to consume that content. Yet by doing so, in a way, I'm affecting your privacy.

And at the enterprise level, there are tools available to do just that.

Absolutely. Most modern firewalls have the ability to, you know, man in the middle that traffic. In essence, they decrypt the traffic before it goes out to the criminals, take a look at what's inside of it, and if it's okay, let it pass with a new encrypted connection to the criminal or to whatever, obviously, hopefully not the criminals. Maybe it's you going to log into your Twitter or your Facebook or your bank. But I think one of the adoption challenges for enterprises has been to do that because you're going to get into this protected connection. You have to deploy certificates. You have to deploy a private certificate authority certificate to all of the computers that are behind that firewall. And doing that in a large environment is quite a cumbersome activity.

And the availability of those certificates, I mean, that's not a difficult thing to do these days.

Yeah, you actually make a certificate on your own. You don't need to actually purchase one. In fact, you can't purchase one. The companies like VeriSign are not allowed to issue one that everybody in the world would trust. So you actually make an untrusted one of your own, and then you tell all your computers to trust it. And it's telling all the computers to trust it that's the challenging part.

Now, one of the things that you track here in your publication is this shift that you've seen with more functions from the malware being orchestrated on the command and control server side. Can you give us some insights there?

Yeah, the initial infection is often called a downloader, or even you can think of it as maybe a little bit of a stub, meaning the malware that comes down to your computer doesn't even know what it's going to do until the criminals kind of know who's been infected, if you will. So the idea is they might want to turn you into a DDoS bot. They might want to ransom you. Maybe they want to use you to send some spam. They're not really sure until they determine who you are. Now, we don't really know why necessarily criminals decide to use one malware one place or one malware in another. But I did some research that I presented at RSA Conference a couple of years back that talked about this. And we had found that things like maybe you've got a banking Trojan that's targeting a German bank. Well, you probably don't want to install that on machines in Singapore. You probably only want to install it on computers in Germany. So that's in essence what's happening is like you get infected with a little piece of code that just calls home and goes, what do I do? And then the malware controller decides, OK, I want you to load up this banking Trojan. I want you to load up this ransom code.

And so is the notion here that the less traffic that's being sent back and forth, the more under the radar these actors can stay?
Well, the less traffic that's out there, that certainly is the case. In this case, I don't think they're doing it for stealth reasons. I think they're doing it to maximize their profit. You know, the malware ecosystem has broken down into a lot of specialization over the last 15 years. And because of that specialization, there's people that specialize just in infecting people's computers initially and then seem to sell them on to other criminals to do criminal activity that's more specialized and focused like, you know, banking malware and ransomware as examples. And many of your listeners may have heard of Emotet, which has probably been the biggest email malware threat we've seen in the last couple of years. And Emotet is one of those. Once you get infected with Emotet, it might then install TrickBot or it might install Dridex. It's going to install something based on some other criminal paying them for your head. And they may pay them based on your geographic location. They may pay them based on maybe you're on a Mac instead of a PC and they need to deploy different malware. Those types of things happen in these attacks so that the criminals can sort of maximize the profit per victim.

Well, the research that you've published here, you go through some of the recent malware campaigns and sort of break down and track who's using TLS here. Share with us what you found.
We took a handful of families that we thought were representative because it's obviously with the quantity of malware we deal with in the lab, it's impossible for us to go through every sample and get an exact number. So we thought we would take a couple of these sample families and go through them and analyze them. So we took ones that are known info stealers and just other ones that are just common Trojans that we see. So we looked at IcedID, we looked at Dridex, and we looked at TrickBot. And those are three very common malware families that we're seeing in the wild right now. And then we analyzed six months' worth of their samples in our dataset to see how frequently they were using TLS.

Well, let's go through them one at a time together. Why don't we start with TrickBot?
Right. So TrickBot, you know, most commonly right now, I think the way people are seeing it pop up on their computers is when it deploys a secondary payload again, like we were just talking about. So TrickBot itself is an information stealer. And that, you know, is not necessarily limited to what it can steal. I mean, it can steal information from your browser or maybe, you know, maybe looking to steal information for your browser that's related to banking. One of its other characteristics that we've seen is it also can deploy ransomware for other crooks. So it's sort of like taking two bites of the apple when it gets you as a victim. And so obviously what we were curious about is, you know, does it use encryption? And of course it does occasionally use encryption. And what's kind of interesting about it, the criminals are quite smart rather than having to implement their own encryption. Let's say they actually use the built-in crypto API inside of Windows to do their encryption. So I guess that started to ensure that they don't screw up the encryption.

They're relying on someone else's expertise of cryptography there.

Yeah, yeah, exactly. And, you know, like I said, they're kind of part of this malware supply chain. With TrickBot, we often see the victim initially gets hit with Emotet, which is one of these ones that comes in via email that says, you know, you have an invoice or DHL has a package waiting or, you know, these types of messages. And then TrickBot is probably paying the Emotet group to install their malware. And then after TrickBot's on there, occasionally we'll see TrickBot then install some ransomware as well.

Well, let's take a look at IcedID. What did you see here?

Yeah, so the IcedID one, you know, they also, none of them always use TLS, but in this case, they did use TLS. It was kind of interesting to us that they were using the RC4 cipher. So RC4 is a very old cipher, and it's not terribly difficult to break depending on how it's implemented. And that was interesting to see. And it does have the ability to send stuff unencrypted. Some of the, you know, a lot of these seem to be able to do both encrypted and unencrypted information transmission. And that's not, you know, it's not clear what the purpose of that is in case maybe they're in some environments where they can't make an encrypted connection back, or it might just be a fallback mechanism. You know, we talked about certificates a minute ago. You know, there's been many a famous website to forget to renew a certificate. I think even, I want to say, Microsoft had an incident a couple months ago where they forgot to renew a certificate. So it's possible the criminals are like, well, maybe we, what if we forget to renew our certificate? For, you know, we don't want to stop getting stolen data. So, you know, maybe it's a fallback mechanism. I'm not really sure why, if you bother to go through the trouble of implementing cryptographic APIs, why you would have unencrypted capability. But a lot of them seem to have both and only occasionally use the encryption.

Oh, interesting. Interesting. And then the last one that you analyze here is, I suppose, an oldie but a goodie, and that's Dridex.
Yeah. Dridex is another one that these days most often gets onto your computer through the Emotet botnet. It is old, as you say. I think, you know, we first saw Dridex back in 2011, and so it's gotten around a bit. And that's another reason I think we see some of this variability where we go, hey, it looks like Dridex uses TLS, but we also have Dridex samples that don't use TLS. And like IcedID, it's also using the old RC4 encryption. The variability in that, I think, is partly related to how old some of these malware families are, right? There's different people that have copied it and reused it. And maybe some of the old ones don't have this secure capability while newer copies of the malware do have the secure capability. And so that's why we only see a portion of the traffic using encryption.

What are you tracking in terms of trending here? Are we seeing more and more of the use of TLS when it comes to these folks?

Well, being that this is one of the few reports that have been out there, and it's the first report we've published from samples at SophosLabs, which means we have nothing to compare it to. It's all anecdotal. Certainly, anecdotally, it seems like we're seeing increasing use, especially amongst things that are stealing information. We know that a lot of companies are very carefully looking at data that's exfiltrated through their firewalls to try to remain compliant with regulations like GDPR. And now, of course, in the USA, we have CCPA. So that means companies have a better chance of noticing those credit cards being stolen or those passwords being stolen or, you know, that kind of thing. So it's possible the criminals are using this for information stealers sort of as the vanguard of the whole thing. And in our research, we saw that 44% of information stealers are using encryption. And that is a higher percentage than we see amongst the malware community as a whole, which is about 23%. So it's almost twice as likely that an information stealer is going to use encryption than a regular good old-fashioned bot. So that's probably indicative of the criminals trying to bypass corporate policies.

So what sort of recommendations do you have for people out there to contend with this stuff?

Well, I think, you know, for everyday users at home, there's little that can be done other than, you know, to run good quality endpoint protection on their computers that hopefully keeps track of a lot of these command and control servers and can block access to them. I mean, some of them do some TLS interception as well. So consumers would have to kind of survey the market a bit for that. But on the enterprise side, I think it's clear that we need to be inspecting encrypted traffic traversing our firewalls. And if you haven't taken on that project yet, you need to take it on. You know, there's different products out there that work differently depending on what brand of firewall or next generation UTM or firewall that you have on your network. But most of them have this capability. And if you're using one that doesn't, it's probably time to shop around because this is going to become increasingly important.

That's Chester Wisniewski from SophosLabs. The research is titled Nearly a Quarter of Malware Now Communicates Using TLS. We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.

Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.