In the first half of 2017, an average of 60 percent of transactions observed by security company Zscaler have been over SSL/TLS, the company’s researchers said. The growth in SSL/TLS usage includes both legitimate and malicious activities, as criminals rely on valid SSL certificates to distribute their content. Researchers saw an average of 300 hits per day for web exploits that included SSL as part of the infection chain.
Zscaler said blocked an average of 8.4 million SSL/TLS-based malicious activities per day in the first half of 2017 for its customers on its Zscaler cloud platform. Of those blocked, an average of 600,000 per day were advanced threats. Zscaler researchers have seen 12,000 phishing attempts delivered over SSL/TLS per day in the first half of 2017, a 400 percent increase from 2016.
The research data did not include adware campaigns using SSL/TLS to deliver their payloads.
Malware families are increasingly using SSL to encrypt the communications between the compromised endpoint and the command-and-control systems to hide instructions, payloads, and other pieces of information being sent so that it becomes difficult for the IT administrators to be able to tell the difference between bad and good traffic. The number of payloads being sent over encrypted connections doubled in the first six months of 2017 compared to all of 2016, said Zscaler researcher, Desai.
About 60 percent of malicious payloads using SSL/TLS for command and control (C&C) activity came from banking Trojan families such as Zbot, Vawtrak and Trickbot, Zscaler said. Another 12 percent were info stealer Trojan families such as Fareit and Papra. A quarter of the payloads came from ransomware families.
It looks like companies have to give a thought beyond encryption and think about SSL inspection which can be provided by a cloud-based platform, such as what Zscaler offers, or by appliances that are deployed inline, such as those offered by Microsoft, Arbor Networks and Check Point (to name a few).