Advanced Cyber Attacks Hidden in SSL Traffic

Customer information is at risk even if an enterprise claims that its servers are impenetrable. From Target to Sony, and Anthem to Ashley Madison, no company has been able to keep cyber attacks at bay, and all ended up losing customer information. Because this puts customers' lives at risk, organizations must find ways to secure customer data even when parts of their servers are compromised. Companies that want to secure their data must invest in network security solutions that are capable of reducing these risks.

“Network security solutions can reduce the risk of attack, but these solutions face an unexpected adversary: SSL encryption,” suggests Glen Ogden, Regional Sales Director, Middle East at A10 Networks.

He adds that while SSL encryption improves privacy and integrity, it also creates a blind spot in corporate defenses. According to one estimate, roughly half of all Internet traffic is encrypted, and this figure is expected to reach 67% by 2016.

Can SSL be exploited? If the experts are to be believed, it can. “Attackers can exploit the SSL blind spot to sneak past security controls. Almost every network attack can be encrypted in HTTPS, FTPS, SMTPS and other SSL-enabled protocols,” said Vincent Steckler, CEO, Avast Software, when we spoke with him last month during his visit to India. “No one can claim to be 100% safe these days. The edge lies in being prepared for dealing with all kinds of attacks,” Steckler added.

Most security companies say they study how malware developers use encryption to evade detection and how those evasion techniques have become stealthier over time. The fact is that hackers are further ahead than any of us can imagine.

Security for Command and Control Communications

The Zeus banking Trojan is a type of malware that incorporates encryption. “Although Zeus is not new—it was first identified in 2007—it continues to be one of the most prevalent as well as dangerous Trojans around. Zeus has compromised roughly 4 million PCs as of December 2014,” said Glen Ogden, Regional Sales Director, Middle East at A10 Networks.

Zeus has outlived other types of financial malware because it is among the most complex, which makes it hard to detect and remove. The widespread availability of the Zeus attack toolkit has also enabled countless criminal groups to develop variants that are even more sophisticated and stealthy.

As a case in point, the Gameover Zeus Trojan leverages encryption for both malware distribution and command and control (C&C) communications. For example, the Upatre downloader utility, which is often used to install Gameover, downloads the Gameover software over an SSL connection from a compromised web server. Once the Gameover software is installed, it uses peer-to-peer networks to communicate to C&C servers.

Command & Control Gets Social

To avoid detection, newer malware uses social networks and web-based email for C&C communications. Security researchers have discovered malware that receives C&C commands from malicious Twitter accounts and from comments on Pinterest. Like most social networks, Twitter and Pinterest encrypt all communications, so organizations should inspect SSL traffic to detect botnet activity. Otherwise, IT security analysts might observe client machines accessing Twitter or Pinterest and assume the traffic is harmless. “Organizations need to endeavor to inspect SSL traffic on a regular basis to detect botnet activity. In addition, they should use all kinds of means to protect their networks,” suggested Sergy.

Beware of Malware Stealth

To demonstrate just how social malware has become, security researchers in Germany discovered a remote access Trojan (RAT) that gets C&C commands through online email accounts like Yahoo and Gmail. In an interesting twist, consultants at Shape Security found that at least one Icoscript strain receives C&C updates from Gmail draft messages. Much like disgraced General David Petraeus—who communicated with his mistress Paula Broadwell through Gmail draft messages—the malware attempted to evade detection by never actually sending the emails.

Like most webmail services, Gmail, Outlook and Yahoo Mail encrypt traffic, and malware developers are clever enough to take advantage of that encryption to evade detection. To detect such malicious activity, organizations should decrypt and inspect traffic to email sites.
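An added detection example for the Twitter/Pinterest and webmail passages above (my own code, not from the article or any vendor quoted in it): even before a session is decrypted, the TLS SNI hostname and connection timestamps show how regularly a client reconnects to an otherwise legitimate site, and a near-constant cadence is exactly the pattern an analyst who "assumes the traffic is harmless" would miss. The log format, hostnames and IP addresses are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample TLS connection log (not real data): "<ISO timestamp> <client IP> <SNI hostname>".
# 10.0.0.7 polls twitter.com every ~5 minutes; 10.0.0.9 is a person browsing at irregular times.
SAMPLE_LOG = """\
2015-09-01T09:00:00 10.0.0.7 twitter.com
2015-09-01T09:00:05 10.0.0.7 cdn.example-news.test
2015-09-01T09:05:00 10.0.0.7 twitter.com
2015-09-01T09:10:01 10.0.0.7 twitter.com
2015-09-01T09:15:00 10.0.0.7 twitter.com
2015-09-01T09:19:59 10.0.0.7 twitter.com
2015-09-01T09:25:00 10.0.0.7 twitter.com
2015-09-01T09:02:13 10.0.0.9 twitter.com
2015-09-01T09:41:50 10.0.0.9 twitter.com
2015-09-01T10:05:02 10.0.0.9 twitter.com
2015-09-01T10:06:40 10.0.0.9 twitter.com
2015-09-01T11:30:17 10.0.0.9 twitter.com
2015-09-01T11:31:00 10.0.0.9 twitter.com
"""

def parse_log(text):
    """Group connection timestamps by (client, host) from the constructed log format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, client, host = line.split()
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    return sessions

def beacon_score(times):
    """Coefficient of variation of the gaps between connections; near 0 means machine-like regularity."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def find_beacons(text, min_conns=5, max_cv=0.05):
    """Return {(client, host): cv} for pairs whose connection cadence looks like C&C polling."""
    flagged = {}
    for key, times in parse_log(text).items():
        times.sort()
        if len(times) < min_conns:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            flagged[key] = round(cv, 4)
    return flagged

BEACONS = find_beacons(SAMPLE_LOG)  # {('10.0.0.7', 'twitter.com'): 0.003}
```

The thresholds are assumptions to tune per environment; a flagged pair is a lead for decrypting and inspecting that client's sessions, not a verdict on its own.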

In conclusion, privacy concerns fueled by the Snowden effect have triggered a massive spike in SSL traffic over the past three years. Today, cybercriminals are hiding their attacks using SSL traffic to circumvent existing security controls. It is imperative that CIOs and IT managers in the Middle East familiarize themselves with solutions that uncover hidden threats in encrypted traffic.
