According to a Sophos report released this week, there has been a dramatic year-over-year increase in the use of the Transport Layer Security (TLS) cryptographic protocol. TLS is a primary tool for securing web communications and application data, but it is now also widely used by malware operators to avoid detection.
HTTPS helps prevent wiretapping, man-in-the-middle attacks, and the cloning of trusted websites. But it also gives cybercriminals cover to discreetly move information between a website and a server, hiding in plain sight from malware hunters.
“It should come as no surprise, then, that malware operators have also been adopting TLS … to prevent defenders from detecting and stopping the deployment of malware and theft of data,” Sophos said.
Transport Layer Security (TLS) used more
According to Sophos, in February 2020 only 24% of malware used Transport Layer Security (TLS) for its communications. By 2021, that number had seen more than a 46% increase.
The majority of TLS use by malware is linked to the growing use of legitimate web and cloud services. TLS-protected services sometimes unknowingly host malware components, serve as a drop-off point for stolen data, or are used to relay commands to botnets.
The report claims there has been an unprecedented increase in the use of TLS in ransomware attacks, especially in manually deployed ransomware attacks.
“We found that while TLS still makes up an average of just over two percent of the overall traffic Sophos classifies as ‘malware call-home’ over a three-month period, 56 percent of the unique C2 servers (identified by DNS hostnames) that communicated with malware used HTTPS and TLS. And of that, nearly a quarter is with infrastructure residing in Google’s cloud environment.”
Bad Traffic Looks Good
Sean Gallagher of SophosLabs conducted the survey using data gathered internally. The report is entitled “Nearly half of malware now use TLS to conceal communications.”
Gallagher explains that TLS allows cybercriminals to hide in plain sight by making their malicious traffic look the same as legitimate traffic.
The report emphasizes that “Malware communications typically fall into three categories: downloading additional malware, exfiltration of stolen data, and retrieval or sending of instructions to trigger specific functions (command and control).”
“All these types of communications can take advantage of TLS encryption to evade detection by defenders. But the majority of TLS traffic we found tied to malware was of the first kind: droppers, loaders and other malware downloading additional malware to the system they infected, using TLS to evade basic payload inspection.”