Research Saturday 12.5.20
Ep 162 | 12.5.20

SSL-based threats remain prevalent and are becoming increasingly sophisticated.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Deepen Desai: So, the report that we pushed out is specifically focused on encrypted attacks, and these are attacks that leverage SSL/TLS connections to basically hide from legacy security controls that are not able to open those TLS connections.

Dave Bittner: That's Deepen Desai. He's CISO and VP of Security Research and Operations at Zscaler. He shares the research he and his team have been conducting on ransomware, specifically the Ryuk strain.

Dave Bittner: Well, for folks who might not be familiar with some of the terms there, can you give us a little bit of the background? What are we talking about here?

Deepen Desai: So, SSL/TLS is basically a transport-layer security protocol that allows you to encrypt the data that flows between the client and the server. And the easiest way you can spot that is by looking for the "https" in the URL, and there should be a padlock sign appearing on the left as well. That kind of indicates that the connection that you're making to the destination is over TLS.

Dave Bittner: I see. Well, let's go through the report together. I mean, what were some of the key findings that you had?

Deepen Desai: So, one of the key findings is we looked at all the traffic that flows through Zscaler Cloud, and over eighty percent of all Internet-bound traffic is now encrypted. That means that all of this traffic is leveraging HTTPS. And one of the alarming numbers that we saw was 6.6 billion threats were blocked in the first nine months of 2020, and these were threats that were being delivered over HTTPS.

Dave Bittner: Hmm.

Deepen Desai: So, if you don't open those TLS connections, then you're – and the right term is, if you don't perform SSL inspection, you will basically be blind to any of those bad payloads, malicious scripts that are flowing in those HTTPS connections. So, the fact that a lot of the Zscaler customers are opening those TLS connections and allowing us to inspect the payloads and traffic meant we were able to identify and block 6.6 billion threats over encrypted channels.

Dave Bittner: Wow. Well, can you give us a little bit of insight here as to how exactly that happens? Because I think we all – we understand that the point of encrypted traffic is to keep out prying eyes. So how do you have encrypted traffic but also have the ability to inspect it?

Deepen Desai: So the way it works is you need a proxy-based architecture where you terminate the connection at the proxy, and then the proxy makes a connection on your behalf to the destination. And the standard TLS certificate handshake and all of that will happen between the client and the proxy and the proxy and the destination. This will allow us to basically inspect all the payloads as well as the content that's flowing through the HTTPS.

Dave Bittner: Hmm. Well, let's dig in and talk about some of the things that you detected. What sort of payloads are prominent here?

Deepen Desai: So, what we saw was the bad actors were leveraging the encrypted channels throughout the attack cycle. So, starting with things like phishing attacks, where the goal is to steal credentials or to lure the user into clicking or downloading something and compromising their systems. The second stage where you know, there is an exploit taking place, where the bad actors are trying to exploit a vulnerability on the user system. So delivery of those exploit payloads were also found to be happening over encrypted channels.

Deepen Desai: We also noticed malware payloads being hosted on popular cloud storage service providers like AWS, Google, Dropbox, Box, in order to, again, get past legacy security controls that are not inspecting SSL traffic. And then finally, once the infection happens, we also noticed several malware families that were leveraging the encrypted channel to perform C&C – command-and-control – activity. And this is also used to exfiltrate data from the compromised systems.

Dave Bittner: Now, who are they targeting here? What sort of organizations are being hit the most?

Deepen Desai: Great question. So, we did look at the industry verticals and that was one of the key findings as well. Like, 1.6 billion encrypted threats were targeting healthcare, right? And we were all thinking that because of the pandemic situation, healthcare will not be targeted as much. But again, that was the number one target. In fact, the healthcare portion represented, I believe, twenty-six percent of overall encrypted attacks that were seen in the first nine months of 2020.

Deepen Desai: I would say the top three brands that we saw, number one was Microsoft, where all the web properties like Office 365, SharePoint, OneDrive were being targeted in the phishing attacks. We also saw several instances of tech support scams where the bad guys will show a pop-up to the victim saying that their machine is infected or it has a problem and they need to pay Microsoft tech support, which is obviously a scam, in order to repair the error. And then the third brand that we saw was PayPal. So, it's spread across both corporate services as well as consumer-side services. And the goal is to get access to the user credentials.

Dave Bittner: It's interesting to me that, as you pointed out at the top of our conversation, with the vast majority of the traffic that you all are tracking here, you know, using SSL or TSL – I'm sorry, TLS encryption, I mean, it's the norm now. There's nothing exotic about it. And so it's just an everyday part of doing business.

Deepen Desai: Exactly. So HTTPS is important. It does make it difficult, like you said, for prying eyes who are trying to spy on your Internet activity. But again, that is also becoming a blind spot for many of the large enterprises because the bad guys are also leveraging the same channel to serve malicious content.

Dave Bittner: Now, one of the other things that you point out in your research here is that the attackers are taking advantage of people's trust in well-known brands.

Deepen Desai: Yes. So, that is a part where what they would do is – so, first, they will clone a page that looks very similar to one of the brands that they're targeting. So think of things like Office 365 login page. And so if the bad guys are after your corporate user credentials for Office 365, they will spin up a page, put it behind TLS, make that page look identical to the Office 365 login page and they will try to phish your end users for their corporate credentials.

Dave Bittner: Let's talk about ransomware. How prevalent was that in what you were looking into here?

Deepen Desai: So, ransomware attacks have been on the rise. In fact, as per the report, we saw almost 500 percent increase since March of 2020 for ransomware payloads that were being delivered over encrypted channels.

Dave Bittner: Wow. And what are some of the variants? Are there any that rise to the top? Are there any that are more prevalent than others?

Deepen Desai: So we saw several ransomware families – and I'll cover one of the trends that is becoming increasingly popular among the ransomware families, especially this year. And that is many of these families, in addition to encrypting the data on the endpoints, have also started exfiltrating sensitive documents, sensitive information from the victim environment. And the reason they do this is even if the organization has good data backup hygiene and they are able to recover from a ransomware attack just by restoring their data, they will still threaten them to leak the stolen information if the organization doesn't pay the ransom. So that's a trend that we're seeing in almost more than a dozen prevalent ransomware families. It started with Maze in late 2019, but there are, like I said, more than a dozen ransomware families now that are leveraging that double extortion tactic.

Dave Bittner: Well, let's talk about prevention here. I mean, what are you recommending in terms of best practices against some of these types of SSL threats?

Deepen Desai: So, one of the primary things to do is to inspect all SSL traffic, right? That's – I mean, you can't block what you cannot see. Unless you inspect SSL traffic, you will be blind to all the payloads, malicious scripts that are flowing underneath that. So that's number one.

Deepen Desai: Number two, I would say you need to have a true zero-trust network access architecture in place, essentially, especially now with every employee being remote, one infected laptop should not be able to bring down your entire network. So, having a zero-trust network access where the users are only allowed to access the applications that they are authorized to, and there is no network presence of any of your user laptops, which essentially reduces the blast radius, right? So, one infected machine cannot infect the others if they literally don't have a network presence in your network.

Dave Bittner: Our thanks to Deepen Desai from Zscaler for joining us. You can find out more about their research on the Ryuk strain of ransomware on their website.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.