Blue Coat researchers are warning companies and governments about malware hidden in SSL traffic.
The team's recent research into the security blind spots created by encrypted traffic has produced useful findings.
It validated that the use of SSL/TLS in malware is on the rise.
This use of SSL/TLS is most prominent in ransomware, which typically employs hidden command and control (C&C) channels to execute malicious programs and then exfiltrate proprietary data.
Two key findings have been identified:
First, the number of malware samples was approximately 500 per month prior to October 2015. In October, November and December 2015, it reached an average of 29,000 samples.
Second, the number of C&C servers using SSL was 1,000 prior to and including Q1 2015. By Q3 2015, it had leapt to 200,000 per quarter.
Clearly, there’s been a major increase in malware encryption.
Blue Coat Systems Inc. has since released an Encrypted Traffic Management appliance primarily designed to address the growing malware threat.
The SSL Visibility Appliance SV3800B-20 more than doubles the capacity of the company's original SSL visibility offering and serves as a perfect tool for businesses.
The appliance model allows them to maintain compliance with corporate policies and privacy regulations while their network defenses are secured against encrypted malware.
SSL-based Malware Increase
Analyzing the findings, researchers discovered a 58-fold increase in SSL-cloaked C&C traffic and a 200-fold increase in C&C servers using SSL in 2015.
The spike indicates that malware families that have historically used SSL went through a dramatic surge in both distribution and usage.
The bursts in the spike's time frame coincided with the onset of the holidays.
This means that the bursts may be related to one or more large-scale campaigns launched on infrastructure based on these malware families.
Whether it is an escalating trend or a short-term burst, the malware is an example of wide-scale SSL/TLS use as an obfuscation technique.
C&C Server Increase
The research uncovered a 200-fold increase in SSL C&C servers during certain periods last year.
The number was relatively stable in 2014, then surged to over 100,000 in Q2 2015, with a hundred thousand more added in Q3 2015.
By C&C server, the researchers mean any server that forms part of the malware's overall infrastructure, including coordination points, data exfiltration points and malware download sites.
The whopping increase indicates that SSL/TLS is bound to be used more and more to conceal attacks in the future.
Blue Coat attributes the spike in SSL/TLS encrypted traffic to the accelerated use of cloud and mobile apps and services, linked to growing concerns about personal privacy.
The huge growth in the use of encryption itself paves the way for cybercriminals to hide malware inside encrypted transactions.
The company adds that the majority of enterprise security infrastructure remains blind to encrypted traffic while attacks become exponentially more rampant.
Most IPS, data leakage prevention, malware sandboxing and other tools are unable to decrypt SSL/TLS and thus cannot analyze the traffic it carries.
These findings help explain how threat actors could achieve the huge explosion in C&C server numbers, which preceded the appearance of the associated malware.
SSL Visibility Appliance
Blue Coat's SV3800B-20 model SSL Visibility Appliance more than doubles throughput, with capacity up from 4 to 9 Gbps, and thereby addresses the security blind spot caused by SSL/TLS traffic.
Blue Coat Systems president and COO, Michael Fey, says the findings presented by the company's researchers reveal what many have long suspected.
That is, the use of SSL traffic as a main malware and exfiltration channel is escalating substantially.
He further explains that these increasing threats shed light on the problem for many organizations.
By now, they will have realized that a balance between proper SSL inspection and network performance is essential.
It's not as easy as they thought or as network security providers have led them to believe.
Through the recently released appliance model, Blue Coat aims to help customers fight security threats that are hidden within encrypted traffic.
Fey adds that through dedicated SSL visibility, enterprises also preserve customer priorities that organizations require nowadays, such as network performance, privacy and regulatory compliance.