Cybercriminals increasingly using SSL certificates to spread malware

Enterprises that don't perform adequate SSL inspections are now at a much higher risk to be breached or attacked, according to a Menlo Security report.


Despite almost 52% of the top one million websites having "https" rather than the traditional "http" in their URL, Menlo Security released a report on Tuesday with data indicating enterprises that don't perform adequate SSL inspections are now at a much higher risk to be breached or attacked.

Recent studies have shown that cybercriminals building phishing sites now use SSL as well, complicating efforts by enterprises to keep their employees safe. The Menlo Security research revealed that while 96.7% of all user-initiated web visits are being served over https, only 57.7% of the URL links in emails turn out to be https, which means that web proxies or firewalls will be oblivious to the threats unless enterprises turn on SSL inspection.

"If you think the little green lock of https equals security, think again," the report said. "The bad news is that the bad guys use encryption, too. Many people mistakenly assume that as long as an SSL certificate is present, they're safe from attack, but that couldn't be further from the truth. From Reductor to Godlua and numerous other variants, it has become all too clear that new types of malware are being secreted behind a symbol that was once seen as secure."

According to the report, enterprises have long relied on on-premises proxies and next-generation firewalls for visibility and control of web access. But when it comes to decrypting and inspecting SSL sessions, the report said, "many enterprises have held back partly driven out of privacy issues and partly around performance of these proxies with SSL decryption turned on. It's not uncommon for the overall throughput of these devices to drop by a factor of five or more when SSL decryption is turned on."


The switch over to https from http is due in no small part to Google, which started putting https websites higher in their rankings as a way to promote safer sites in 2014. Dozens of browsers now do similar things in terms of promoting https links over http ones, but in recent years this practice has been abused thanks to widely available tools for website builders to encrypt their sites. 

Of the threats on https websites, 47.1% are running vulnerable server software and 41.5% are listed as uncategorized sites. 66.8% of non-browser traffic is over SSL and, of the known threats, 90.6% of the machine-generated https sessions are to uncategorized websites, the report notes.

In an interview, Menlo Security's chief technology officer, Kowsik Guruswamy, explained that SSL decryption is usually done by on-premises appliances, and that his company has found many enterprises have two primary reasons for not turning on SSL decryption.

The first is privacy, because most companies are wary of looking into what links their employees are clicking on. But for companies in regulated industries, it has become a requirement to decrypt and look at everything. The downside is that when these enterprises turn on SSL decryption on the hardware appliances, their performance drops by a factor of five, if not more.

"They're caught in this rock and a hard place. On one hand, the regulations dictate that they must have this ability, especially for incidents. They need evidence. On the other hand, they need a lot more appliances from these vendors to do that. In our own cloud, we're seeing 95%, or above of the traffic being served over SSL. Both good and bad," Guruswamy said. 

"For user-initiated traffic on cloud, 97% of the websites are being served over https. The significance for the enterprise is that if they don't do SSL inspection, the users are not being protected at all."

Things have changed dramatically in the last few months as almost everyone has moved out of office workspaces. Before the coronavirus pandemic, most employees would VPN back into the corporate offices regardless of whether they were working from a branch office. From there, all of the traffic would be subjected to whatever inspections are on the security stack in the corporate headquarters.

But now, Guruswamy said, Menlo's customers, which include many of the world's biggest banks and credit card companies, are telling them that their VPN infrastructure is straining because they only planned for 1%-5% of their employees to work remotely.

"But that's completely flipped over now. Because of the VPN getting overwhelmed, more and more companies are basically saying, 'Look, you can't watch YouTube or watch the news when connected through the VPN, you have to go direct.' So once people start going direct, then they've got no protection whatsoever and the company also loses visibility of the traffic in terms of SSL or not," Guruswamy added.

"What we're finding is that about 47% of the https websites are actually running really old, vulnerable software based on the versions that are reported. And when we cross collate that with the CVE numbers and all the known vulnerabilities on our stack, there's all these old versions of WordPress that are running that are vulnerable but they're being sold over SSL. That's a problem."

In Menlo's report, the company found that most emails contain 30-40 links and many people generally only click on one. More than 90% of the links people click on are https, meaning that there is little protection from phishing links. 

These days, Guruswamy noted, most of the traffic, both good and bad, is over https, including phishing sites, malware sites, parked domains, as well as command and control sites that are essentially infected endpoints calling out into the internet.

"At some point, you're going to have to look at it because everything, good or bad, is coming over SSL," Guruswamy said. "If you're not decrypting, you're in big trouble. You basically have no way of knowing what's coming into or leaving your network. You are driving blind."
