After years of warnings about security, surveillance, and unwanted state intrusion, one group of internet-connected folk has taken heed: malware operators.
Just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security (TLS) to encrypt both its command-and-control traffic and data exfiltration.
Formerly SSL in an earlier life, TLS is the cryptographic protocol that underpins, among other things, HTTPS web connections Briefly, it hides the contents of web traffic from external inspection, whether by government agencies or fed-up techies trying to tell the difference between a shadow IT file transfer and an in-progress ransomware attack.The abuse of TLS by malicious people means life is becoming harder for defenders.
A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS – such as Discord, Pastebin, GitHub and Google’s cloud services – as repositories for malware components.
Around 80 per cent of traffic seen by Sophos in Q1 2021 could be linked to droppers, a subset of malware that gains a foothold on a target system before installing (or dropping) a further payload, the firm said.
Google’s various cloud services accounted for 9 per cent of tainted TLS requests, with chat-for-gamers service Discord finding itself featured prominently thanks to criminals’ abuse of its Cloudflare-hosted CDN to spread their malicious wares. “nearly half of all malware TLS communications went to servers in the United States and India.”
The finding that criminals are using encryption to help malware evade detection is certainly not new; Sonicwall, picked up on encrypted non-standard port traffic back in 2019.In a similar vein, Kaspersky warned of a malware strain capable of decrypting TLS traffic which it labelled Reductor. That malware came from the Russian state-backed Turla hacking crew.