Nearly half of all malware is concealed in TLS-encrypted communications
Threat actors have sharply ramped up use of the Transport Layer Security (TLS) cryptographic protocol to hide malware communications — creating new challenges for enterprise security teams in the process.
A Sophos analysis of malware samples observed during the first three months of 2021 showed that 46%, or nearly half, of all malware that communicated with a remote system over the Internet used TLS for that purpose. This represents a 100% increase from 2020, when 23% of malware tools used TLS.
A major reason for the increase is the growing practice among cybercriminals to use legitimate TLS-protected cloud and Web services such as Google cloud services, Pastebin, Discord, and Github for hosting malware or storing stolen data, and for their command and communication operations. Also contributing to the growth is the increased use by attackers of Tor and other TLS-based network proxies to encrypt communications between malware and the threat actors behind them, Sophos said.
“The main takeaways are that there is no such thing as a ‘safe’ domain or service when screening for malware, and that more traditional firewall defenses based on reputation scanning without deep packet inspection cannot protect systems,” says Sean Gallagher, senior threat researcher at Sophos.
The Sophos report is the latest to highlight the double-edged nature of mushrooming encryption use on the Internet. Over the past few years, privacy advocates, security experts, browser makers, and others have pushed for broad adoption of cryptographic protocols to protect Internet communications from spying and surveillance.
The efforts have resulted in the HTTPS protocol, which uses TLS, almost completely replacing the older HTTP protocol. According to Google—one of the most influential proponents of HTTPS—92% of the traffic that hits its online properties in the US uses TLS. The percentage is higher in other countries. In Belgium and India, for instance, 98% of the traffic to Google sites is encrypted; in Japan and Brazil, the number is 96%, and in Germany, 94%.
While the increased use of HTTPS and TLS overall—in email systems, VPNs, and other areas—has enabled greater privacy and security, it has also given attackers a way to use the same technology to hide their malware and malware communications from conventional detection mechanisms.
“There’s nothing we can build that the bad guys can’t use,” says Internet pioneer Paul Vixie, the chairman, CEO, and co-founder of Farsight Security.
To read the complete article, visit Dark Reading.