How encrypted malware helps attackers evade SSL detection
The secure sockets layer (SSL) protocol, designed to keep websites more secure, is being used by cybercriminals to conceal and launch encrypted malware attacks. Here's how encrypted malware evades SSL detection - and what you can do to ensure your business's users don't fall victim.
What is malware?
The concept of a computer virus may seem vague, especially with the emergence of so many different types of threats to your cybersecurity. The specific threat we're discussing in this article is known as malware: a piece of software that runs a malicious script or other malicious code.
Hackers spread malware around the internet in many different ways. They are typically looking to either steal data, cause outages, or generally create chaos for businesses.
In the early days of the internet, most malware was targeted specifically at the Windows operating system. That's still partially true, although even mobile devices are increasingly susceptible to today's forms of malware.
Malware often begins as a phishing scam, where hackers send emails which include rogue links. If a user clicks on the link and allows the malware file to be downloaded to their device, it initiates the full attack.
Many businesses are targets of a form of malware called ransomware, in which the virus takes over a computer and demands payment in return for releasing control back to the owner.
How SSL encryption benefits your business
As customers surf the internet on a computer or mobile device, they'll typically look for a padlock icon to appear next to the URL address in their browser. Thanks to major public awareness campaigns by Google and the GDPR, users generally understand that when the icon is present, the website uses a valid SSL certificate to encrypt data sent to it.
This is critical for any website that asks users to enter personal information such as a password or credit card number. Users should never send private data to a website unless an SSL certificate is present. Otherwise, if a hacker has compromised any of the equipment on the network, they will be able to intercept and read traffic.
From a business point of view, getting your web server set up with an SSL certificate is a painless process. Most web hosting plans include them. Some domain name registrars even offer a free Alpha SSL certificate upon registration of your domain.
Risk associated with encrypted malware
Unfortunately, the advantages that come with SSL encrypted traffic can also be used in nefarious ways.
Hackers have developed encrypted malware that bypasses common security blockers and invades corporate networks with the intention of stealing data or launching a full-scale ransomware attack.
Hackers now deploy stolen or forged SSL certificates on their own phishing websites so that when malware is transmitted into a corporate network it is fully encrypted. The only way to successfully block it is to adopt an intrusion detection system (IDS) that is capable of deep packet inspection, an advanced method of examining and managing network traffic.
When deep packet inspection is enabled, the network firewall terminates the encrypted connection with the destination website itself, rather than the user's browser doing so. That way, when data is transmitted back it can be fully scanned for malware before being passed on to the proper user.
Additionally, some hackers are taking a different route by executing SSL stripping attacks instead. This involves switching a user's web request from HTTPS to HTTP without their knowledge, leaving them on an insecure connection. Users not keeping an eye on the URL bar may not realise they've been redirected to an unexpected location.
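One way a defender can spot the downgrade pattern described above in proxy logs: the script below is an added example, not code from the original article, and the log format and hostnames it uses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic) in a simplified
# "client method url status" format. Client 10.0.0.5 reaches the bank over
# https and then over plain http: the downgrade pattern stripping produces.
SAMPLE_LOG = """\
10.0.0.5 GET https://bank.example.com/login 200
10.0.0.5 GET http://bank.example.com/login 200
10.0.0.7 GET http://news.example.org/ 200
10.0.0.7 GET https://news.example.org/ 200
10.0.0.9 GET http://bank.example.com/ 301
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (https?)://([^/\s]+)(\S*) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, scheme, host, path, status = m.groups()
    return {"client": client, "method": method, "scheme": scheme,
            "host": host.lower(), "path": path or "/", "status": int(status)}


def find_downgrades(log_text, known_https_hosts=()):
    """Return (client, host, path) for plaintext requests that look like downgrades.

    A plain http request is flagged when the same client already reached the host
    over https earlier in the log, or when the host is on the caller's list of
    https-only hosts (a stand-in for an HSTS preload list). A plain http request
    answered with a redirect is the normal http-to-https bounce and is skipped.
    """
    seen_https = defaultdict(set)
    known = {h.lower() for h in known_https_hosts}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["scheme"] == "https":
            seen_https[rec["client"]].add(rec["host"])
        elif rec["status"] not in (301, 302, 307, 308) and (
                rec["host"] in seen_https[rec["client"]] or rec["host"] in known):
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits
```

On the server side, sending a Strict-Transport-Security header tells browsers that have visited once to refuse plain HTTP to that host on later visits, which is the standard mitigation for stripping.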
Malware defence measures
As malware has evolved, so have the systems and tools designed to defend against this form of cybersecurity threat. Businesses need to perform a full risk analysis of their technology systems and come up with a top-level strategy for how to shrink attack surfaces and protect key data sources.
Choose a service provider who emphasises security:
- Only use an SSL provider who works with a trusted Certificate Authority, such as GlobalSign.
- Use DNS services which employ DNSSEC to confirm data.
- Choose a web hosting plan with strong security features like intrusion prevention, security advisor, firewall, or other tools which intercept the kind of SSL threats in question before they reach the end users.
Next Generation Firewall: One of the most common cybersecurity tools is a firewall, which monitors all incoming web traffic to an organisation's network and scans it for known threats. Modern firewalls incorporate artificial intelligence and machine learning technology to identify new forms of malware and raise alarms before an attack is executed.
VPN still a good idea: Though a virtual private network (VPN) does nothing to stop malware, it still comes highly recommended by security experts as a secondary encryption layer for your data. A VPN routes traffic through a proprietary network of servers to establish anonymity and encrypts the data flow for privacy. Typically priced at less than ten bucks monthly, the best VPNs should be part of any cybersecurity strategy.
SSL-evading malware is a serious threat
When it comes to the problem of malware using SSL to evade detection, though, keeping yourself and team members trained on best practices is critical.
You need to know what kind of threats to look out for and how to respond when an attack is executed. Taking proactive steps, like ensuring your business website is SSL-enabled or DNSSEC-protected, won't stop all threats but will reduce your users' exposure.
Sam Bocetta is a freelance journalist specialising in U.S. diplomacy and national security, with emphasis on technology trends in cyber warfare, cyber defence, and cryptography.