Mumbai: According to Sophos’ new research, “nearly half of malware now use TLS to conceal communications.” The research finds that cybercriminals are increasingly using TLS in their attacks as a popular tactic to encrypt and encapsulate the content of malicious communications, avoiding detection as they carry out attacks.
“Transport Layer Security (TLS) has been one of the greatest contributors to the privacy and security of Internet communications over the past decade,” said Sean Gallagher – Senior Threat Researcher, Sophos.
“Over the past decade, and particularly in the wake of revelations about mass Internet surveillance, the use of TLS has grown to cover a majority of Internet communications. According to browser data from Google, the use of HTTPS has grown from just over 40 per cent of all web page visits in 2014 to 98 per cent in March of 2021,” added Gallagher.
Cybercriminals increasingly using TLS to avoid detection
“Malware operators have also been adopting TLS for essentially the same reasons: to prevent defenders from detecting and stopping the deployment of malware and theft of data. We’ve seen dramatic growth over the past year in malware using TLS to conceal its communications,” pointed out Gallagher.
In fact, 45% of malware detected by Sophos from January through March 2021 used TLS to conceal malicious communications. That’s a staggering rise from the 23% Sophos reported in early 2020. Sophos has also seen an increase in the use of TLS to carry out ransomware attacks in the past year, particularly with manually deployed ransomware.
The majority of malicious TLS traffic that Sophos has detected includes initial-compromise malware, such as loaders, droppers and document-based installers like BazarLoader, GoDrop and ZLoader.
“TLS has undoubtedly changed the privacy of internet communications for the better, but for all the good it’s done, it’s also made it much easier for attackers to download and install malicious modules and exfiltrate stolen data – right under the noses of IT security teams and most security technologies,” said Dan Schiappa, Chief Product Officer – Sophos.
“Attackers are taking advantage of TLS-protected web and cloud services for malware delivery and for command and control. Their initial compromise malware is simply the advance guard for major attacks, as they’re setting up camp for the heavy artillery that follows, like ransomware,” added Schiappa.