SHARED INTEL: Report details how cyber criminals leverage HTTPS TLS to hide malware

By Byron V. Acohido

Google was absolutely right to initiate a big public push a couple of years ago to make HTTPS Transport Layer Security (TLS) a de facto standard.

Related: Malicious activity plagues the cloud services

At the time, in the spring of 2018, only 25 percent of commercial websites used HTTPS; today adoption is at 98 percent and rising. Far beyond just protecting websites, TLS has proven to be a linchpin of network-level communications across the board.

Guess who else has been leveraging TLS? Threat actors quickly figured out how to adapt TLS to their purposes. An intelligence report released today by Sophos illustrates just how widely TLS has come to be used by cyber criminals to hide their malicious activity.

From January through March 2021, TLS concealed 45 percent of the malware Sophos analysts observed circulating on the Internet; that’s double the rate – 23 percent – seen in early 2020, Dan Schiappa, Sophos’ chief product officer, told me in a briefing. TLS, he says, is increasingly being used to cloak a wide array of the operational steps behind the most damaging attacks of the moment, namely ransomware attacks and massive data breaches.

This surge in TLS abuse has shifted the security community’s focus back to a venerable network security tool, the firewall. At a time when many companies are seeking digital agility above all else, the need for a robust firewall to keep an eagle eye on the data streaming in and out of a company’s network, however cleverly it has been assembled, has never been greater.

“For all the good TLS has done, it has also made it much easier for attackers to download and install malicious modules and exfiltrate stolen data,” Schiappa says. “Attackers are taking advantage of TLS-protected web and cloud services, for malware delivery and for command-and-control, right under the noses of IT security teams and most security technologies.”

For a full drill down on my discussion with Schiappa, please give the accompanying podcast a listen. Here are the key takeaways:

Surprise packages

TLS is a component of the Public Key Infrastructure, or PKI, the system used to encrypt data, as well as to authenticate individual users and the web servers they log onto. TLS enables companies to authenticate both ends of all connections made between a user and machine, and from machine to machine, while also encrypting the data transiting between two points.

In short, TLS helps preserve the integrity of legitimate digital connections. It turns out that TLS is also the perfect mechanism to distribute surprise packages. Hacking rings are using TLS to evade detection while delivering botnet commands, embedding malware and exfiltrating data. In the first quarter of 2021, the majority of malicious TLS traffic detected by Sophos carried initial-compromise malware such as loaders, droppers and document-based installers like BazarLoader, GoDrop and ZLoader.

On the front end of attacks, TLS helps the attackers obfuscate their malware as it is being moved into position and embedded. And on the back end, it allows them to cloak any data as it is getting exfiltrated.

Most of the firewall, intrusion detection and data loss prevention systems installed over the past 20 years can’t make heads or tails of the malware-laden TLS-encrypted traffic streaming through the systems they monitor, Schiappa says, and threat actors are taking full advantage.


“What we’re seeing is a more hands-on, adversarial type of approach,” Schiappa says. “Attackers are using nation-state tactics to find a way into an organization and locate the most valuable data. And then they may use off-the-shelf malware to carry out their attack. They’ll use encrypted traffic for any communications back to a command-and-control center or among other attackers in their group.”

Decryption bottleneck

Can anything blunt the trajectory of TLS abuse? Since this exposure manifests anywhere data streams into a company’s IT systems, the answer has to involve a firewall. The essence of a firewall is that it inspects packets of data for anything that looks amiss. These are the data packets arriving at a trusted destination, i.e. the firewall’s home network, from an untrusted source, i.e. the public Internet.

TLS has an encryption point and a decryption point. The former is distributed far and wide: any server, PC, smartphone or IoT sensor can initiate an encrypted data stream.

At the receiving end, a firewall has to decrypt the data and inspect the packets arriving from each one of these initiators.

Twenty years ago, this core task wasn’t too difficult because a firewall only had to protect a strictly-defined, on-premises data center. In today’s digitally transformed world of pay-as-you-go cloud infrastructure and geographically-dispersed software development, decryption and deep packet inspection have become daunting challenges.

It is resource intensive, to say the least, to have to decrypt all of the data streaming in from a vast array of initiation points, and then additionally have to inspect a rising tide of packets, Schiappa noted. Most network firewalls installed prior to wide adoption of TLS simply aren’t architected to efficiently handle the added burden.

Sophos is in the vanguard of cybersecurity vendors innovating solutions to this decryption bottleneck. Its new XGS Series firewall, for instance, features an advanced silicon chip designed for high-scale decryption; and the supporting XGS software can carry out a form of triage to decide which data streams should go to the front of the line for deep packet inspection.
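As an added example (this is not Sophos code and not part of the original article), here is a small Python sketch of the kind of triage a TLS-inspecting firewall performs before it spends any decryption budget: it parses the unencrypted ClientHello that opens every TLS connection, pulls out the Server Name Indication (SNI) and ALPN values, and decides whether a stream should be bypassed (privacy-sensitive categories), inspected normally, or pushed to the front of the inspection queue (no SNI, an IP-literal SNI, or an uncategorized destination). The category table, the `*.example` suffixes and the decision rules are constructed assumptions for illustration; the `build_client_hello` helper exists only so the sample runs offline.

```python
"""TLS ClientHello triage sketch (added example, not vendor code)."""
import ipaddress
import struct
from typing import Dict, List, Optional

# Constructed category table: a real firewall would consult a reputation feed.
CATEGORY_BY_SUFFIX = {
    "bank.example": "finance",
    "clinic.example": "health",
    "news.example": "media",
    "cdn.example": "infrastructure",
}
# Categories a policy might exempt from decryption for privacy/compliance reasons.
BYPASS_CATEGORIES = {"finance", "health"}


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Parse one TLS record holding a ClientHello; return version, SNI and ALPN.

    Only the fields needed for triage are extracted. Raises ValueError on
    anything that is not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                          # client random
    pos += 1 + hs[pos]                                 # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher suites
    pos += 1 + hs[pos]                                 # compression methods
    result: Dict[str, object] = {"version": version, "sni": None, "alpn": []}
    if pos + 2 > len(hs):
        return result                                  # no extensions block
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        data = hs[pos:pos + ext_len]; pos += ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name type
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == 16 and len(data) >= 2:                   # ALPN
            lst_len = struct.unpack("!H", data[:2])[0]
            p = 2
            protos: List[str] = []
            while p < 2 + lst_len and p < len(data):
                plen = data[p]
                protos.append(data[p + 1:p + 1 + plen].decode("ascii", "replace"))
                p += 1 + plen
            result["alpn"] = protos
    return result


def categorize(host: str) -> str:
    """Map a hostname to a category via the constructed suffix table."""
    for suffix, category in CATEGORY_BY_SUFFIX.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "uncategorized"


def triage(hello: Dict[str, object]) -> str:
    """Decide 'bypass', 'inspect' or 'inspect-priority' for a parsed ClientHello."""
    sni = hello.get("sni")
    if not sni:
        return "inspect-priority"          # no name to apply policy to; inspect first
    try:
        ipaddress.ip_address(sni)
        return "inspect-priority"          # IP literal in SNI is unusual for browsers
    except ValueError:
        pass
    category = categorize(sni)
    if category in BYPASS_CATEGORIES:
        return "bypass"
    if category == "uncategorized":
        return "inspect-priority"
    return "inspect"


def build_client_hello(sni: Optional[str], alpn=("h2", "http/1.1")) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (sample input only)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(lst)) + lst
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        lst = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", 16, len(lst)) + lst
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"     # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name in ("www.bank.example", "portal.news.example", "dl.unknown.test", "203.0.113.9", None):
        print(name, "->", triage(parse_client_hello(build_client_hello(name))))
```

The point of the sketch is that the SNI and ALPN travel in the clear in the ClientHello, so a firewall can make the bypass-versus-inspect decision without decrypting anything; only the streams marked `inspect` or `inspect-priority` then consume the decryption and deep-packet-inspection capacity the article describes as the bottleneck.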

“We’re able to scale up performance, from a resources perspective and from the number of connections perspective,” Schiappa told me. “And then we can apply really, really deep security focus in the areas that need attention.”

It’s clear, in today’s environment, that all organizations must make an effort to mitigate the risk of being crippled by a ransomware hack or disrupted by a massive data breach. A souped-up firewall that can flush out TLS-hidden attacks is starting to look like table stakes. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

