Friday, June 14, 2024

Malware operators leverage TLS in 46% of detected communications


Urs Holzle, Senior Vice President of Technical Infrastructure at Google, talks about the Google Cloud Platform during a Google I/O Developers Conference in San Francisco, California. Much of the increase in TLS usage by malware operators is attributed to increased use of legitimate online and cloud services protected by TLS, including Discord, Pastebin, GitHub and Google’s cloud services. (Photo by Stephen Lam / Getty Images)

Researchers found that while Transport Layer Security (TLS) adoption keeps growing and now accounts for about 98% of all website visits, use of TLS among malware operators has grown from 23% of all malware detected in 2020 to nearly 46% today.

In a blog post published Wednesday, Sophos researchers said malware developers have adopted TLS for essentially the same reasons as legitimate companies: to prevent defenders from detecting and stopping malware deployment and data theft.

Sophos has linked much of the growth in TLS usage by malware operators to increased use of legitimate TLS-protected online and cloud services, including Discord, Pastebin, GitHub and Google’s cloud services. These sites have become repositories for malware components, destinations for stolen data, and channels for sending commands to botnets and other malware. Sophos has also linked the use of TLS among malware operators to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the threat actors deploying the malicious code.

As network and data encryption has become commonplace for protecting personal and business data, Charles Herring, co-founder and chief technology officer of WitFoo, said cybercriminals have increasingly adopted the same advances in encryption to protect their own privacy during attacks.

“Cybersecurity analysts and investigators have had to adapt techniques to account for these confusing approaches by criminals,” Herring said. “Modern research requires understanding, confirming, and developing data from endpoints, agents, servers, network, and cloud data sources. SecOps, which has historically relied on in-depth network packet analysis to track attackers, needs to develop skills and tactics in other data domains to fill the gaps left by ubiquitous encryption.”
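The two points above (malware hiding in TLS sessions to legitimate services, and SecOps having to pair network data with endpoint data) can be illustrated with a small detection, written here as an added example that is not code from Sophos, WitFoo or this article. It assumes a hypothetical host sensor log that records the process behind each TLS connection together with the Server Name Indication (SNI), and flags connections to the services named in the article when they originate from something other than an expected client program; the log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample records from a hypothetical host sensor that pairs each
# TLS connection's SNI with the process that opened it. TLS hides the payload,
# but the destination name and the originating process remain observable.
SAMPLE_LOG = """\
2024-06-12T10:01:03Z host=ws-17 pid=4120 exe=C:\\Program Files\\Mozilla Firefox\\firefox.exe sni=discord.com port=443
2024-06-12T10:01:09Z host=ws-17 pid=5522 exe=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe sni=pastebin.com port=443
2024-06-12T10:02:40Z host=ws-17 pid=5522 exe=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe sni=cdn.discordapp.com port=443
2024-06-12T10:03:15Z host=ws-17 pid=1888 exe=C:\\Program Files\\Git\\mingw64\\bin\\git-remote-https.exe sni=github.com port=443
2024-06-12T10:04:02Z host=ws-17 pid=7001 exe=C:\\Windows\\System32\\rundll32.exe sni=storage.googleapis.com port=443
"""

# Legitimate services the article names as abused for staging, exfiltration and C2.
ABUSED_SERVICES = ("discord.com", "discordapp.com", "pastebin.com", "github.com", "googleapis.com")

# Programs that are expected to talk to those services (assumed allow-list).
EXPECTED_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "discord.exe", "git.exe", "git-remote-https.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) exe=(?P<exe>.+?) sni=(?P<sni>\S+) port=(?P<port>\d+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    pid: int
    exe: str
    sni: str


def sni_matches(sni: str, service: str) -> bool:
    """True if the SNI is the service domain itself or one of its subdomains."""
    return sni == service or sni.endswith("." + service)


def flag_abused_services(log_text: str) -> list:
    """Return one Alert per TLS connection to an abused service from an unexpected process."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than crash the detection
        sni = m["sni"].lower()
        if not any(sni_matches(sni, s) for s in ABUSED_SERVICES):
            continue
        exe_name = m["exe"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe_name in EXPECTED_CLIENTS:
            continue  # a browser or official client reaching the service is normal
        alerts.append(Alert(m["ts"], m["host"], int(m["pid"]), m["exe"], sni))
    return alerts
```

On the constructed sample this flags the Temp-folder binary reaching Pastebin and Discord's CDN and rundll32 reaching Google storage, while the browser and git traffic to the same services passes; in practice the allow-list needs tuning per environment and process-name checks should be backed by binary signatures or hashes.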

Zach Jones, senior director of detection research at WhiteHat Security, said the development and growth of TLS was motivated by a clear recognition that TLS serves as a fundamental requirement to ensure delivery of applications.

“Setting up TLS for any application – including malware – has become very easy,” Jones said. “Therefore it is a simple way for malware authors to decrease the possibility that their command-and-control communications will be marked as malicious.”
