"nearly half of all malware TLS communications went to servers in the United States and India." - This fact seems a bit commy!?!
Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services
After years of warnings about security, surveillance, and unwanted state intrusion, one group of internet-connected folk has taken heed: malware operators. British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security ( …
COMMENTS
-
-
Wednesday 21st April 2021 18:03 GMT Diogenes8080
Jolly Boating Weather
Possibly correct if your honeypot is in Chennai.
Elsewhere in the world, other nets are likely to figure. For botnets, Stiff's scurvy crew say CN 1st, IN 2nd and US 3rd: https://www.spamhaus.org/statistics/botnet-cc/
I am surprised the ratio of encrypted traffic is not higher. SSL is free, domains and hosting are cheap and no-one seems to think it is their problem if a fraudster tells lies when applying for any of these.
-
-
-
Wednesday 21st April 2021 17:58 GMT Throatwarbler Mangrove
Re: It had to happen
It would be a lot easier to detect nefarious traffic, however, if the traffic were not already encrypted.
We're moving to the point that deep-packet inspection at the edge of the consumer network is going to be a necessity. Basically, each home's router/firewall will also need to act as a Web proxy configured to decrypt and inspect all traffic passing through it to search for malware, as is currently common on enterprise networks. That should be a fun exercise.
-
Thursday 22nd April 2021 13:30 GMT Anonymous Coward
Decryption
TBH that's been the case for quite some time, it's hardly a revelation from Sophos here.
Any serious intrusion has been using SSL traffic for C2 for a long old time.
The reasons are two fold:
1) it's encrypted (like duh!)
2) Your network already chucks out so much SSL that they hide in the background noise
So you could always use something clever to decrypt and inspect at your edge - assuming that in 2021 you actually still have a physical edge now your workforce is working from home.
Assuming you have a physical edge, all you need to do is to deploy forward trust certs to all of your endpoints so the magic box can inspect the traffic.... at this point in any complex environment you then need to start building an exception list for decryption or everything breaks.... shortly after this you'll probably look for a low beam and a length of rope.
Your mileage may vary, but in a large complex environment....
You could always use ETDR solutions rather than network intercept, might be easier these days. Just make sure you buy the correct vendor one or you'll discover a large chunk of your platforms aren't supported either...
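The two Anonymous Coward comments above and below (on decrypting at the edge with forward trust certificates, and on the exception list you end up needing) describe a mechanism without showing it. The following is an added example, not code from Sophos, The Register or any commenter: a small ordered decrypt/bypass policy of the kind an inspecting proxy applies per connection, plus a helper that mines proxy handshake logs for hosts where clients abort after seeing the proxy's re-signed certificate (the usual symptom of certificate pinning) and so belong on the exception list. All hostnames, categories and log lines are constructed, and the log format is an assumption; a real proxy's format will differ.

```python
"""Edge TLS-inspection policy with a bypass list, plus a log-mining helper
that proposes bypass candidates from interception failures.

Added example for this thread; not code from Sophos, The Register or any
commenter. Hostnames, categories and log lines are constructed, and the
three-field log format is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Ordered bypass rules; first match wins and anything unmatched is decrypted.
# Constructed placeholders, not a recommended production list.
DEFAULT_BYPASS = [
    ("host", "login.bank.example", "regulated: do not inspect credentials"),
    ("suffix", "*.health.example", "regulated: patient data"),
    ("suffix", "*.updates.vendor.example", "certificate-pinned updater"),
    ("category", "financial", "policy: financial category bypassed"),
]


@dataclass
class Decision:
    action: str  # "decrypt" or "bypass"
    reason: str


def decide(sni: str, category: str, rules=DEFAULT_BYPASS) -> Decision:
    """Decide whether the proxy terminates and re-signs this TLS session.

    The SNI is normalised (lower-cased, trailing dot removed) so that a rule
    cannot be dodged by case or an absolute FQDN. Unmatched traffic is
    decrypted: the exception list is the only way out."""
    sni = sni.lower().rstrip(".")
    for kind, pattern, reason in rules:
        if kind == "host" and sni == pattern:
            return Decision("bypass", reason)
        # fnmatchcase: '*' also spans dots, so "*.health.example" covers
        # any depth of subdomain but never the bare "health.example".
        if kind == "suffix" and fnmatchcase(sni, pattern):
            return Decision("bypass", reason)
        if kind == "category" and category == pattern:
            return Decision("bypass", reason)
    return Decision("decrypt", "default: inspect")


# Constructed proxy log: "<client> <sni> <outcome>". "client_abort" means the
# client closed the handshake after the proxy presented its re-signed
# certificate, which is what a pinned application does.
SAMPLE_LOG = """\
10.0.0.5 mail.example ok
10.0.0.5 app.pinned.example client_abort
10.0.0.6 app.pinned.example client_abort
10.0.0.7 app.pinned.example client_abort
10.0.0.7 cdn.example ok
10.0.0.8 flaky.example client_abort
10.0.0.8 flaky.example ok
"""


def exception_candidates(log: str, min_clients: int = 2) -> list[str]:
    """Hosts that several distinct clients abort against and that never
    complete a handshake through the proxy: candidates for the bypass list.
    A host that sometimes succeeds is more likely a network blip than
    pinning, so it is excluded."""
    aborted: dict[str, set[str]] = {}
    succeeded: set[str] = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        client, sni, outcome = parts
        if outcome == "client_abort":
            aborted.setdefault(sni, set()).add(client)
        elif outcome == "ok":
            succeeded.add(sni)
    return sorted(
        host for host, clients in aborted.items()
        if len(clients) >= min_clients and host not in succeeded
    )


if __name__ == "__main__":
    for host, cat in [("login.bank.example", "financial"),
                      ("portal.health.example", "other"),
                      ("news.example", "news")]:
        d = decide(host, cat)
        print(f"{host:28} {d.action:8} {d.reason}")
    print("bypass candidates from log:", exception_candidates(SAMPLE_LOG))
```

The candidate list is only a suggestion for a human to review: every host added to it is a hole in inspection, which is the trade-off the commenter is pointing at.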
-
-
Thursday 22nd April 2021 13:40 GMT Anonymous Coward
Re: It had to happen
PS using stuff like Reddit or Google Docs or Google Calendar or Facebook or even posts in Slack (or IRC!) are all C2 methods I've seen for years and years....
The bad guys will do anything to try and hide their comms, which is why ETDR is a much better way of combatting them than trying to use network tools - and I say that as a network person as much as a security one.
-
-
Wednesday 21st April 2021 20:50 GMT vogon00
Encrypt, Encrypt, Encrypt, Encrypt...
...seems to be the current industry mantra, which is a good thing and a bad thing.
On one hand, I like encryption as it means there is less chance of 'leaking' stuff you really should keep secure (Banking, authentication details, loads of stuff). This is the main benefit for us 'end users', let alone the non-cognoscenti 'Joe Public' who don't know enough to be concerned.
On the other, encryption can be a PITA even at small scale and like all 'security' stuff it can get in the way a bit. My main objection is that people like me can no longer peer into the data stream and figure out how something works and/or what has gone wrong. When encryption wasn't as ubiquitous as it is now, malware was easier to spot as it tried to obfuscate/encrypt what it was doing...which was a 'red flag' back in the day. Now, it's just more encrypted unobservable traffic... Personally, I miss the ability to 'reverse engineer' AKA learn-by-example using Wireshark :-)
Mine is the one with only port 80 in the pocket :-)
Encryption benefits you and the owner of the endpoint you are talking to - and that's it. e.g. only Microsoft/Google/Amazon/Other infrastructure vendor get to see and use the juicy personal data you provide them with, as they have access to the decrypted 'raw' stuff (Unless they sell it on, of course). I'm half tempted to go a bit further and say it only benefits them, not you, as it gives them a 'protected' revenue stream!
-
Wednesday 21st April 2021 23:17 GMT Graham Cobb
Re: Encrypt, Encrypt, Encrypt, Encrypt...
It's just a tool.
Sure, nowadays, all protocols use TLS, whether legitimate, confidential, criminal or just cat pictures. That's a good thing and, more importantly, there is no more point moaning about it than that it snows in winter. It isn't going to go away.
Even without TLS, much data is compressed, which makes it just as hard to see what any particular communication contains.
-
Thursday 22nd April 2021 13:44 GMT Anonymous Coward
Re: Encrypt, Encrypt, Encrypt, Encrypt...
Decrypt it then if you want.... it's fairly simple.
Forward trust certs allow MITM intercept.
As I wrote above, on a small scale, dead easy.... just don't assume it scales so easily ;-) Definitely don't believe glib comments from vendors of gear that does it!!
-