Sophos published today a survey showing an increase in the number of cybercriminals using TLS (the Transport Layer Security protocol) in their attacks to hide the content of their traffic. The report, entitled “Almost half of malware now uses TLS to hide communications,” reveals that the share of malware using TLS-encrypted communications has grown significantly: almost 46% of the malware detected by Sophos from January to March 2021 used TLS, compared with the 23% Sophos reported for the first quarter of 2020.
“Transport Layer Security has been a major contributor to the privacy and security of Internet communications over the past decade. It is used to encrypt and encapsulate content so that it cannot be seen or modified on the way. It is not surprising that malware operators have taken over TLS for the same reasons: to prevent defenders from detecting and stopping the deployment of malware and data theft,” says Sean Gallagher, senior threat researcher at Sophos.
Sophos research shows how the abuse of legitimate services such as Google, Pastebin and Discord is a major contributor to the increased use of TLS by malware. Using these services lets malware authors hide their activity inside traffic to “trusted” sites. In fact, Google Cloud was the single largest source of detected TLS malware communications, in part because of the use of Google Forms and the company’s other document services, as well as cloud storage and websites hosted by Google.
“As a result, we saw impressive growth last year in malware using TLS to hide communications. The most worrying trend we see is the use of TLS-protected commercial cloud and web services, such as Google, Pastebin and Discord, as part of malware deployment and for command and control. However, the sharp increase in the use of TLS by attackers is also influenced by new services and technologies designed to make the implementation of TLS much easier for smaller companies and its integration with standard security and other ready-made tools, as well as application programming interfaces. Professionals urgently need better visibility of encrypted traffic so that they can stop an attack in its early stages, rather than when the devastation becomes visible, such as when the ransomware payload is released,” the researcher adds.
In response to this scenario, Sophos is introducing its new XGS series firewall devices with advanced protection. The new devices feature what the company calls the industry’s best Transport Layer Security (TLS) inspection, including native support for TLS 1.3, and are up to five times faster than other models available on the market today.
With international news agencies