Hackers upping SSL usage for encrypted attacks, communications

Hackers are increasingly turning to secure connections to carry out network breaches and encrypted attacks.

A new report from cloud security vendor Zscaler found that instances of hackers using HTTPS connections were up more than 300% on the year.

The company's annual report, titled "The State of Encrypted Attacks," said that by encrypting the connections among its malware clients and command-and-control servers, cybercriminals can evade detection by network security appliances and software.

"Encryption actually offers multiple benefits to attackers," the Zscaler team explained. "Not only is encrypted traffic less likely to be inspected by security teams, but encrypted files are much harder to fingerprint, allowing malware to slip by undetected."

While the overwhelming majority -- 91% -- of the malicious traffic is due to malware, secure connections are also used on occasion for other types of attacks. Advertising spyware accounts for approximately 7% and phishing attacks made up 1.8% of traffic.

Overall, secured malware traffic was up 212%. Browser exploits increased by 384% on the year, and ad spyware increased by a whopping 435%.

Though attacks over HTTPS were up overall, some types of attacks did see a decrease from their 2020 levels. Cryptomining attacks declined by 20%, while cross-site scripting attacks fell by 61%. Attacks targeting healthcare providers and government agencies also saw a decrease.

Among malware types making use of secure connections, data theft is the most common, particularly the theft of personally identifiable information. Hackers also use the secure connections to shift financial data from corporate networks, while intellectual property theft rounds out the top three.

The report notes that attacks on mobile devices, usually conducted by way of fake or poisoned apps, is an increasingly popular way for attackers to harvest personal data from users and exfiltrate it via SSL.

"After initial infection, many of the new and prevalent mobile malware variants use SSL network communication for their command-and-control activities, including fetching payloads or receiving commands for doing malicious activities and data exfiltration," Zscaler wrote in the report.

With secured connections becoming more common with the latest generation of ransomware, Zscaler argued that companies need to up their investment in monitoring tools capable of spotting these attacks.

"While most organizations have some form of protection against malware, attackers are upping their techniques, creating new malware variants that are able to bypass fingerprinting technologies," Zscaler said.

"Of course, organizations that don't inspect their encrypted traffic won't have visibility into malware -- even well-known malware -- until after it has entered their systems."