Cybersecurity News

SSL-Based Cyberattacks Increase By 260%; Healthcare Most Targeted

The number of cyberattacks leveraging SSL encrypted channels to bypass legacy security controls increased by 260 percent since 2019. And healthcare was the most targeted sector.

healthcare SSL encryption cybercriminals threat actors hidden threats endpoint protection ransomware

By Jessica Davis

- The number of cyberattacks leveraging encrypted channels to bypass legacy security controls has rapidly increased by a staggering 260 percent since 2019, with the healthcare sector as the leading target for these SSL-based attacks, according to a recent ZScaler ThreatLabZ report.

SSL/TLS encryption is the industry-standard method for protecting data in transit and is meant to protect traffic from unauthorized access. However, hackers have hijacked the tool to hide cybercriminal activity, “turning the use of encryption into a potential threat without proper inspection.”

“Cybercriminals know what security experts know: that SSL/TLS encryption is the industry-standard way to protect data in transit,” researchers explained. “Those same cybercriminals use industry-standard encryption methods themselves, devising clever ways to hide malware inside encrypted traffic to carry out attacks that bypass detection.”

In response, ZScaler analyzed the encrypted traffic across its cloud for the first nine months of this year, breaking down its use across each sector. The report is designed to provide insights into the volume of encrypted traffic, as well as the threats hidden within it.

In total, researchers identified and stopped 6.6 billion threats hidden inside encrypted traffic between January and September 2020, for an average of 733 million threats blocked each month.

READ MORE: Required Actions to Prevent Common Ransomware Exploits, Access Points

The monthly average increased 260 per month since 2019, where Zscaler cloud stopped an average of 283 million threats found in encrypted traffic on a monthly basis. The spike was attributed to the rapid adoption of cloud-based collaboration apps amid the COVID-19 crisis.

What’s more, the healthcare sector led the targeted vectors with 1.6 billion encrypted threats identified and blocked, followed by the finance and manufacturing sectors.

Overall, healthcare accounted for 25.5 percent of all advanced threats blocked over encrypted channels in the Zscaler cloud. In comparison, the finance sector accounted for 18.3 percent of all blocked advanced threats, followed by manufacturing with 17.4 percent.

About 84 percent of the attacks on the healthcare sector stemmed from malicious URLs, delivered to victims via email, text messages, pop-ups, and even on-page advertisements. The lures led to downloaded malware, ransomware, spyware, compromised accounts, and other risks.

The sector is typically the most vulnerable to cyberattacks given the prevalence of legacy technologies across the enterprise that are often riddled with known vulnerabilities or lack adequate security controls.

READ MORE: Ransomware Wave Hits Healthcare, as 3 Providers Report EHR Downtime

The data is concerning given the severity of the global health crisis, as threat actors have continued to leverage the pandemic for COVID-19-related attacks, including fake sites, fraud attempts, and other attack methods.

In the first three months of 2020, researchers saw a reported 30,000 percent spike in threats tied to the virus. Hackers created sophisticated attack chains that began with standard phishing emails containing an exploit or hidden malware.

If the user engages with the email, the attack will then move to deploy malware and commonly the exfiltration of valuable data. Zscaler explained that in these attacks, the hackers are also encrypting the exploit or hidden malware, which completely changes the file structure.

As security tools rely on file structure to identify incoming threats, the malicious file will often not be identified as a threat.

The data also revealed that threat actors are increasingly abusing cloud-based file-sharing services: more than 30 percent of all SSL-based attacks hide in collaboration services, including Google Drive, OneDrive, Amazon Web Services (AWS), and Dropbox.

READ MORE: TrickBot Spear-Phishing Campaign Deploys Malware for Remote Access

In total, Zscaler cloud blocked 2 billion threats in encrypted traffic, with the majority of malicious content found to be hosted on AWS, Google, Dropbox, and OneDrive. These threats nearly doubled between March and September, accounting for 30 percent of all SSL/TLS encrypted threats during that period.

“Cybercriminals upload the malware payload (often a stage one downloader file) on one or more services and distribute the URLs as part of an email spam campaign,” researchers explained. “The use of leading services such as Google, Microsoft, Amazon, and Dropbox improve the chances of end users clicking the link.”

“Cybercriminals also take advantage of the wildcard SSL certificates belonging to these service providers,” they added. “If cloud-provider traffic is assumed safe and goes uninspected, it helps bad actors serve malware payloads over encrypted channels and evade URL filtering-based security solutions such as anti-spam, email protection, firewalls, and more.”

Further, ransomware delivered over SSL/TLS channels increased by 500 percent since March, given the rapid adoption of remote work amid the crisis with a focus on industries more susceptible to attacks and likelihood of paying ransom demands.

Healthcare was the second-most targeted industry for ransomware attacks over encrypted channels with 26.5 percent of attacks, compared to 40.5 percent of attacks of the most target sector, technology and communication.

The leading ransomware hacking groups leveraging encrypted channels include FileCrypt/FileCoder, Sodinokibi, Maze, and Ryuk. For most of these groups, data exfiltration is a key tactic designed as an insurance policy for attackers.

Mitigation of these attacks can prove challenging, given the stealthy tactics. As such, “inspecting encrypted traffic must be a key component of every organization’s security defenses.” 

“The problem is that traditional on-premises security tools like next-generation firewalls struggle to provide the performance and capacity needed to decrypt, inspect, and re-encrypt traffic in an effective manner,” researchers explained. “Attempting to inspect all SSL traffic would bring performance (and productivity) to a grinding halt, so many organizations allow at least some of their encrypted traffic to pass uninspected, such as traffic from cloud service providers and others deemed to be ‘trusted.’” 

“This is a critical shortcoming. Failing to inspect all encrypted traffic leaves organizations vulnerable to hidden phishing attacks, malware, and more, all of which could be disastrous,” they added.

Zscaler urged organizations to understand SSL traffic’s shortcomings, including that its traffic is not necessarily secure. Organizations should ensure they’ve employed best practice security policies and procedures, ensuring its internet traffic is encrypted.

Further, administrators should decrypt, detect, and prevent threats in all SSL traffic using a cloud-based proxy architecture able to inspect all traffic for each user. Unknown attacks should be quarantined to stop malware, while all users and locations must have consistent security.

As previously noted to HealthITSecurity.com, healthcare entities should be moving toward a zero trust architecture to prevent lateral movement in attacks.