New Research Identifies Surge in Cybercriminals Using TLS to Carry Out Attacks

Sophos has unveiled new XGS Series firewall appliances featuring Transport Layer Security (TLS) inspection, including native support for TLS 1.3.

“Sophos Firewall XGS Series appliances represent the most significant hardware upgrade that we have ever released, providing huge opportunity for the EMEA market,” said Kevin Isaac, senior vice president at Sophos.

“The last year has seen a dramatic increase in the pace of digital transformation. New and rapidly scaled digital business processes combined with the need to support remote workforces has opened up new areas of risk as well as opportunity. Organizations need powerful, next-generation protection that can defend the organisation and its daily operations against threats such as ransomware and other malware.”

“Security teams can no longer afford to overlook encrypted traffic for fear of breaking something or hurting performance – there’s too much at risk. We’ve completely redesigned the Sophos Firewall hardware to handle the modern encrypted internet. Security teams now have the ability to easily inspect encrypted traffic and shine light on what used to be a black hole, and they can confidently do so without compromising performance,” said Dan Schiappa, chief product officer at Sophos.

Cybercriminals Increasingly Using TLS to Avoid Detection
Sophos has also published new research, “Nearly Half of Malware Now Use TLS to Conceal Communications,” identifying a surge in cybercriminals using TLS in their attacks. The increasingly popular tactic is used by adversaries to encrypt and obfuscate the content of malicious communications to avoid detection as they carry out attacks.

45% of malware detected by Sophos from January through March 2021 used TLS to conceal malicious communications. That’s a staggering rise from the 23% Sophos reported in early 2020. Sophos has also seen an increase in the use of TLS to carry out ransomware attacks in the past year, particularly with manually deployed ransomware. The majority of malicious TLS traffic that Sophos has detected consists of initial-compromise malware, such as loaders, droppers and document-based installers like BazarLoader, GoDrop and ZLoader.

“TLS has undoubtably changed the privacy of internet communications for the better, but for all the good it’s done, it’s also made it much easier for attackers to download and install malicious modules and exfiltrate stolen data – right under the noses of IT security teams and most security technologies,” said Schiappa. “Attackers are taking advantage of TLS-protected web and cloud services for malware delivery and for command and control. Their initial compromise malware is simply the advance guard for major attacks, as they’re setting up camp for the heavy artillery that follows, like ransomware.”

Accelerating Threat Protection
Powered by Sophos Firewall’s Xstream architecture, XGS Series appliances deliver the industry’s best zero-day threat protection, identifying and stopping the most advanced known and potential threats – including ransomware. Protection is fueled by powerful threat intelligence, available only through SophosLabs Intelix and based on petabytes of SophosLabs threat data. Suspicious files are safely detonated in SophosLabs Intelix virtual environments as well as subjected to in-depth static analysis for additional detection coverage and intelligence gathering.

New Xstream Flow Processors within the appliances automatically accelerate trusted traffic, such as software as a service (SaaS), software-defined wide-area network (SD-WAN) and cloud applications, providing maximum headroom for traffic requiring TLS and deep packet inspection. This greatly reduces latency and improves overall performance for important business applications, particularly those using real-time data. Furthermore, the Xstream Flow Processors are software programmable, allowing Sophos to offload additional traffic in the future. Together with the flexibility to enhance and adapt the connectivity on the hardware itself, this protects customers’ hardware investment over its full lifecycle, whilst also protecting their business.
