The 5 Worst Things Attackers Can Do in Your Encrypted Tunnels

February 19, 2019 | Nick Hunter

Analysts estimate that over half of all network attacks leverage encryption. By using forged or compromised keys and certificates, attackers create malicious tunnels into your network where they hide while they conduct surveillance, install malware and ultimately exfiltrate valuable data. This type of attack is particularly nefarious because the tunnels that attackers use appear to contain everyday business communications, unless they are inspected. But let’s face it, how many organizations inspect 100% of their network traffic?
 


The relative vulnerability of encrypted tunnels depends on a variety of factors, such as the security of their protocols, their attributes and an organization’s overall awareness of how tunnels are being used. Below, I’ve outlined the types of encrypted tunnels that cybercriminals most often employ and how they may contribute to an attack.

  1. Use IPsec Tunnels to Gain Initial Access
    Organizations use Internet Protocol Security (IPsec) to create a VPN that secures internet communication across an IP network. Because IPsec tunnels are frequently used to connect a remote site to a central site, they are an ideal infiltration tool for cybercriminals. An IPsec/L2TP tunnel is most often used during the discovery and incursion attack phases: the tunnel is used to gain initial access to an organization, perform reconnaissance and establish a beachhead. This type of attack generally compromises only established VPN endpoints, because creating a new tunnel would require the attacker to penetrate perimeter layer defenses to gain access to the VPN administrative console—a much more technically complex task.
     
  2. Pivot within Site-to-Site VPN Tunnels
    Large organizations use a site-to-site VPN to connect their main location networks to multiple offices and business partners. Because they are the most flexible and adaptable option, they are a perfect tool for moving quickly from site to site within an extended network. Attackers use site-to-site tunnels after they have compromised the initial internal system, as part of the pivot portion of an attack. These tunnels are ideal for the reconnaissance phase of the attack—when attackers are trying to gain access to other network segments or devices. Because of the impact on performance, site-to-site VPN tunnels are rarely inspected, which allows attackers to go undetected while using them.
     
  3. Move Payloads through SSH Tunnels
    The SSH, or Secure Shell, protocol is the most convenient way to administer remote servers and applications. SSH keys are increasingly sought after by attackers because they grant administrators privileged access to applications and systems. By authenticating each machine with stored server and client keys, SSH lets machines connect to each other securely without manually typed credentials. That’s why SSH tunnels are an easy way for attackers to pivot across network segments and devices. They are also ideal for moving malicious payloads undetected between file servers and applications, because attackers can transfer concealed malware in compromised SSH tunnels. Often, SSH tunnels are used to exfiltrate data from a file server because copying files is a routine, automated task used to transfer data between machines, and, since the data is encrypted, it’s thought to be safe.
     
  4. Falsify Machine Identities in SSL and TLS Tunnels
    Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common forms of tunnels. SSL/TLS tunnels provide a secure session from any PC browser to an application server and are used to secure web-based transactions, such as banking or payments. Attackers forge machine identities so that they can mount man-in-the-middle attacks and eavesdrop on encrypted traffic, or they use stolen keys to decrypt a session and steal data from their victims.
     
  5. Create Phishing Sites Using SSL and TLS Tunnels
    Another very common attack is to set up phishing websites, either on the internet or on organizations’ intranets. Attackers use stolen or compromised certificates to establish an identity that the victims’ browsers will trust. The victims connect to the malicious site, establish encrypted sessions and, because they believe they are connected to a trusted machine, begin to send sensitive data to the attackers. Since HTTPS sessions are trusted and are rarely inspected by layered security technologies, these attacks often go undetected.

Any type of encrypted tunnel can be misused in a cyber attack. Virtual Private Networks (VPNs) are the most recognizable example of encrypted tunnels and are understood to be vulnerable, but many organizations do not realize that SSL/TLS and SSH tunnels are also susceptible. As a result, most organizations don’t provide adequate oversight for the full range of tunnels that travel into and out of their networks. Does yours?
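
As an added illustration (not from the post or from Venafi), the following Python sketch shows the kind of oversight the conclusion calls for: every observed tunnel, whether TLS, SSH or IPsec, is compared against an approved inventory of endpoints and the machine identities they should present, and anything unknown, mismatched or reached from an unexpected client is flagged for review. All hosts, fingerprints and session records are constructed, and the sensor that would produce such records is assumed, not shown.

```python
"""Flag encrypted tunnels that do not match an approved machine-identity inventory."""

# Approved inventory (constructed): (protocol, destination) -> identity the peer
# must present. For TLS that is the server certificate fingerprint, for SSH the
# host key fingerprint, for IPsec the configured IKE identity of the peer gateway.
INVENTORY = {
    ("tls", "pay.example.internal"): "sha256:AAA111",
    ("ssh", "files.example.internal"): "SHA256:bbb222",
    ("ipsec", "vpn-gw.example.internal"): "ike-id:branch-1",
}

# Hosts permitted to open SSH sessions at all (constructed admin jump host).
SSH_ALLOWED_SOURCES = {"jump01.example.internal"}

# Constructed observations standing in for what a TLS/SSH/flow sensor would log.
SESSIONS = [
    {"proto": "tls", "src": "ws42", "dst": "pay.example.internal", "identity": "sha256:AAA111"},
    {"proto": "tls", "src": "ws42", "dst": "pay.example.internal", "identity": "sha256:ZZZ999"},
    {"proto": "ssh", "src": "jump01.example.internal", "dst": "files.example.internal", "identity": "SHA256:bbb222"},
    {"proto": "ssh", "src": "ws42", "dst": "files.example.internal", "identity": "SHA256:bbb222"},
    {"proto": "ipsec", "src": "branch-1", "dst": "vpn-gw.example.internal", "identity": "ike-id:branch-1"},
    {"proto": "tls", "src": "ws42", "dst": "pay-examp1e.internal", "identity": "sha256:CCC333"},
]


def review_tunnels(sessions, inventory=INVENTORY, ssh_sources=SSH_ALLOWED_SOURCES):
    """Return (finding, session) pairs for tunnels that deserve inspection."""
    findings = []
    for s in sessions:
        expected = inventory.get((s["proto"], s["dst"]))
        if expected is None:
            # Nobody recorded this endpoint: an unsanctioned tunnel, or a
            # look-alike host such as a phishing site.
            findings.append(("unsanctioned tunnel to unknown endpoint", s))
        elif s["identity"] != expected:
            # Right endpoint, wrong identity: a forged certificate or an interposed
            # machine, unless a key was rotated without updating the inventory.
            findings.append(("identity mismatch for known endpoint", s))
        if s["proto"] == "ssh" and s["src"] not in ssh_sources:
            # A valid host key reached from an unexpected client suggests
            # stolen SSH credentials being used to pivot.
            findings.append(("ssh session from non-admin source", s))
    return findings


if __name__ == "__main__":
    for finding, session in review_tunnels(SESSIONS):
        print(f"{finding}: {session['src']} -> {session['dst']} ({session['proto']})")
```

Run against the constructed records, the check reports three of the six sessions; the matching TLS, SSH and IPsec sessions pass silently.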
 


About the author

Nick Hunter

Nick Hunter is an accomplished infosec leader with proven performance in driving revenue through successful strategy, enablement, pre-sales, and marketing. He was formerly Sr. Technical Marketing Manager and Product Manager at Venafi.