
Zscaler: Encrypted Attacks Increased by a Stunning 260%

June 28, 2021 | Anastasios Arampatzis

In the most recent Zscaler report, “2020 State of Encrypted Attacks,” covering January to September of last year, it was revealed that SSL/TLS encryption is increasingly being leveraged by cybercriminals. ThreatLabZ, Zscaler’s research team, uncovered uncomfortable encryption trends such as encryption hiding in malware, abuse of cloud storage, and a rise in mobile attacks. The report scrutinizes the attack chain and provides an analysis on browser exploits, ransomware and malware. At the end of this report, suggestions for preventing encryption threats are put forth.

ThreatLabZ collects this data from enterprise traffic and the over 120 billion daily transactions crossing the Zscaler cloud platforms.

What last year taught us about encryption threats

Zscaler analyzed encrypted traffic across their cloud environment for the first nine months of 2020 to identify hidden encryption attack trends. Their findings are summarized below:

  • 80% of all internet traffic is now encrypted
  • 260% increase in SSL-based threats, driven by increased use of collaboration applications due to Covid-19
  • Healthcare is the #1 most targeted industry
  • 30% of SSL-based attacks hide in cloud-based file-sharing services (AWS, GoogleDrive, OneDrive, Dropbox)
  • A 5-times increase in encrypted ransomware attacks

Encrypting traffic with SSL/TLS is becoming standard practice for cybercriminals, just as it is for ordinary internet users. Adversaries gain two main advantages from using SSL encryption to mask their malicious actions:

  1. Malware can hide undetected in an encrypted file.
  2. The malware itself can be encrypted to alter its “fingerprint” and pass by traditional cybersecurity models undetected.

As the rate of encrypted SSL/TLS attacks rises exponentially, it is virtually impossible to catch all nefarious traffic passing over a corporate network. That is why it is important to transition away from traditional security models such as next-generation firewalls and adopt a more agile method of decrypting, inspecting and re-encrypting the data that passes over our networks. At this time, many enterprises are not equipped to do so, but there are solutions.

Encryption attack trends

  • Healthcare sector targeted
    SSL/TLS attacks have increased across all industries, but none so much as healthcare. This is due largely to the presence of legacy systems, still in use due to lengthy FDA approval times, which lack centralized visibility, policy enforcement and security controls—leaving the systems open to attack. Out of over 1.69 billion encrypted attacks within the healthcare industry analyzed in this report, 84.2 percent utilized malicious URLs. Following this were IPS blocks (7.6%), botnet attacks (3.8%), phishing schemes (2.8%) and spyware/adware attacks (1.4%).
  • More sophisticated threats
    One reason contributing to the success of URL attacks is the sophistication employed by cybercriminals in disguising their websites to look like real ones. They are increasingly using homograph attacks (replacing an “I” with a “1” such as in “”) and domain squatting, registering one of these fake, but similar, domains to deliver malware and serve as vehicles for attack. We also know that the use of SSL/TLS encryption among malicious sites is becoming almost ubiquitous, requiring continuous monitoring and automated security controls to keep up.
  • Cloud storage attacks
    Attackers are leveraging the fact that enterprises don’t have the bandwidth to scan all encrypted traffic and therefore often “trust” all incoming traffic from major cloud service providers. The presence of wildcard certificates makes this all the more possible. One method of attack is to drop a downloader file full of malware into a cloud service and email out the URLs in a spam campaign. Because attackers are entering the trust-chain at such a high level, their malicious URLs (“sent” from trusted cloud providers) defy typical email security measures such as firewalls and anti-spam. Last year, 2 billion SSL threats originating from cloud service providers were blocked by Zscaler alone within a 6-month period.
  • Mobile attacks
    Mobile attacks are on the rise as cybercriminals impersonate apps, or even the app store, to create fake applications people will trust. By simply hitting “Accept” as so many of us carelessly do, users often allow permissions to be given to a sinister program which then can scan legitimate applications for credentials—such as your banking apps, email and two-factor authentication. It then exfiltrates this data and often implants itself further, installing additional malware and making itself difficult—or impossible—to revoke or uninstall.
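
The lookalike domains described under “More sophisticated threats” above (character swaps such as “1” for “I”, and squatted near-miss names) can be screened for in proxy or DNS logs. The Python below is an added example, not code from the Zscaler report or from Venafi; the watchlist, the character-folding table and the hostnames it is run on are constructed assumptions.

```python
import codecs

# Constructed watchlist of protected names (assumption); use your own brands.
WATCHLIST = ("microsoft", "paypal")

# Visually similar characters folded to one representative (constructed table):
# digit/letter swaps plus a few Cyrillic letters that render like Latin ones.
FOLD = {"1": "l", "i": "l", "|": "l", "0": "o", "5": "s",
        "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def to_unicode(label):
    """Decode a punycode (xn--) label so hidden homoglyphs become visible."""
    if label.startswith("xn--"):
        try:
            return codecs.decode(label[4:].encode("ascii"), "punycode")
        except (UnicodeError, ValueError):
            return label
    return label

def skeleton(label):
    """Fold confusable characters, then the 'rn' digraph that reads as 'm'."""
    return "".join(FOLD.get(ch, ch) for ch in label.lower()).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character squatted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname):
    """Return (verdict, brand): 'homograph', 'typosquat' or ('ok', None)."""
    for raw in hostname.lower().rstrip(".").split("."):
        label = to_unicode(raw)
        for brand in WATCHLIST:
            if label == brand:
                continue  # the genuine name itself is not a lookalike
            if skeleton(label) == skeleton(brand):
                return ("homograph", brand)
            if edit_distance(label, brand) == 1:
                return ("typosquat", brand)
    return ("ok", None)

def scan(hostnames):
    """Map each flagged hostname (e.g. from proxy or DNS logs) to its verdict."""
    return {h: v for h in hostnames if (v := classify(h))[0] != "ok"}
```

A label that equals a watchlist name exactly is skipped, so a brand used as a subdomain of an unrelated registrable domain needs a separate check against the public suffix list.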

Analyzing the attack chain

Several of the most prevalent methods of attack were marked and analyzed in Zscaler’s report: phishing, corporate phishing, browser exploits, ransomware and malware.

  • Phishing
    Over 193 million phishing attempts were caught by Zscaler alone between January and September 2020, with manufacturing being the hardest hit. This is due, in part, to the weakness of having different IT infrastructures at different facilities. Nearly 40% of all phishing attempts during that period were targeted towards manufacturing.
  • Corporate phishing
    Just as companies “trust” major cloud service providers, consumers trust large name-brands - and cybercriminals take advantage of that trust. They will spin up fake websites, direct you to them via email scams and steal your credentials. “Tech support” ploys are popular, and the most phished brand, according to Zscaler, was Microsoft.
  • Browser exploits
    Attackers manipulate weaknesses in an OS to alter browser settings without the knowledge of the user. Over 658,000 browser attacks were blocked last year, with manufacturing and finance being the top two targets. As stated in the report, “[a]s in other industries, without unified controls and centralized visibility and policy enforcement, security is incomplete and cybercriminals continue to exploit these holes.”
  • Ransomware
    A new trend has emerged recently among ransomware attacks. Before encrypting the pilfered data, the ransomware will now exfiltrate the data unchanged, as a true data hostage. The theory is that even if enterprises have sufficient backups to mitigate the attack, a ransom will be paid to keep information confidential.
  • Malware
    Emotet and TrickBot were the two most prevalent malware families flagged by Zscaler last year, with over 2.6 billion malware attacks blocked worldwide. This is by far the most prevalent form of encrypted attack, with the benefit of longevity, as installed malware can lie dormant (retaining command-and-control ability) until it receives a further command to exfiltrate data and execute malicious attacks with continuous access to the user’s system.

Preventing encrypted threats

What can be done to stem the tide of rising encrypted attacks? The Zscaler report offers several helpful suggestions:

  • Inspect all encrypted traffic for every user, as encrypted threats can lie undetected and pass over overwhelmed and incomplete security controls.
  • Utilize AI-driven quarantine measures to detain suspicious payloads for analysis. This trumps older firewall-based approaches.
  • Create a uniform security control strategy across all locations, users and devices.
  • Operate under a zero-trust model to eliminate lateral movement, establish role-based access and limit your attack surface by making apps invisible to attackers.

In addition, security control measures that can perform at scale and employ default automation are becoming increasingly necessary to fend off attacks. Cybercriminals are taking advantage of every available threat vector and exploiting the weaknesses of legacy strategies that rely on manual processes, outdated firewalls and non-cloud-native security solutions.

The Zscaler report suggests a “multilayered, defense-in-depth strategy that fully supports SSL inspection” to fully protect your enterprise from lurking encrypted threats. However, blind spots in encrypted traffic impact the security controls that businesses depend on to protect themselves.

It is essential for organizations to inspect cloud SSL/TLS traffic to protect against threats utilizing encrypted traffic. But to do this at scale, you’ll need to orchestrate the TLS machine identities to make them readily available to the TLS inspection system for decryption. So, proper machine identity management is a must. Without proper visibility, many security solutions are useless against the increasing number of attacks hiding in encrypted traffic. For maximum protection, you must have full visibility into all of your machine identities and automate as much as possible.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
