Let’s Encrypt Now Being Abused By Malvertisers

University
College
Course
Computer Science
Pages

3

Academic year

2020
Author

anon
Views

7

Let’s Encrypt Now Being Abused By Malvertisers Encrypting all HTTP traffic has long been considered a key security goal, but there have been two key obstacles to this. First, certificates are not free and many owners are unwilling to pay; secondly the certificates themselves are not always something that could be set up by a site owner. The Let’s Encrypt project was founded with the goal of eliminating these obstacles. The project’s goal is to provide free certificates to all site owners; in addition, software could be set up on a web server to make the process as automated as possible. It is backed by many major Internet companies and non-profit organizations – Akamai, Cisco, the Electronic Frontier Foundation (EFF), Facebook, and Mozilla to name a few. Let’s Encrypt only issues domain-validated certificates and not extended validation (EV) certificates, which include additional checks regarding the identity of the site owner. Unfortunately, the potential for Let’s Encrypt being abused has always been present. Because of this, we have kept an eye out for malicious sites that would use a Let’s Encrypt certificate. Starting on December 21, we saw activity going to a malvertising server, with traffic coming from users in Japan. This campaign led to sites hosting the Angler Exploit Kit, which would download a banking Trojan (BKDR_VAWTRAK.AAAFV) onto the affected machine. Figure 1. Daily hits to malvertising server We believe that this attack is a continuation of the same malvertising campaign we first identified in September that also targeted Japanese users. How was this attack carried out? The malvertisers used a technique called “domain shadowing”. Attackers who have gained the ability to create subdomains under a legitimate domain do so, but the created subdomain leads to a server under the control of the attackers. In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site. Note that we are disguising the name of this site until its webmasters are able to fix this problem appropriately Traffic to this created subdomain was protected with HTTPS and a Let’s Encrypt certificate, as shown below: Figure 2. Let’s Encrypt SSL certificate The domain hosted an ad which appeared to be related to the legitimate domain to disguise its traffic. Parts of its redirection script have also been moved from a JavaScript file into a .GIF file to make identifying the payload more difficult. Anti-AV code similar to what we found in the September attack is still present. In addition, it uses an open DoubleClick redirect – a tactic previously discussed by Kafeine of Malware don’t need Coffee. Figure 3. Code used by malvertising Any technology that is meant for good can be abused by cybercriminals, and Let’s Encrypt is no exception. As a certificate authority ourselves we are aware of how the SSL system of trust can be abused. Cases like this one where an attacker is able to create subdomains under a legitimate domain name demonstrate a problem. A certificate authority that automatically issues certificates specific to these subdomains may inadvertently help cybercriminals, all with the domain owner being unaware of the problem and unable to prevent it. These DV certificates can help the hacker gain legitimacy with the public. Let’s Encrypt only checks domains that it issues against the Google safe browsing API; in addition, they have stated that they do not believe CAs should act as a content filter. Security on the infrastructure is only possible when all critical players – browsers, CAs, and anti-virus companies – play an active role in weeding out bad actors. CAs should be willing to cancel certificates issued to illicit parties that have been abused by various threat actors. Website owners should ensure that they secure their own website control panels, to ensure that new subdomains beyond their control are not created without their knowledge. Users should also be aware that a “secure” site is not necessarily a safe site, and we also note that the best defense against exploit kits is still keeping software up-to-date to minimize the number of vulnerabilities that may be exploited.

Comments

Please or to post comments

Let’s Encrypt Now Being Abused By Malvertisers

Let’s Encrypt Now Being Abused By Malvertisers

Encrypting all HTTP traffic has long been considered a key security goal, but

there have been two key obstacles to this. First, certificates are not free and many
owners are unwilling to pay; secondly the certificates themselves are not always
something that could be set up by a site owner.

The Let’s Encrypt project was founded with the goal of eliminating these

obstacles.  The  project’s  goal  is  to  provide  free  certificates  to  all  site  owners;  in
addition, software could be set up on a web server to make the process as automated
as  possible.  It  is  backed  by  many  major  Internet  companies  and  non-profit
organizations – Akamai, Cisco, the Electronic Frontier Foundation (EFF), Facebook,
and Mozilla to name a few. Let’s Encrypt only issues domain-validated certificates
and  not  extended  validation  (EV)  certificates,  which  include  additional  checks
regarding the identity of the site owner.

Unfortunately, the potential for Let’s Encrypt being abused has always been

present. Because of this, we have kept an eye out for malicious sites that would use
a Let’s Encrypt certificate. Starting on December 21, we saw activity going to a
malvertising server, with traffic coming from users in Japan. This campaign led to
sites hosting the Angler Exploit Kit, which would download a banking Trojan
(BKDR_VAWTRAK.AAAFV) onto the affected machine.

Figure 1. Daily hits to malvertising server

We believe that this attack is a continuation of the same malvertising campaign
we first identified in September that also targeted Japanese users.

How was this attack carried out? The malvertisers used a technique called

“domain shadowing”. Attackers who have gained the ability to create subdomains
under a legitimate domain do so, but the created subdomain leads to a server under
the control of the attackers. In this particular case, the attackers created
ad.{legitimate domain}.com under the legitimate site. Note that we are disguising
the name of this site until its webmasters are able to fix this problem appropriately

Traffic to this created subdomain was protected with HTTPS and a Let’s

Encrypt certificate, as shown below:

Figure 2. Let’s Encrypt SSL certificate

The domain hosted an ad which appeared to be related to the legitimate

domain to disguise its traffic. Parts of its redirection script have also been moved
from a JavaScript file into a .GIF file to make identifying the payload more
difficult. Anti-AV code similar to what we found in the September attack is still
present. In addition, it uses an open DoubleClick redirect – a tactic previously
discussed by Kafeine of Malware don’t need Coffee.

Figure 3. Code used by malvertising

Any technology that is meant for good can be abused by cybercriminals, and

Let’s Encrypt is no exception. As a certificate authority ourselves we are aware of
how the SSL system of trust can be abused. Cases like this one where an attacker is
able to create subdomains under a legitimate domain name demonstrate a problem.
A certificate authority that automatically issues certificates specific to these
subdomains may inadvertently help cybercriminals, all with the domain owner
being unaware of the problem and unable to prevent it. These DV certificates can
help the hacker gain legitimacy with the public.

Let’s Encrypt only checks domains that it issues against the Google safe

browsing API; in addition, they have stated that they do not believe CAs should act
as a content filter. Security on the infrastructure is only possible when all critical
players – browsers, CAs, and anti-virus companies – play an active role in weeding
out bad actors.

CAs should be willing to cancel certificates issued to illicit parties that have

been abused by various threat actors. Website owners should ensure that they
secure their own website control panels, to ensure that new subdomains beyond
their control are not created without their knowledge. Users should also be aware
that

“secure” site is not necessarily a safe site, and we also note that the best

defense against exploit kits is still keeping software up-to-date to minimize the
number of vulnerabilities that may be exploited.