Threats delivered over encrypted channels continue to rise
January 6, 2025


Encryption is the default setting for online communications, and almost all Internet traffic is protected by security protocols such as TLS/SSL. However, as encryption becomes more common, the opportunities for threat actors to exploit encrypted channels increase.

The same encryption that protects legitimate activity also serves as a conduit for malicious activity. Attackers use encrypted channels to bypass traditional defenses and hide malware, phishing campaigns, cryptomining/cryptojacking, and data theft within encrypted traffic.

The Zscaler ThreatLabz 2024 Encrypted Attacks Report examines this evolving threat landscape based on a comprehensive analysis of billions of threats delivered over HTTPS and blocked in the Zscaler cloud. The report highlights the latest trends, the major threat categories, the most common targets of encrypted attacks, and additional insights into how attackers are weaponizing encrypted traffic.

5 important findings about encrypted attacks

The ThreatLabz research team analyzed 32.1 billion encrypted attacks blocked by the Zscaler cloud between October 2023 and September 2024 to identify and understand the latest threat patterns. The following findings highlight some of the most prominent trends and targets.

1. Encrypted attacks are growing steadily: During the analysis period, the Zscaler cloud blocked an unprecedented number of attacks embedded in TLS/SSL traffic. Encrypted threats accounted for 87.2% of all blocked attacks, and encrypted attacks increased by 10.3% year over year, reflecting threat actors’ growing reliance on encryption to hide their malicious activities.

2. Malware dominates: Malware remains the most prevalent encrypted threat, accounting for 86.5% of blocked attacks. This trend shows how malware tactics have adapted to thrive in encrypted channels, using encryption to mask payloads and evade traditional security and detection measures.


Figure 1: Main threat categories observed

3. Cryptomining/cryptojacking, cross-site scripting and phishing threats surge: Cryptomining/cryptojacking and cross-site scripting (XSS) are the fastest-growing encrypted threats, with year-on-year growth of 122.9% and 110.2% respectively, while phishing increased significantly by 34.1%. These spikes may be driven by the increasing use of generative AI, which makes it easier to create advanced cryptocurrency mining scripts, automate malicious XSS scripts, and run highly convincing phishing campaigns.

4. Manufacturing tops the list of most-affected industries: Manufacturing, technology, and services are the most attacked industries, with manufacturing alone suffering 13.5 billion encrypted attack attempts between October 2023 and September 2024.

5. The United States and India remain top targets: During the period analyzed by ThreatLabz, the United States and India received 11 billion (US) and 5.4 billion (India) encrypted attacks respectively, maintaining their status as the most targeted countries, followed by France, the United Kingdom, and Australia.


Figure 2: Map of the countries receiving the most encrypted attacks

Evolving encrypted attack trends

ThreatLabz has identified a number of important evolving trends in encrypted attacks, from attackers leveraging encrypted channels to steal sensitive data to adversary-in-the-middle (AiTM) phishing kits that combine advanced tooling with TLS/SSL encryption to create nearly undetectable phishing campaigns. The report provides examples of each.

One notable trend explored in detail by ThreatLabz is the increasing abuse of cloud services by advanced persistent threat (APT) groups. By blending in with legitimate cloud service traffic, which uses TLS/SSL encryption by default, APT groups can evade network security controls. ThreatLabz examines this trend in depth, providing detailed analysis including:

  • Top APT groups abusing cloud services
  • Top 10 most abused cloud services
  • Top services abused for payload delivery
  • The most common tactics used in cloud service abuse

How Zscaler blocks encrypted threats

The Zscaler Zero Trust Exchange provides powerful capabilities to stop encrypted threats, starting with eliminating blind spots through full TLS/SSL inspection and AI-driven defenses. Here’s how Zscaler combats encrypted threats at every stage of an attack.

Minimize the attack surface: Uninspected encrypted connections, such as those through VPNs or exposed workloads, expand the attack surface and allow attackers to hide in plain sight. Zscaler removes this attack surface by making applications and services invisible to the network. This prevents encrypted threats from reaching critical applications and systems and provides proactive protection that does not rely on shared network access.

Prevent initial compromise: Zscaler Internet Access™ (ZIA) performs full TLS/SSL inspection to inspect every connection and block hidden threats without sacrificing performance. ZIA’s inspection capabilities leverage AI-driven analysis and inline detection to quickly identify and block sophisticated threats in encrypted traffic. This approach eliminates the need for traditional resource-intensive hardware appliances, allowing organizations to keep pace with encrypted traffic growth without disruption.

Eliminate lateral movement: Once an attacker gains access, they often move laterally within the network. Zscaler prevents this through zero-trust segmentation and the AI-driven, context-aware policies of Zscaler Private Access™ (ZPA). ZPA enforces granular access control, restricting users to specific applications based on identity, context, and policy. This replaces complex rule-based network segmentation with simplified, identity-based access control. Additionally, Zscaler uses deception techniques, deploying decoys to detect and block lateral movement attempts hidden in encrypted traffic.

Block command-and-control callbacks: Malware often relies on encrypted channels to communicate with C2 servers, allowing attackers to execute commands, download additional malware, or steal sensitive data. ZIA inspects outbound (northbound) and inbound (southbound) encrypted traffic to disrupt C2 communications. Zscaler’s AI-driven data loss prevention tools detect and block malicious traffic, prevent sensitive data from being exfiltrated, and stop encrypted C2 callbacks from compromising the network.

Case study: Learn how Wipro used Zscaler to block 8.2 million encrypted threats in one quarter

By replacing traditional firewalls and VPNs with Zscaler, Wipro strengthened its defenses with inline TLS/SSL inspection of all Internet and SaaS traffic to detect and block encrypted threats. Read their story here.

Why comprehensive TLS/SSL inspection is important

The foundation of Zscaler’s defense against encrypted threats is its complete TLS/SSL inspection capability, enabled by a scalable proxy-based architecture. Unlike traditional hardware-based solutions that force organizations to trade off security against speed, Zscaler’s cloud-native approach allows organizations to inspect traffic comprehensively at scale through its single-scan, multi-action engine, which processes traffic once and applies multiple security controls simultaneously. This helps organizations:

  • Inspect 100% of encrypted traffic: Unlike solutions that only inspect a small portion of encrypted traffic due to hardware limitations, Zscaler’s cloud-native architecture ensures that every packet is inspected without exception.
  • Layer advanced security controls: Inline, AI-driven security controls detect and block threats embedded in encrypted traffic.
  • Maintain high performance: Zscaler’s architecture eliminates bottlenecks typically associated with hardware devices.


Staying ahead of encrypted threats

The findings in the ThreatLabz 2024 Encrypted Attacks Report make clear that threat actors are constantly evolving, using encryption and AI technologies to evade detection and maximize their impact.

Dive into the latest research and learn more about how to stay ahead of encrypted threats. The full report provides:

  • In-depth analysis: Detailed findings and case studies on how attackers exploit encryption.
  • Predictions for 2025: Expert insights into the evolving encrypted threat landscape.
  • Actionable best practices: A practical checklist for improving your defenses against encrypted attacks.

Protect your organization from encrypted threats. Get your copy of the report today.

2024-12-20 18:28:19
