Evasion of detection mechanisms used by security companies has always been a goal for cybercriminals. And it seems they have found a new way to improve these efforts. The new method is based on SSL/TLS signature randomization, and is given the name cipher stunting.
Cipher Stunting – How Does It Work?
The new technique was observed by Akamai researchers who presented their findings in a blog post. The cipher stunting technique has become a “growing threat” since it first emerged in early 2018. Shortly said, cybercriminals are randomizing SSL/TLS signatures in their attempt to evade detection.
“Over the last few months, attackers have been tampering with SSL/TLS signatures at a scale never before seen by Akamai”, the researchers noted.
The TLS fingerprints that Akamai observed before Cipher Stunting could be counted in the tens of thousands. Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions.
More specifically, from 18,652 distinct fingerprints observed globally by Akamai in August 2018, after TLS tampering campaigns first started appearing in the beginning of September last year, the number reached the staggering 255 million instances in October. The increase came after a range of attacks against airlines, banking, and dating websites, which are often targets for credential stuffing attacks and content scraping. These numbers later grew to 1,355,334,179 billion instances detected at the end of February 2019.
Why is fingerprinting important?
Observing the way clients behave during the establishment of a TLS connection is beneficial for fingerprinting purposes so we can differentiate between attackers and legitimate users. When we conduct fingerprinting, we aim to select components of the negotiation sent by all clients. In the case of SSL/TLS negotiations, the ideal component for fingerprinting is the ‘Client Hello’ message that is sent via clear text, and is mandatory for each handshake.
The main goal of fingerprinting is to differentiate between legitimate clients and impersonators, proxy and shared IP detection, and TLS terminators.
It should be noted that “the traffic observed pushing many of the TLS changes with Client Hello came from scrapers, search and compare bots.”
In August 2018, Akamai observed 18,652 distinct fingerprints globally (0.00000159% of all potential fingerprints). Several of those fingerprints are present in more than 30% of all Internet traffic alone, and are attributed mostly to common browser and operating system TLS client stacks. At the time, there was no evidence of any tampering with Client Hello or any other fingerprint component.
Things changed in September 2018, when the researchers first noticed TLS tampering carried out via cipher randomization across several verticals. And as already mentioned earlier in the article, towards the end of February the TLS tampering jumped nearly 20% to 1,355,334,179 billion.
This growth makes the ability to have deep visibility into the Internet’s traffic more important than ever, the researchers concluded.