Cipher Stunting: a new method for evasion of detection mechanisms

Akamai researchers have identified a new method of evading the detection mechanisms used by security companies, which is a primary goal for cybercriminals. Named Cipher Stunting, it is based on SSL/TLS signature randomization and was first observed in early 2018.

“Over the last few months, attackers have been tampering with SSL/TLS signatures at a scale never before seen by Akamai”, the researchers noted.

“The TLS fingerprints that Akamai observed before Cipher Stunting could be counted in the tens of thousands. Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions.”

To put the figures in context: Akamai observed 18,652 distinct fingerprints in August 2018. After the TLS tampering campaigns began in September of that year, the count reached 255 million in October. The surge came from a range of attacks against airline, banking and dating websites, which are also prime targets for credential and content theft. By the end of February this year, the count had grown to 1,355,334,179 (over 1.3 billion).

Fingerprints are important

“Observing the way clients behave during the establishment of a TLS connection is beneficial for fingerprinting purposes so we can differentiate between attackers and legitimate users. When we conduct fingerprinting, we aim to select components of the negotiation sent by all clients. In the case of SSL/TLS negotiations, the ideal component for fingerprinting is the ‘Client Hello’ message that is sent via clear text, and is mandatory for each handshake.”

Fingerprinting helps distinguish legitimate clients from impersonators, detect proxies and shared IP addresses, and identify TLS terminators.

“the traffic observed pushing many of the TLS changes with Client Hello came from scrapers, search and compare bots.”

In August 2018, Akamai observed 18,652 distinct fingerprints globally (0.00000159% of all potential fingerprints). Several of those fingerprints are present in more than 30% of all Internet traffic alone, and are attributed mostly to common browser and operating system TLS client stacks. At the time, there was no evidence of any tampering with Client Hello or any other fingerprint component.

With TLS tampering carried out through cipher randomization, that changed: as the article notes, by February 2019 the fingerprint count had jumped nearly 20% over the September 2018 figure, to 1,355,334,179 (over 1.3 billion).
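The following added example (not Akamai's code or data) shows why reordering the cipher suites in a Client Hello defeats a naive fingerprint, and one defensive counter-measure: the parser extracts the version, cipher suites and extension types from a constructed ClientHello handshake message, builds a JA3-style digest (SHA-256 here, an assumption), and optionally sorts the lists first so that ordering alone cannot mint a new fingerprint.

```python
import hashlib
import struct
from typing import List, Tuple

def build_client_hello(ciphers: List[int], ext_types: List[int]) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello handshake message (not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # client_version, random, empty session_id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites vector
    body += b"\x01\x00"                                  # compression_methods: [null]
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)  # extensions with empty bodies
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello(1), 3-byte length

def parse_client_hello(msg: bytes) -> Tuple[int, List[int], List[int]]:
    """Extract (client_version, cipher_suites, extension_types) from a ClientHello handshake message."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = int.from_bytes(body[:2], "big")
    pos = 2 + 32                                         # skip version and random
    pos += 1 + body[pos]                                 # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression_methods
    ext_types: List[int] = []
    if pos < len(body):                                  # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(etype); pos += 4 + elen
    return version, ciphers, ext_types

def fingerprint(msg: bytes, order_sensitive: bool = True) -> str:
    """JA3-style digest of the negotiation offer. With order_sensitive=False the suite and
    extension lists are sorted first, so reordering alone no longer yields a new fingerprint."""
    version, ciphers, exts = parse_client_hello(msg)
    if not order_sensitive:
        ciphers, exts = sorted(ciphers), sorted(exts)
    raw = f"{version},{'-'.join(map(str, ciphers))},{'-'.join(map(str, exts))}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

if __name__ == "__main__":
    # Same client stack, same suites, only the order differs between the two offers.
    hello_a = build_client_hello([0xC02B, 0xC02F, 0x009C], [0, 10, 11, 13])
    hello_b = build_client_hello([0x009C, 0xC02F, 0xC02B], [0, 10, 11, 13])
    print("order-sensitive :", fingerprint(hello_a), fingerprint(hello_b))               # differ
    print("order-normalized:", fingerprint(hello_a, False), fingerprint(hello_b, False))  # match
```

The normalized digest is a coarser key that also discards the stable ordering real browser stacks exhibit, so it is best used alongside the exact fingerprint, for example by counting how many distinct exact fingerprints a single source presents over a short window.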