
Digital Attackers Using New ‘Cipher Stunting’ Technique to Evade Detection

May 20, 2019 | David Bisson

Digital attackers are using a new technique called “cipher stunting” to improve the chances of their campaigns evading detection. And the use of this nefarious technique has skyrocketed over the past few months.

According to Akamai, bad actors began using this tactic in early 2018. They’ve since leveraged the approach, which involves randomizing SSL/TLS signatures, to target airlines, banking institutions and dating websites.

 


The content delivery network (CDN) discovered the approach by relying on its fingerprinting experience within the context of an SSL/TLS negotiation. Fingerprinting this type of connection is useful, as security researchers can use it to differentiate between legitimate users and attackers. Towards this end, Akamai decided to specifically focus on the “Client Hello” message that a client must send to a server in cleartext in order to initiate an SSL/TLS handshake.

[Figure omitted. Source: Akamai]

Overall, Akamai found that the use of cipher stunting jumped abruptly in the summer of 2018. In August, the CDN discovered 18,652 distinct fingerprints globally. Several of those fingerprints were present in 30 percent of Internet traffic, with most resulting from web browsers. There was no evidence of “Client Hello” tampering at that time.

That changed a month later. By then, Akamai had begun seeing numerous tampering attempts across several different verticals. In many of those cases, malefactors used a Java-based tool to present randomized cipher suites in their “Client Hello” messages, which in turn randomized the resulting fingerprint hashes.

These tampering numbers skyrocketed to 255 million by October 2018. By February 2019, they had grown to over a billion at 1,355,334,179.

Reflecting on these findings, Akamai doesn’t discount the ingenuity of digital criminals for a second. As quoted in its research:

“The key lesson here is that criminals will do whatever they can to avoid detection and keep their schemes going. The ability to have deep visibility over time into the Internet's traffic comes into play when dealing with these evolving evasion tactics.”

To defend against cipher stunting, organizations should consider investing in a monitoring tool that can use historical data to detect evasive attacks, including those involving TLS/SSL connections. Organizations should also take the added step of bolstering the security of their encryption assets so that bad actors can’t use them in their attack campaigns. With that in mind, organizations should look to a tool that can automatically monitor their entire encryption environment for signs of misuse.
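One way to apply Client Hello fingerprinting over historical data, as an added example that is not code from this article or from Akamai's research: it hashes each Client Hello and flags sources whose fingerprint changes on most connections. The fingerprint scheme (a truncated SHA-256 over version, cipher list and extension list), the thresholds and the sample traffic are all assumptions made for illustration.

```python
import hashlib
import random
from collections import defaultdict


def fingerprint(version, ciphers, extensions):
    """Hash the Client Hello fields in the order sent (assumed, JA3-like scheme)."""
    fields = [str(version), "-".join(map(str, ciphers)), "-".join(map(str, extensions))]
    return hashlib.sha256(",".join(fields).encode()).hexdigest()[:16]


def find_stunting_sources(hellos, min_hellos=20, max_ratio=0.5):
    """Return {source: (distinct_fingerprints, hellos)} for sources whose
    fingerprint changes on more than max_ratio of their connections."""
    seen = defaultdict(list)
    for source, version, ciphers, extensions in hellos:
        seen[source].append(fingerprint(version, ciphers, extensions))
    flagged = {}
    for source, prints in seen.items():
        distinct = len(set(prints))
        # A shared NAT address shows a handful of browser fingerprints;
        # a tampering client shows close to one new fingerprint per connection.
        if len(prints) >= min_hellos and distinct / len(prints) > max_ratio:
            flagged[source] = (distinct, len(prints))
    return flagged


def constructed_sample(seed=7):
    """Constructed traffic: a NAT gateway carrying two browser builds, and one
    client that presents a differently ordered cipher list on every connection."""
    rng = random.Random(seed)
    ext = [0, 23, 65281, 10, 11, 35, 16, 5, 13]
    browser_a = [4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392]
    browser_b = [4865, 4867, 4866, 49195, 49199, 52393, 52392, 49196, 49200]
    hellos = []
    for i in range(40):
        hellos.append(("198.51.100.10", 771, browser_a if i % 2 else browser_b, ext))
        shuffled = browser_a[:]
        rng.shuffle(shuffled)
        hellos.append(("203.0.113.77", 771, shuffled, ext))
    return hellos


if __name__ == "__main__":
    for source, (distinct, total) in find_stunting_sources(constructed_sample()).items():
        print(f"{source}: {distinct} distinct fingerprints in {total} Client Hellos")
```

The ratio test is what keeps the shared gateway from being flagged: it sends as many Client Hellos as the tampering client but only ever shows two fingerprints.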

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
