Digital attackers are using a new technique called “cipher stunting” to improve the chances of their campaigns evading detection. And the use of this nefarious technique has skyrocketed over the past few months.
According to Akamai, bad actors began using this tactic in early 2018. They’ve since leveraged the approach, which involves randomizing SSL/TLS signatures, to target airlines, banking institutions and dating websites.
The content delivery network (CDN) discovered the approach by relying on its fingerprinting experience within the context of an SSL/TLS negotiation. Fingerprinting this type of connection is useful, as security researchers can use it to differentiate between legitimate users and attackers. Towards this end, Akamai decided to specifically focus on the “Client Hello” message that a client must send to a server in cleartext in order to initiate an SSL/TLS handshake.
Overall, Akamai found that the use of cipher stunting jumped abruptly in the summer of 2018.
In August, the CDN discovered 18,652 distinct fingerprints globally. Several of those fingerprints were present in 30 percent of Internet traffic, with most resulting from web browsers. There was no evidence of “Client Hello” tampering at that time.
That changed a month later. By then, Akamai began seeing numerous tampering attempts across several different verticals. In many of those cases, malefactors used a Java-based tool to present a randomized cipher suite in the “Client Hello” messages that randomized the hashes at the end.
These tampering numbers skyrocketed to 255 million by October 2018. By February 2019, they had grown to over a billion at 1,355,334,179.
Reflecting on these findings, Akamai doesn’t discount the ingenuity of digital criminals for a second. As quoted in its research:
“The key lesson here is that criminals will do whatever they can to avoid detection and keep their schemes going. The ability to have deep visibility over time into the Internet's traffic comes into play when dealing with these evolving evasion tactics.”
To defend against Client Stunting, organizations should consider investing in a monitoring tool that can use historical data to monitor evasive attacks, including those involving TLS/SSL connections. Organizations should also take the added step of bolstering the security of their encryption assets so that bad actors can’t use them in their attack campaigns. With that in mind, organizations should look to a tool that can automatically monitor their entire encryption environment for signs of misuse.