Skip to main content
banner image
venafi logo

Digital Attackers Using New ‘Cipher Stunting’ Technique to Evade Detection

Digital Attackers Using New ‘Cipher Stunting’ Technique to Evade Detection

cipher stunting
August 6, 2019 | David Bisson

Digital attackers are using a new technique called “cipher stunting” to improve the chances of their campaigns evading detection. And the use of this nefarious technique has skyrocketed over the past few months.

According to Akamai, bad actors began using this tactic in early 2018. They’ve since leveraged the approach, which involves randomizing SSL/TLS signatures, to target airlines, banking institutions and dating websites.


The content delivery network (CDN) discovered the approach by relying on its fingerprinting experience within the context of an SSL/TLS negotiation. Fingerprinting this type of connection is useful, as security researchers can use it to differentiate between legitimate users and attackers. Towards this end, Akamai decided to specifically focus on the “Client Hello” message that a client must send to a server in cleartext in order to initiate an SSL/TLS handshake.


Source: Akami

Overall, Akamai found that the use of cipher stunting jumped abruptly in the summer of 2018. In August, the CDN discovered 18,652 distinct fingerprints globally. Several of those fingerprints were present in 30 percent of Internet traffic, with most resulting from web browsers. There was no evidence of “Client Hello” tampering at that time.


That changed a month later. By then, Akamai began seeing numerous tampering attempts across several different verticals. In many of those cases, malefactors used a Java-based tool to present a randomized cipher suite in the “Client Hello” messages that randomized the hashes at the end.


These tampering numbers skyrocketed to 255 million by October 2018. By February 2019, they had grown to over a billion at 1,355,334,179.


Reflecting on these findings, Akamai doesn’t discount the ingenuity of digital criminals for a second. As quoted in its research:


“The key lesson here is that criminals will do whatever they can to avoid detection and keep their schemes going. The ability to have deep visibility over time into the Internet's traffic comes into play when dealing with these evolving evasion tactics.”


To defend against Client Stunting, organizations should consider investing in a monitoring tool that can use historical data to monitor evasive attacks, including those involving TLS/SSL connections. Organizations should also take the added step of bolstering the security of their encryption assets so that bad actors can’t use them in their attack campaigns. With that in mind, organizations should look to a tool that can automatically monitor their entire encryption environment for signs of misuse.


Keep your encryption assets safe from digital attackers.




Related posts

Like this blog? We think you will love this.
compromised android platform certificate
Featured Blog

Compromised Platform Certificates Used to Sign Android Malware for Samsung, LG and Others

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more