Billions of Malicious Bot Attacks Take to Cipher-Stunting to Hide


Attackers have been tampering with TLS signatures at a scale never before seen using a technique called cipher-stunting.

When it comes to cyberattacks, adversaries are focusing not just on advanced malware development, but also on increasing the sophistication of their evasion techniques. This is playing out lately in the form of ballooning instances of “cipher stunting” – a TLS tampering technique that helps malicious bot activity masquerade as live human traffic on the web.

The idea is to avoid the web client fingerprinting technologies that help security tools and human analysts to differentiate between legitimate clients and impersonators/bots. The latter are often used in credential-stuffing attacks on login pages, for committing ad fraud, automated vulnerability scanning, credential-scraping and more.

Website traffic is usually carried over HTTPS, that is, HTTP on top of SSL/TLS, the most common encrypted network protocols. Fingerprinting generally maps SSL/TLS handshakes and the information the client provides during those handshakes in its “ClientHello” message. This contains the protocol version, a list of supported cipher suites and other data. By building a real-time snapshot of the user-agent (client) that’s connecting to a website, defense mechanisms are able to evaluate that user-agent in order to spot suspicious bot activity.

According to research by Akamai, shared with Threatpost in advance of posting on Wednesday, attackers have been tampering with TLS signatures at a scale never before seen in order to get around these defenses, using the cipher-stunting approach.

In fact, Akamai said that activity has ramped up to the tune of 1,355,334,179 instances of tampering (more than 1.3 billion) as of the end of February 2019. That’s a jump of nearly 20 percent from the beginning of October, just after cipher stunting appeared on the scene – back then, observed instances of tampering clocked in at just 255 million.

Attackers typically get around fingerprinting by randomizing SSL/TLS signatures, the researchers noted. Cipher stunting is different because it randomizes the cipher-suite list presented in the handshake instead, which in turn changes the TLS fingerprint.

“But in early September 2018, we started observing TLS tampering via cipher randomization across several verticals,” they noted in a note Wednesday that Akamai shared with Threatpost. “Those responsible are presenting a randomized cipher suite list in the Client Hello messages, which, in turn, randomizes the hashes at the end. This is due to the relatively small and finite set of the SSL/TLS stack implementations available today. Each one allows for a different level of user intervention and customization of the SSL/TLS negotiation.”
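To make concrete why shuffling the cipher-suite list defeats a handshake fingerprint, and what a defender can do about it, here is an added example that is not part of the Threatpost article or Akamai's research. It builds two constructed ClientHello messages that offer the same cipher suites in different orders, parses them, and computes a JA3-style fingerprint (version, cipher suites, extensions, groups, point formats joined and MD5-hashed, with GREASE values dropped). The order-insensitive variant at the end is an assumption about one possible countermeasure, not a description of Akamai's detection method.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are reserved placeholders that legitimate clients
# insert at random; a fingerprint has to ignore them or it churns on its own.
GREASE = {((i << 4) | 0xA) * 0x101 for i in range(16)}  # 0x0a0a, 0x1a1a, ... 0xfafa

# Constructed sample extensions: server_name (0), supported_groups (10),
# ec_point_formats (11). Values are illustrative, not captured traffic.
SAMPLE_EXTENSIONS = [
    (0, b"\x00\x0e\x00\x00\x0bexample.com"),   # SNI list, host_name "example.com"
    (10, b"\x00\x04\x00\x1d\x00\x17"),         # groups: x25519 (29), secp256r1 (23)
    (11, b"\x01\x00"),                         # point formats: uncompressed (0)
]


def build_client_hello(version, ciphers, extensions):
    """Serialize a minimal ClientHello handshake message (type 1 + 3-byte length + body)."""
    body = struct.pack(">H", version)
    body += b"\x00" * 32                       # client random (constructed: all zeros)
    body += b"\x00"                            # empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                        # compression methods: null only
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    return b"\x01" + struct.pack(">I", len(body))[1:] + body


def parse_client_hello(data):
    """Extract the fields a handshake fingerprint depends on from a ClientHello."""
    if data[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    pos = 0
    version = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    pos += 32                                  # skip client random
    pos += 1 + body[pos]                       # skip session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                       # skip compression methods
    extensions, curves, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            extensions.append(etype)
            if etype == 10:                    # supported_groups: 2-byte list length, then ids
                n = int.from_bytes(edata[0:2], "big")
                curves = [int.from_bytes(edata[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 11:                  # ec_point_formats: 1-byte list length, then bytes
                formats = list(edata[1:1 + edata[0]])
            pos += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}


def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(hello):
    """JA3-style fingerprint string: the order of every list is significant."""
    return ",".join([str(hello["version"]), _join(hello["ciphers"]),
                     _join(hello["extensions"]), _join(hello["curves"]),
                     _join(hello["formats"])])


def ja3_hash(hello):
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()


def order_insensitive_hash(hello):
    """Assumed countermeasure: hash the sorted sets, so a shuffled cipher list
    collapses back onto one fingerprint. Coarser than JA3, but stable under stunting."""
    canon = {k: sorted(v) if isinstance(v, list) else v for k, v in hello.items()}
    return hashlib.md5(ja3_string(canon).encode()).hexdigest()


if __name__ == "__main__":
    same_suites = [0x1301, 0x1302, 0xC02B, 0xC02F]
    shuffled = [0xC02F, 0x1301, 0xC02B, 0x1302]          # same set, different order
    a = parse_client_hello(build_client_hello(0x0303, same_suites, SAMPLE_EXTENSIONS))
    b = parse_client_hello(build_client_hello(0x0303, shuffled, SAMPLE_EXTENSIONS))
    print("JA3 A:", ja3_hash(a), ja3_string(a))
    print("JA3 B:", ja3_hash(b), ja3_string(b))
    print("order-insensitive equal:", order_insensitive_hash(a) == order_insensitive_hash(b))
```

Running it shows two different JA3-style hashes for what is, functionally, the same client, which is exactly the effect the article describes. The sorted variant is a trade-off: it stops per-request fingerprint churn, but it also merges genuinely different clients that happen to offer the same set of suites, so it is best treated as one signal alongside others (request rate, header consistency, behaviour over time) rather than a replacement for the ordered fingerprint.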

Moshe Zioni, an Akamai researcher, told Threatpost that what makes cipher stunting so advanced is the fact that it’s a tactic that actively tries to obfuscate the way to fingerprint and detect it.

“Other techniques are mostly aware of time-based jittering/complications and application-layer obfuscation,” he told Threatpost. “Less on the network fingerprint, and second, taking into account that not everyone has visibility into the actual payload of the packet because of SSL/TLS asymmetric encryption nature. It takes some players out of the game for detecting those malicious actors (practically leaves them for IP-based whack-a-mole).”

The analysis showed that many of the tampering instances are directed toward airlines, banking and dating websites, which are often targets for credential stuffing attacks and content scraping.

Looking further at the attacker behavior across customers, the firm determined “with a high degree of certainty that the cipher stunting has been carried out by a Java-based tool” – a development that could signal additional increases in use of the technique, if the tool becomes widely available to cybercriminals.

“The TLS fingerprints that Akamai observed before cipher stunting was observed could be counted in the tens of thousands,” the researchers said. “Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions.” They added, “The traffic observed pushing many of the TLS changes with Client Hello came from scrapers, search and compare bots, and more.”

The analysis also worryingly showed that the majority (82 percent) of the malicious traffic (including application attacks, web scraping, credential abuse, etc.) that Akamai witnesses is carried out using secure connections over SSL/TLS – and now with the use of advanced techniques like cipher stunting, more of that traffic will be flying under the radar.

“The key lesson here is that criminals will do whatever they can to avoid detection and keep their schemes going,” researchers said. “The ability to have deep visibility over time into the Internet’s traffic comes into play when dealing with these evolving evasion tactics.”
