Attackers don’t want to get caught. Evading detection ensures they can keep working on their goal—such as making money or causing damage. Researchers have seen a recent spike in fingerprints for Transport Layer Security connections, as attackers tamper with Web traffic encryption to make malicious bot activity look like live human traffic.
Called Cipher Stunting, this technique is based on SSL/TLS signature randomization and changes with the “fingerprints” of encrypted Web traffic, Akamai said in its analysis. Where there used to be “tens of thousands” unique fingerprint variants, that number jumped to more than a billion within a span of six months, Akamai researchers said.
The boom in encrypted Web traffic means that attackers are also driving their malicious activity through encrypted connections—Akamai said 82 percent of malicious traffic such as web application attacks, web scraping, and credential abuse, use SSL/TLS. This has led many companies, Akamai included, to fingerprint connections to “differentiate between legitimate clients and impersonators, proxy and shared IP detection, and TLS terminators.”
An encrypted connection begins with an initial handshake request—known as the Client Hello packet—which contains information such as the type of encryption software being used, browser, operating system, and how the encryption package is configured. Akamai creates fingerprints based on the information stored in the Client Hello about the TLS version, the session ID, cipher-suite options, and extensions and compression methods being used.
"The TLS fingerprints that Akamai observed before Cipher Stunting was observed could be counted in the tens of thousands. Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions," said Akamai.
Akamai saw spikes in distinct fingerprints in August 2018 with 18,652 distinct fingerprints globally, and the number had climbed to 255 million by the end of October and more than 1.3 billion instances by February 2019. Several of the fingerprints observed in April covered more than 30 percent of all Internet traffic and were attributed mostly to common browser and operating system TLS client stacks.
The change is on a "scale never seen before by Akamai," the company said.
While researchers initially did not see any attempts to tamper with Client Hello or any other fingerprint component, they started seeing TLS tampering via cipher randomization across several verticals including airlines, banking, and dating websites by September.
While it is possible that the increase in the number of variations could be because of some software changes in the OS, browser, or encryption software, it is even more likely that attackers are randomizing the signatures. Since the set of SSL/TLS stack implementations are relatively small, attackers are submitting a randomized cipher suite list in Client Hello to randomize the resulting hash. This way, a single machine or a network can look like millions of devices.
Akamai observed that the randomization technique was often used in credential-stuffing attacks against login pages, where attackers attempted to use credentials stolen from other sources.
While tweaking SSL/TLS client behavior can be “trivial” for some aspects of fingerprint evasion, Akamai said the difficulty level can ramp up quickly for other types of evasion since the attacker would need to understand how these packages work. Researchers determined “with a high degree of certainty that the cipher stunting has been carried out by a Java-based tool” which could mean that more attackers would be able to start using the techniques as they get their hands on the tool.
“The key lesson here is that criminals will do whatever they can to avoid detection and keep their schemes going,” researchers said.