Bots Tampering With TLS to Avoid Detection
Researchers at Akamai observed attackers using a novel approach for evading detection. This new technique - which we call Cipher Stunting - has become a growing threat, with its roots tracing back to early 2018. By using advanced methods, attackers are randomizing SSL/TLS signatures in an attempt to evade detection.
Attackers have continued to change the way they operate, adding complexity and sophistication to their evasion techniques as they target businesses like airlines, banking, and dating websites. Over the last few months, attackers have been tampering with SSL/TLS signatures at a scale never before seen by Akamai.
The TLS fingerprints that Akamai observed before Cipher Stunting was observed could be counted in the tens of thousands. Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions.
A majority (~82%) of the malicious traffic (including application attacks, web scraping, credential abuse, etc.) Akamai witnesses is carried out using secure connections over SSL/TLS. This number has grown over the last few years, since more web applications have started using SSL/TLS as their default method of data transport.
Observing the way clients behave during the establishment of a TLS connection is beneficial for fingerprinting purposes so we can differentiate between attackers and legitimate users. When we conduct fingerprinting, we aim to select components of the negotiation sent by all clients. In the case of SSL/TLS negotiations, the ideal component for fingerprinting is the 'Client Hello' message that is sent via clear text, and is mandatory for each handshake.
Research around SSL/TLS fingerprinting is not new. In 2009, Ivan Ristić conducted research that focused on the cipher suite list. Later, he wrote an Apache module to passively fingerprint clients based on cipher suites and came up with a signature base that identifies many browsers and operating systems.
In 2012, Marek blogged about additional data that can be taken from other fields, including Client Hello. Additional research was published in 2015, when Lee Brotherston released a set of open source tools for TLS fingerprinting, and Salesforce open sourced their own version of SSL/TLS client fingerprinting named JA3 in 2017, as well as a server fingerprint named JA3S.
All of these fingerprinting mechanisms have been known for some time, and they're found in many security solutions, as well as evasion techniques used by criminals.
Fingerprinting exists in the first place to differentiate legitimate clients from impersonators, to detect proxies and shared IPs, and to identify TLS terminators. From an attacker's perspective, tweaking SSL/TLS client behavior can be trivial for some aspects of fingerprinting evasion, but the difficulty can ramp up for others depending on the purpose of evasion or the bot in question. In such settings, many packages require deep levels of knowledge and understanding on the attacker's part in order to operate correctly.
The traffic observed pushing many of the TLS changes with Client Hello came from scrapers, search and compare bots, and more.
In August 2018, Akamai observed 18,652 distinct fingerprints globally (0.00000159% of all potential fingerprints). Several of those fingerprints are present in more than 30% of all Internet traffic alone, and are attributed mostly to common browser and operating system TLS client stacks. At the time, there was no evidence of any tampering with Client Hello or any other fingerprint component.
But in early September 2018, we started observing TLS tampering via cipher randomization across several verticals. Many of the tampering instances were directed toward airlines, banking, and dating websites, which are often targets for credential stuffing attacks and content scraping. By the end of the following October, the TLS tampering had climbed to 255 million. Fast forward to the end of February 2019, and the TLS tampering jumped nearly 20% to 1,355,334,179 billion.
Those responsible are presenting a randomized cipher suite list in the 'Client Hello' messages, which in turn randomizes the fingerprint hashes computed from them. Additional analysis gives us the ability to hone in on and recognize important implementation details from the attacker. This is possible because of the relatively small and finite set of SSL/TLS stack implementations available today. Each one allows for a different level of user intervention and customization of the SSL/TLS negotiation.
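To make the mechanism concrete, the following is an added example (not code from the Akamai post or from any of the tools it names) covering both the Client Hello fingerprinting described above and the cipher-randomization effect. It builds a constructed TLS 1.2 Client Hello record, parses the fields that JA3 uses (version, cipher suites, extensions, supported groups, point formats), computes the JA3 string and its MD5, and then shows that reordering the cipher list yields a different hash on every connection while an order-insensitive variant (sorted cipher suites, an assumed defender-side tweak rather than standard JA3) stays stable. The cipher suite values, extension list, and hostname are constructed sample input; the GREASE exclusion follows the JA3 convention.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so that browsers that rotate
# them do not change their own fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

# Constructed sample cipher list (values are real IANA suite codes).
BASE_CIPHERS = [0xc02c, 0xc02b, 0xc030, 0xc02f, 0x009f, 0x009e, 0x00ff]


def build_client_hello(ciphers, extensions=(0, 10, 11, 13, 23),
                       curves=(29, 23, 24), point_formats=(0,)):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                    # one compression method: null
    exts = b""
    for ext_type in extensions:
        if ext_type == 0:                                  # server_name (SNI)
            host = b"example.com"
            name = b"\x00" + struct.pack("!H", len(host)) + host
            data = struct.pack("!H", len(name)) + name
        elif ext_type == 10:                               # supported_groups
            data = struct.pack("!H", 2 * len(curves))
            data += b"".join(struct.pack("!H", c) for c in curves)
        elif ext_type == 11:                               # ec_point_formats
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:                                              # type only, empty body
            data = b""
        exts += struct.pack("!HH", ext_type, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the JA3 fields from a ClientHello record (cleartext, so no keys needed)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                                          # version, then 32-byte random
    pos += 1 + record[pos]                                 # session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                                 # compression methods
    extensions, curves, point_formats = [], [], []
    if pos < len(record):
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            ext_type, data_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            data = record[pos:pos + data_len]
            pos += data_len
            extensions.append(ext_type)
            if ext_type == 10:
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif ext_type == 11:
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, curves, point_formats


def ja3(fields, order_insensitive=False):
    """Return (ja3_string, md5). order_insensitive sorts ciphers: an assumed
    defender-side variant that is immune to cipher-list shuffling."""
    version, ciphers, extensions, curves, point_formats = fields
    if order_insensitive:
        ciphers = sorted(ciphers)

    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    s = ",".join([str(version), fmt(ciphers), fmt(extensions), fmt(curves), fmt(point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


def stunting_demo(rounds=5):
    """Simulate cipher stunting with deterministic rotations of the cipher list
    (a stand-in for attacker randomization). Returns the number of distinct
    standard JA3 hashes and distinct order-insensitive hashes seen."""
    std, stable = set(), set()
    for i in range(rounds):
        ciphers = BASE_CIPHERS[i:] + BASE_CIPHERS[:i]
        fields = parse_client_hello(build_client_hello(ciphers))
        std.add(ja3(fields)[1])
        stable.add(ja3(fields, order_insensitive=True)[1])
    return len(std), len(stable)


if __name__ == "__main__":
    print(ja3(parse_client_hello(build_client_hello(BASE_CIPHERS))))
    print("distinct hashes (standard JA3, sorted variant):", stunting_demo())
```

Every rotated Client Hello produces a new JA3 hash, which is why a fingerprint count can balloon from thousands to billions without any new client stacks appearing. Sorting the cipher list collapses those back to one value; in practice a defender would combine that with the other, unrandomized fields (extension order, supported groups, handshake timing) that the evading tool still leaves intact.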
By leveraging these SSL/TLS fingerprints, Akamai was able to fingerprint the attacker's behavior across customers, and determine with a high degree of certainty that the Cipher Stunting has been carried out by a Java-based tool.
The key lesson here is that criminals will do whatever they can to avoid detection and keep their schemes going. The ability to have deep visibility over time into the Internet's traffic comes into play when dealing with these evolving evasion tactics.
Akamai has been able to profile well-known client behavior over time and across different scenarios, such as SSL/TLS traffic originating from different operating systems and devices, etc. This historical visibility has allowed us to monitor, track, and mitigate these latest evasion advancements.
Moshe Zioni, Director of Threat Research
Elad Shuster, Security Research Team Leader
Shay Shavit, Senior Security Researcher
Yossi Daya, Senior Security Researcher