“Cipher stuffing modifies the fingerprint of communications encrypted with secure sockets layer (SSL) and transport layer security (TLS).” – Dark Reading
You’ve probably seen one of those espionage or heist thrillers where the agent or villain disguises their finger with another person’s fingerprint to assume that person’s identity. In real life, manipulating fingerprints is a lot tougher than it is in the movies, which is why fingerprinting continues to be one of the primary ways that law enforcement and security services prove the identities of people. However, fingerprinting isn’t limited to classifying human identities; the cyber security industry uses it too.
A growing amount of web and application-based traffic is encrypted today to protect data from being sniffed, captured, or manipulated. This is a good thing. Unfortunately, encryption is a two-edged sword because hackers can use it to shield their malicious traffic as well. According to Cisco, 70 percent of attacks will use encryption to evade traditional security mechanisms. Because of this, enterprises need a way to classify encrypted traffic sessions to distinguish friend from foe.
TLS fingerprinting is one of the techniques used by industry professionals to identify the application and/or TLS library behind a client session. Fingerprinting is performed by extracting specific criteria such as the protocol version, session ID, cipher settings, and session-specific data from the Hello packets used within an SSL/TLS handshake. This handshake is initiated every time a web browser attempts to create a connection. Fingerprinting the identifying characteristics of the client session is possible because the Hello packet is sent in clear text. By observing how clients behave during the establishment of an encrypted connection, a real-time snapshot or fingerprint can be created to identify that particular user-agent or client. These snapshot fingerprints can then be used to identify malware and malicious applications. Web client fingerprinting technologies also help digital traffic analysts differentiate between legitimate clients and bots that attempt to impersonate human behavior. In recent years, TLS fingerprinting has played an important role in giving network administrators a tool to protect their networks.
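As an added example (not code from this article or from any vendor it describes), the following Python parses a TLS ClientHello record, pulls out the cleartext fields named above, and builds a JA3-style fingerprint; JA3 is a widely used fingerprint format the article does not name, and GREASE values, which clients randomize on purpose, are excluded from it. The sample record is constructed inline.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised by design and are dropped before fingerprinting.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def u16s(buf, off, nbytes):
    # Decode big-endian 16-bit values from buf[off:off + nbytes].
    return [struct.unpack_from("!H", buf, off + i)[0] for i in range(0, nbytes, 2)]

def parse_client_hello(record):
    """Extract the cleartext ClientHello fields that TLS fingerprinting relies on."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                              # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 35 + record[pos + 34]                         # version, 32-byte random, session id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    ciphers = u16s(record, pos + 2, cs_len)
    pos += 3 + cs_len + record[pos + 2 + cs_len]         # cipher suites, then compression methods
    pos, end = pos + 2, pos + 2 + struct.unpack_from("!H", record, pos)[0]
    extensions, curves, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        extensions.append(etype)
        if etype == 0x000a:                              # supported_groups
            curves = u16s(data, 2, struct.unpack_from("!H", data)[0])
        elif etype == 0x000b:                            # ec_point_formats
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}

def ja3_fingerprint(hello):
    """JA3-style string (decimal values, '-' within a field, ',' between fields) and its MD5."""
    field = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(hello["version"]), field(hello["ciphers"]), field(hello["extensions"]),
                  field(hello["curves"]), field(hello["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()

# Constructed sample ClientHello (zero random, empty session id); offline test input only.
_EXT = (b"\x1a\x1a\x00\x00"                                  # GREASE extension, empty
        + b"\x00\x00\x00\x0e\x00\x0c\x00\x00\x09localhost"    # server_name: localhost
        + b"\x00\x0a\x00\x06\x00\x04\x00\x1d\x00\x17"         # supported_groups: x25519, secp256r1
        + b"\x00\x0b\x00\x02\x01\x00")                        # ec_point_formats: uncompressed
_BODY = (b"\x03\x03" + bytes(32) + b"\x00\x00\x08\x1a\x1a\x13\x01\x13\x02\xc0\x2b"  # version, random, no sid, 4 ciphers
         + b"\x01\x00" + struct.pack("!H", len(_EXT)) + _EXT)                        # null compression, extensions
SAMPLE_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_BODY) + 4) + b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY
```

Because the hash covers the exact order and contents of the cipher and extension lists, a client that pads or reorders them produces a new hash; this is how the cipher stuffing described below inflates the fingerprint database, so an unseen hash is a signal to investigate rather than proof of a new legitimate client.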
How Cybercriminals are Evading TLS Fingerprinting
Recently, a leading provider of content delivery network services for media and software delivery and of cloud security solutions started noticing a disturbing trend. In theory, the number of distinct client connection fingerprints should be fairly finite. However, the number of distinguishable fingerprints has grown exponentially, from roughly 19,000 in September of 2018 to over 1.4 billion today. While legitimate application behavior and software defects are partial contributors to the growing fingerprint database, the vast bulk of this recent growth is attributed to hackers having figured out a way to evade fingerprint identification by randomizing SSL/TLS signatures. Much of this fingerprint manipulation took place in October 2018, when the identified library grew to 255 million in only one month. This technique for changing the TLS fingerprint is referred to as Cipher Stuffing. It is similar to another sinister technique called Cyber Stunting, which is used to help malicious bot activity masquerade as live human traffic on the web.
Security analysts are quite certain that a Java-based tool is being used to create these altered signature permutations. By randomizing characters within the client session, hackers can camouflage their sessions at a scale never before seen. While this randomization is quite elementary in some cases, it can be highly complex in some types of traffic. Security solutions can still identify suspicious connection requests, but their ability to identify specific malware strains is hampered. Analysts have found a strong relationship between these randomization techniques and malicious activity. Many of these tampering instances have been directed at airline, banking, and dating websites, all of which are regular targets for credential stuffing attacks and content scraping.
Identify Threats for your Enterprise
The sudden proliferation of cipher stuffing is yet another example of how cybersecurity is a moving target: the cat-and-mouse game between cybercriminals and security defenders never ends, as each side tries to outwit the other. Still, cipher stuffing is not the be-all and end-all for hackers, who will continue to innovate and create new methods to evade current-day security protocols and tools.