Billions of Malicious Bot Attacks Take to Cipher-Stunting to Hide

May 22, 2019
Cipher Stunting

Threat Summary

There has never come a time when TLS signature become focal point of target by malicous actors. Since cipher stunting is fairly new in the threat landscape, and now prevailing as a new vector to be exploited. This approach is found to be the latest evasive technique and more predominately used that reached up to a billion instances  as the attackers typically get around fingerprinting by randomizing SSL/TLS signatures, the researchers noted. Cipher stunting is different because it randomizes the encryption cipher instead, in order to change the TLS fingerprint.

Vector Analysis

The very advancement of cipher stunting sit actively tries to obfuscate the initial phase of handshake and exploit fingerprinting and attack directly aim toward airlines, banking and dating websites, which are often targets for credential stuffing attacks and content scraping. Few more distinctions are stated below:

  1. It modifies the fingerprint of communications encrypted with secure sockets layer (SSL) and transport layer security (TLS).
  2. Java-based tool is known to have been used to carry out the attack.
  3. It utilizes asymmetric encryption – were two separate keys are used, one public and one private.
  4. Setback regarding the visibility of the Actual payload of the packet because SSL/TLS used asymmetric encryption, fraud solution should be equipped outlining traffic as cipher stunting takes place on the application of the OSI layer.

The Standard SSL Handshake

The following is a standard SSL handshake when RSA key exchange algorithm is used:

  1. Client Hello

Information that the server needs to communicate with the client using SSL. This includes the SSL version number, cipher settings, session-specific data.

  1. Server Hello

Information that the server needs to communicate with the client using SSL. (Same inclusion listed above)

  1. Authentication and Pre-Master Secret

Client authenticates the server certificate. (e.g. Common Name / Date / Issuer) Client (depending on the cipher) creates the pre-master secret for the session, Encrypts with the server’s public key and sends the encrypted pre-master secret to the server.

  1. Decryption and Master Secret

Server uses its private key to decrypt the pre-master secret. Both Server and Client perform steps to generate the master secret with the agreed cipher.

  1. Encryption with Session Key

Both client and server exchange messages to inform that future messages will be encrypted.


Cyber criminals will use all possible ways and innovate new tactics to avoid detection and keep their malicious schemes going,” researchers said. “The ability to have deep visibility over time into the Internet’s traffic comes into play when dealing with these evolving evasion tactics.

About the author

Leave a Reply