Cybercriminals are using a new method to evade detection to make sure that the traffic generated by their malicious campaigns is not being detected, a technique based on SSL/TLS signature randomization and dubbed cipher stunting.
The vast majority of malicious traffic on the Internet — including attacks against web apps, scraping, credential abuse, and more — is funneled via secure connections over SSL/TLS says Akamai's Threat Research Team in a report published today.
Akamai's report says that "From an attacker's perspective, tweaking SSL/TLS client behavior can be trivial for some aspects of fingerprinting evasion, but the difficulty can ramp up for others depending on the purpose of evasion or the bot in question. In such settings, many packages require deep levels of knowledge and understanding on the attacker's part in order to operate correctly."
This technique is used by attackers to evade detection and run their malicious campaigns undisturbed, with at least a few tens of thousands of TLS fingerprints being used for such purposes before the novel cipher stunting evasion method was observed by the researchers.
The Unkillable King of Recon: Nmap in the Age of Encryption
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
Phishing emails increasingly use SVG attachments to evade detection
Microsoft Teams Exploited in Attacks Delivering DarkGate Malware