
Internet intelligence firm GreyNoise reports that it has been tracking large waves of "Noise Storms" containing spoofed internet traffic since January 2020. However, despite extensive analysis, it has not determined their origin or purpose.
These Noise Storms are suspected to be covert communications, DDoS attack coordination signals, clandestine command and control (C2) channels of malware operations, or the result of a misconfiguration.
  • A curious aspect is the presence of a "LOVE" ASCII string in the generated ICMP packets, which adds further speculation as to their purpose and makes the case more intriguing.
GreyNoise published this information hoping the cybersecurity researchers community can help solve the mystery and uncover what's causing these strange noise storms.

Characteristics of the noise storms
GreyNoise observes large waves of spoofed internet traffic coming from millions of spoofed IP addresses from various sources such as QQ, WeChat, and WePay.
  • The "storms" create massive traffic directed to specific internet service providers like Cogent, Lumen, and Hurricane Electric but avoid others, most notably Amazon Web Services (AWS).
The traffic mainly focuses on TCP connections, particularly targeting port 443, but there's also an abundance of ICMP packets, lately including an embedded ASCII string "LOVE" within them, as shown below.
ICMP packets containing the "Love" string
Source: BleepingComputer
The TCP traffic also adjusts parameters such as window sizes to emulate different operating systems, keeping the activity stealthy and difficult to pinpoint.
The Time to Live (TTL) values, which cap how many router hops a packet may traverse before it is discarded, are set between 120 and 200 to resemble realistic network paths.
All in all, the form and characteristics of these "noise storms" indicate a deliberate effort by a knowledgeable actor rather than a large-scale side effect of a misconfiguration.
GreyNoise calls for help
This strange traffic mimics legitimate data streams, and while it is not known whether it is malicious, its true purpose remains a mystery.
GreyNoise published packet captures (PCAPs) for two recent noise storm events on GitHub, inviting cybersecurity researchers to join in the investigation and contribute their insights or independent discoveries that will help solve this mystery. 
"Noise Storms are a reminder that threats can manifest in unusual and bizarre ways, highlighting the need for adaptive strategies and tools that go beyond traditional security measures," underlines GreyNoise.

You can learn more about these Noise Storms in GreyNoise's recent Storm Watch video, shown below.



Mysterious “Noise Storms” Have Been Hitting the Internet Since 2020
September 19, 2024 By Alex Lekander

Since January 2020, GreyNoise Intelligence has been tracking a puzzling phenomenon known as “Noise Storms”—massive waves of spoofed internet traffic that continue to perplex cybersecurity experts.

These events, characterized by millions of spoofed IP addresses, are evolving in complexity, posing new challenges to defenders across the globe. Despite ongoing research, the true purpose and origin of these attacks remain shrouded in mystery, with possible connections to covert communication networks, Distributed Denial of Service (DDoS) attacks, or misconfigured routers.

Evolving tactics and potential theories

Noise Storms are primarily composed of TCP traffic targeting port 443 (HTTPS) and ICMP packets, but they notably lack UDP traffic, a common vector in similar attacks. These events exhibit signs of high-level coordination and technical proficiency:

  • TTL Spoofing: Time to Live (TTL) values are manipulated to mimic legitimate internet hops, typically ranging between 120 and 200.
  • OS Emulation: TCP packets are crafted to spoof window sizes, mimicking traffic from various operating systems.
  • Selective Targeting: Recent storms have become more focused, hitting smaller segments of the internet with greater intensity. Notably, they avoid Amazon Web Services (AWS) while impacting providers like Cogent, Lumen, and Hurricane Electric.
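The traits listed above (and in the "Characteristics of the noise storms" section earlier on this page) are concrete enough to turn into a triage filter a defender can run over their own captures: TTL in the 120 to 200 band, TCP SYNs to port 443 with varying window sizes, ICMP echo requests carrying the ASCII string "LOVE", and no UDP at all. The following Python is an added example, not GreyNoise's code or a parser of its published PCAPs; it builds a handful of constructed IPv4 packets as sample input (the addresses, window sizes and the `classify`/`summarize` helper names are all assumptions made for this illustration) and reports which of the published traits each packet matches.

```python
"""Heuristic triage of raw IPv4 packets against the Noise Storm traits described on this page."""
import struct
from collections import Counter

ICMP, TCP, UDP = 1, 6, 17
TTL_BAND = range(120, 201)   # TTL range the article attributes to the storms
MARKER = b"LOVE"             # ASCII string reported inside the ICMP payloads


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used only to build realistic samples)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet without options. Constructed sample input, not captured traffic."""
    def ip(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def icmp_echo(data: bytes) -> bytes:
    """ICMP echo request (type 8) with arbitrary trailing data."""
    msg = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data
    return msg[:2] + struct.pack("!H", _checksum(msg)) + msg[4:]


def tcp_syn(dport: int, window: int) -> bytes:
    """Bare 20-byte TCP SYN header with a chosen window size; no options, checksum left zero."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, window, 0, 0)


def parse_ipv4(pkt: bytes):
    """Return (src, ttl, proto, payload) from a raw IPv4 packet with no link-layer framing."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return ".".join(map(str, src)), ttl, proto, pkt[ihl:total_len]


def classify(pkt: bytes) -> dict:
    """Match one packet against the published traits and return what it hit."""
    src, ttl, proto, payload = parse_ipv4(pkt)
    traits, window = [], None
    if ttl in TTL_BAND:
        traits.append("ttl_band")
    if proto == ICMP and len(payload) >= 8 and payload[0] == 8 and MARKER in payload[8:]:
        traits.append("icmp_love")            # echo request carrying the LOVE marker
    elif proto == TCP and len(payload) >= 20:
        dport = struct.unpack("!H", payload[2:4])[0]
        flags = payload[13]
        window = struct.unpack("!H", payload[14:16])[0]
        if dport == 443 and flags & 0x02 and not flags & 0x10:   # SYN without ACK
            traits.append("syn_443")
    return {"src": src, "ttl": ttl, "proto": proto, "window": window, "traits": traits}


def summarize(pkts) -> dict:
    """Aggregate per-packet verdicts: a packet counts only if the TTL band AND another trait match."""
    rows = [classify(p) for p in pkts]
    matched = [r for r in rows if "ttl_band" in r["traits"] and len(r["traits"]) > 1]
    return {
        "total": len(rows),
        "matched": len(matched),
        "distinct_sources": len({r["src"] for r in matched}),   # spread of (spoofed) sources
        "udp_seen": any(r["proto"] == UDP for r in rows),        # the storms reportedly carry none
        "tcp_windows": sorted({r["window"] for r in matched if r["window"] is not None}),
        "trait_counts": dict(Counter(t for r in matched for t in r["traits"])),
    }


# Constructed sample packets (documentation-range addresses, assumed window sizes).
SAMPLE = [
    build_ipv4("203.0.113.10", "198.51.100.1", 128, ICMP, icmp_echo(b"LOVE")),
    build_ipv4("203.0.113.11", "198.51.100.1", 190, TCP, tcp_syn(443, 65535)),
    build_ipv4("203.0.113.12", "198.51.100.1", 150, TCP, tcp_syn(443, 8192)),
    build_ipv4("203.0.113.13", "198.51.100.1", 64, TCP, tcp_syn(443, 65535)),    # TTL outside band
    build_ipv4("203.0.113.14", "198.51.100.1", 130, ICMP, icmp_echo(b"ping")),   # no marker
]

if __name__ == "__main__":
    for row in map(classify, SAMPLE):
        print(row)
    print(summarize(SAMPLE))
```

Requiring the TTL band together with a second trait is what keeps the filter from flagging every ordinary HTTPS handshake; on real captures the useful signal is the aggregate (many distinct sources, varied window sizes, zero UDP) rather than any single packet, so the per-packet verdicts are fed into `summarize` before anyone alerts on them.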

While these storms initially seemed like large-scale, indiscriminate attacks, the targeting has grown more refined, suggesting a highly organized actor. This sophistication is coupled with a key discovery: spoofed traffic appears to originate from Brazil, yet further analysis points to obfuscation, potentially masking deeper ties to Chinese platforms such as QQ, WeChat, and WePay. This international connection adds a layer of geopolitical complexity to the case.

The enigmatic “LOVE” message

One of the most perplexing features of the latest Noise Storms is the discovery of the ASCII string “LOVE” embedded within ICMP packets. This seemingly innocent message has confounded researchers, sparking speculation that the storms might be a covert communication channel. The appearance of such a specific, intentional string raises questions about whether these events serve as signals or commands exchanged between entities, hidden in the noise of internet traffic.

GreyNoise’s analysis revealed that the Autonomous System Number (ASN) tied to the ICMP traffic is linked to a Content Delivery Network (CDN) servicing prominent Chinese platforms. This connection has led experts to theorize that the attacks could be attempts to obfuscate the true origin of the traffic. While Brazil is the reported origin, the sophistication and selective targeting imply a more calculated operation, potentially involving state actors or large, organized entities.

This connection with major Chinese platforms raises concerns about the true intentions behind these attacks. Whether it is simply misdirection or part of a broader, coordinated campaign remains to be seen.

GreyNoise has been at the forefront of studying these mysterious Noise Storms for over four years, diligently capturing data and sharing findings with the wider security community. The organization has made packet captures (PCAPs) of the two recent storm events available on GitHub, inviting researchers to help unravel this ongoing enigma. These captures contain samples of the TCP and ICMP traffic observed in recent months, providing a valuable resource for further investigation.


About Alex Lekander

Alex is the founder and Editor-in-Chief of CyberInsider.com. His background and expertise includes digital privacy, security, and tech journalism. When he’s not working behind a screen, Alex is probably tinkering with a boat or enjoying the outdoors.
