Internet intelligence firm GreyNoise reports that it has been monitoring large waves of “Noise Storms” containing spoofed internet traffic since January 2020. However, despite extensive analysis, it has not been able to determine their origin or purpose.
The Noise Storms are suspected to be covert communications, DDoS attack coordination signals, clandestine command and control (C2) channels for malware operations, or the result of a misconfiguration.
A curious aspect is the presence of a “LOVE” ASCII string in the generated ICMP packets, which adds further speculation as to their purpose and makes the case more intriguing.
GreyNoise published this information hoping the cybersecurity research community can help solve the mystery and uncover what is causing these strange noise storms.
Characteristics of the noise storms
GreyNoise observes large waves of spoofed internet traffic coming from millions of spoofed IP addresses attributed to various sources such as QQ, WeChat, and WePay.
The “storms” direct huge volumes of traffic at specific internet service providers like Cogent, Lumen, and Hurricane Electric but avoid others, most notably Amazon Web Services (AWS).
The traffic primarily consists of TCP connections, particularly targeting port 443, but there is also an abundance of ICMP packets, lately with an embedded ASCII string “LOVE” inside them, as shown below.
The TCP traffic also varies parameters such as window sizes to emulate different operating systems; since passive OS-fingerprinting tools key on exactly these header fields, this keeps the activity stealthy and difficult to attribute.
The Time to Live (TTL) values, which limit how many router hops a packet can traverse before it is discarded (each router decrements the field by one), are set between 120 and 200 to resemble realistic network hops.
All in all, the form and characteristics of these “noise storms” indicate a deliberate effort by a knowledgeable actor rather than a large-scale side effect of a misconfiguration.
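The traits described above (a TTL band of 120 to 200, TCP aimed at port 443 with varied window sizes, ICMP payloads carrying the ASCII marker “LOVE”) can be turned into a first-pass filter for a capture such as the PCAPs GreyNoise published. The following is an added example written for this page, not GreyNoise's tooling: a standard-library Python scanner for classic pcap files (Ethernet/IPv4 only; pcapng is not handled). The thresholds, the indicator names ttl, icmp-love and tcp443, the RFC 5737 documentation addresses and the constructed frames in sample_pcap() are assumptions for illustration, not observations from the real storms.

```python
"""Scan a classic pcap for the Noise Storm traits reported by GreyNoise.
Added example (not GreyNoise code); pure standard library, no scapy."""
import struct
from collections import Counter

TTL_BAND = (120, 200)   # TTL band reported by GreyNoise; treated here as a filter (assumption)
MARKER = b"LOVE"        # ASCII string seen in the storm ICMP packets
STORM_PORT = 443        # TCP port the storms concentrate on


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; used only when building the sample."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def icmp_echo(payload: bytes) -> bytes:
    """ICMP echo request; the scanner never verifies L4 checksums, so it stays zero."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload


def tcp_syn(sport: int, dport: int, window: int) -> bytes:
    """Bare TCP SYN without options; checksum left zero for the same reason."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, window, 0, 0)


def build_pcap(ip_packets) -> bytes:
    """Wrap IPv4 packets in Ethernet frames inside a little-endian classic pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    for i, pkt in enumerate(ip_packets):
        frame = eth + pkt
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_frames(data: bytes):
    """Yield the link-layer bytes of every record in a classic pcap (Ethernet only)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def scan(data: bytes):
    """Return (per-packet findings, TCP window-size tally) for an Ethernet pcap."""
    findings, windows = [], Counter()
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        (total_len,) = struct.unpack_from("!H", ip, 2)
        ttl, proto = ip[8], ip[9]
        l4 = ip[ihl:total_len]  # trims Ethernet padding past the IP total length
        hits = []
        if TTL_BAND[0] <= ttl <= TTL_BAND[1]:
            hits.append("ttl")
        if proto == 1 and MARKER in l4[8:]:  # look past the 8-byte ICMP header
            hits.append("icmp-love")
        if proto == 6 and len(l4) >= 20:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            (window,) = struct.unpack_from("!H", l4, 14)
            windows[window] += 1  # spread of window sizes hints at OS emulation
            if dport == STORM_PORT:
                hits.append("tcp443")
        findings.append({"src": ".".join(map(str, ip[12:16])),
                         "dst": ".".join(map(str, ip[16:20])),
                         "ttl": ttl, "proto": proto, "hits": tuple(hits)})
    return findings, windows


def summarize(findings) -> Counter:
    """Count how often each indicator fired across the capture."""
    return Counter(h for f in findings for h in f["hits"])


def sample_pcap() -> bytes:
    """Constructed capture; addresses are RFC 5737 documentation space, not real observations."""
    return build_pcap([
        ipv4("203.0.113.10", "198.51.100.1", 1, 150, icmp_echo(MARKER * 4)),      # storm-like ICMP
        ipv4("203.0.113.11", "198.51.100.1", 6, 128, tcp_syn(40000, 443, 8192)),  # storm-like TCP
        ipv4("192.0.2.5", "198.51.100.1", 6, 64, tcp_syn(50000, 443, 65535)),     # ordinary HTTPS SYN
        ipv4("192.0.2.6", "198.51.100.1", 1, 64, icmp_echo(b"abcdefgh")),         # ordinary ping
    ])


if __name__ == "__main__":
    found, win = scan(sample_pcap())
    for f in found:
        print(f["src"], "->", f["dst"], "ttl", f["ttl"], "hits", f["hits"])
    print("indicator totals:", dict(summarize(found)))
    print("TCP window sizes:", dict(win))
```

To run it over a real capture, pass the file contents to scan() (for example `scan(open("storm.pcap", "rb").read())`). The TTL band on its own is a weak signal, since an ordinary Windows host starts at 128 and lands in the band after a few hops; treat it as corroboration alongside the ICMP marker, the port 443 concentration and the provider targeting described above rather than as a verdict by itself.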
GreyNoise asks for help
This strange traffic mimics legitimate data streams, and while it is not known whether it is malicious, its true purpose remains a mystery.
GreyNoise published packet captures (PCAPs) for two recent noise storm events on GitHub, inviting cybersecurity researchers to join the investigation and contribute their insights or independent findings that may help solve this mystery.
“Noise Storms are a reminder that threats can manifest in unusual and unexpected ways, highlighting the need for adaptive strategies and tools that go beyond traditional security measures,” says GreyNoise.
You can learn more about these Noise Storms in GreyNoise's recent Storm Watch video, shown below.