Last week, the cybersecurity outfit GreyNoise found hackers were spraying commands designed for printers across the internet. Affected machines then shot out messages advertising a mass printer-hijacking service.
GreyNoise, a firm that monitors the background hum of the internet, found this campaign through the company’s network of nodes in data centres spread across the world, listening 24/7 to whatever hackers, organizations, or researchers are spraying against some of the roughly 4.2 billion publicly routable IP addresses.
The internet is a noisy place, after all. Hackers are constantly firing exploits, trying to break into whatever systems they can. Academics and cybersecurity companies are also scanning the internet at large to see what sorts of devices are exposed. But what is actually behind that constant activity? And, if those worried about hackers knew which traffic was banal and could be separated from the targeted, worrying stuff, maybe they could filter out some of the more benign attacks.
GreyNoise, a one-man operation run by founder Andrew Morris, is attempting to tackle that issue.
“Anything you put up on the internet, it’s seconds until someone finds it, minutes at the most,” Morris told Motherboard in a phone call. Morris said the company is “trying to take a picture of what is hitting everyone on the internet.”
GreyNoise’s nodes have the ability to outwardly appear like just about any sort of internet-connected computer, be that an Internet of Things (IoT) device or web server, according to Morris. Morris takes issue with the idea of this being a “honeypot”—a term used to describe devices that are purposefully left exposed to see what attackers might do—because GreyNoise isn’t actively trying to bait hackers. The Virginia-based firm’s nodes don’t look like those from a particular organization, or especially attractive to a hacker, for example. If anything, it wants to blend in like anything else; that way, GreyNoise can work out a base norm for what is hitting everywhere.
From one week to the next, the IPs that were deploying exploits en masse are probably going to look very different, and even more so when going back further in time. So providing a rolling dataset of background traffic on the internet right now may allow customers and researchers to better understand what is actually happening.
According to GreyNoise, much of this hum is going to be malicious. Morris said something like 50 percent of that digital noise comes from various worms, computer programmes designed to infiltrate systems en masse. But, even though you may want to protect your company or institution from those sorts of attacks, knowing that a hacker is hitting everyone with a worm means you’re probably not being targeted specifically; perhaps the hacker is not going to go any further than just trying to automatically exploit your system and move on.
Whereas plenty of companies focus on highly advanced, motivated threats, GreyNoise is “trying to tell everybody what to not freak out about,” Morris said. Clients include large companies, as well as other cybersecurity firms that will want to make sure false positives aren’t being flagged for customers. “We are approached pretty regularly by various governments to help with various government stuff,” Morris added. (He did not elaborate on what that work entails.)
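The filtering idea Morris describes, seeing which source IPs are hitting everyone and using that to deprioritise an organisation's own alerts, as an added illustration that is not GreyNoise code or data. The sensor hits and firewall alerts below are constructed samples using documentation IP ranges; the three-sensor threshold is an assumption, not anything GreyNoise has published.

```python
from collections import defaultdict

# Constructed sample of hits seen by four passive sensors in different networks,
# as (sensor id, source IP, destination port). Not GreyNoise data.
SENSOR_HITS = [
    ("sensor-a", "198.51.100.7", 9100), ("sensor-b", "198.51.100.7", 9100),
    ("sensor-c", "198.51.100.7", 9100), ("sensor-d", "198.51.100.7", 9100),
    ("sensor-a", "203.0.113.5", 23),    ("sensor-b", "203.0.113.5", 23),
    ("sensor-c", "203.0.113.5", 2323),  ("sensor-d", "203.0.113.5", 23),
    ("sensor-a", "192.0.2.44", 22),     # seen by a single sensor only
]

# Constructed sample of one organisation's own firewall alerts (source IP, port).
ORG_ALERTS = [
    ("198.51.100.7", 9100),  # the same mass printer spray every sensor saw
    ("203.0.113.5", 23),     # telnet scanning seen across all sensors
    ("192.0.2.44", 22),      # seen by one sensor: not established as background noise
    ("192.0.2.99", 445),     # never seen by any sensor: deserves a closer look
]

def build_noise_set(hits, min_sensors=3):
    """IPs observed by at least `min_sensors` distinct sensors are hitting
    'everyone' and count as background noise rather than as targeting."""
    seen_by = defaultdict(set)
    for sensor, ip, _port in hits:
        seen_by[ip].add(sensor)
    return {ip for ip, sensors in seen_by.items() if len(sensors) >= min_sensors}

def noise_profile(hits, noise):
    """For each noisy IP, list the ports it is spraying: a rough picture of
    which exploits are being used at scale right now."""
    ports = defaultdict(set)
    for _sensor, ip, port in hits:
        if ip in noise:
            ports[ip].add(port)
    return {ip: sorted(p) for ip, p in ports.items()}

def triage(alerts, noise):
    """Split alerts into opportunistic noise and hits that deserve attention.
    Noise is deprioritised, not discarded: an opportunistic exploit can still land."""
    noisy = [a for a in alerts if a[0] in noise]
    investigate = [a for a in alerts if a[0] not in noise]
    return {"noise": noisy, "investigate": investigate}

if __name__ == "__main__":
    noise = build_noise_set(SENSOR_HITS)
    print("noise profile:", noise_profile(SENSOR_HITS, noise))
    for label, items in triage(ORG_ALERTS, noise).items():
        print(label, items)
```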
Morris granted Motherboard access to some of GreyNoise’s dataset. To verify that the data was accurate, Motherboard spoke to HackerGiraffe, a hacker who, in another recent printer-centred campaign, fired a mass of commands at printers telling victims to subscribe to YouTuber PewDiePie. Over the last few days, HackerGiraffe started another flurry of messages doing much the same thing.
Using information HackerGiraffe provided, such as when they started sending the commands, and what ports they tried to communicate with, Motherboard did see a spike in likely connected traffic during the correct time period. Searching through GreyNoise’s data, we also noted a barrage of traffic from various Mirai variants. Mirai is something of an umbrella term now used to describe a similar set of IoT-based botnets.
Kevin Stear, lead threat analyst at cybersecurity company JASK and a GreyNoise customer, told Motherboard he uses the platform to evaluate the proliferation of exploit weaponization: seeing which exploits are being used in the wild, and at what scale. He has also used it to filter out many of the more opportunistic campaigns.
“All of the data that we’re using to collect this information is being literally sprayed around the entire internet,” Morris added. “We’re just organizing it in a way that makes it cohesive and actually usable.”
Correction: This piece has been updated to correct that Kevin Stear now works for JASK and not RSA Security. Motherboard regrets the error.