The last several days have seen a surge in internet traffic mimicking the IP addresses of big U.S. banks in a possible effort to disrupt the cybersecurity personnel and products that help protect organizations from malicious traffic, according to GreyNoise Intelligence, a company that maps internet traffic.
Bank of America, JPMorgan Chase, and SunTrust are among the banks whose IP addresses are being spoofed to seem like they are conducting broad scans of the internet, GreyNoise said. That large-scale scanning is duping people into thinking that the IP addresses are malicious, GreyNoise founder Andrew Morris told CyberScoop. “There are a lot of people around the internet who are definitely convinced that these are bad IPs,” he said.
Threat intelligence teams in the U.S. financial sector are looking into the issue, sources told CyberScoop.
Morris said the volume of traffic is too low to be a distributed denial-of-service attack. Instead, he suggested, a bad actor could be fooling firewalls and other products into blocking traffic originating from the banks, embarrassing security vendors. The spike in traffic-spoofing started last Friday and was ongoing as of Tuesday evening, according to Morris.
The bank networks that are being spoofed by this traffic are attached. Get the full context using the GreyNoise CLI with the following commands:
# pip3 install greynoise
# greynoise setup -k YOURKEYHERE
# greynoise -q "raw_data.scan.port:636 first_seen:[now-3d TO now]" -o json
pic.twitter.com/QHnKfhq1MA
— GreyNoise Intelligence (@GreyNoiseIO) April 22, 2019
Concentrated traffic-spoofing at this scale is unusual, Morris said. “We see spoofed traffic all the time, but we don’t see spoofed traffic with…such an obvious target profile,” he added.
One security researcher shared a list of thousands of IP addresses that were reportedly spoofed to Pastebin, the text-storage site, in an effort to track the campaign.
It is unclear who is responsible for the flood in spoofed traffic.
Some in the cybersecurity industry have criticized the Spamhaus Project, a threat intelligence nonprofit, for reportedly blocking IP addresses that researchers have used to conduct internet scans. Those critics include Packet.Tel, a security-research company that does port scanning. Packet.Tel on Monday said it had nothing to do with the IP spoofing.
“We do not recommend people actually spoofscan IP ranges without consent…” the company tweeted.
Resolving the issue is tedious. Banks have to contact individual vendors that are blocking traffic to tell them they are doing so in error, Morris said, adding that he has been in touch with the affected banks to advise them on the issue.
A JPMorgan Chase spokesperson declined to comment. Representatives of Bank of America and SunTrust did not respond to a request for comment.
On the whole, the incident could be good for product security because vendors could be forced to root out false positives, according to Morris. “This is actually a good thing because [large-scale IP spoofing] is unavoidable,” he said.
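The false positives Morris describes come from treating a single spoofed packet as evidence about its claimed source. A blind sender can forge the source address on a TCP SYN at no cost, but it cannot complete a three-way handshake from an address it does not control, because the SYN-ACK goes to the real owner. The following is an added example, not GreyNoise's or any vendor's code, of how a blocklist ingestion step can separate attributable scanning evidence from spoofable evidence. The `Flow` record, the `triage` function and the scan threshold of eight distinct ports are assumptions chosen for illustration, and the sample traffic uses constructed TEST-NET addresses rather than any real bank range.

```python
"""Blocklist triage that refuses to auto-block on spoofable evidence.

Added example, not code from the original article or from GreyNoise.
A SYN that never becomes a connection says nothing reliable about its
claimed source address; only flows where the remote side completed the
handshake can be attributed to that address.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inbound flow, as a firewall or NetFlow record would summarise it."""
    src: str          # claimed source address (constructed sample values below)
    dport: int        # destination port that was probed
    completed: bool   # True if the three-way handshake completed


def triage(flows, scan_threshold=8):
    """Split scanning sources into auto-blockable and unverified.

    Returns a dict with two sets of source addresses:
      'block'      - sources that probed at least scan_threshold distinct
                     ports with completed handshakes; a blind spoofer cannot
                     produce these, so the evidence is attributable
      'unverified' - sources that reached the threshold only on SYN-only
                     probes; these are spoofable and must not be auto-blocked
                     without corroborating evidence
    The threshold is an assumed tuning value, not one from the article.
    """
    completed_ports = defaultdict(set)
    syn_only_ports = defaultdict(set)
    for f in flows:
        bucket = completed_ports if f.completed else syn_only_ports
        bucket[f.src].add(f.dport)

    block = {src for src, ports in completed_ports.items()
             if len(ports) >= scan_threshold}
    unverified = {src for src, ports in syn_only_ports.items()
                  if len(ports) >= scan_threshold and src not in block}
    return {"block": block, "unverified": unverified}


def build_sample_flows():
    """Constructed sample traffic using RFC 5737 TEST-NET addresses."""
    flows = []
    # 203.0.113.10: SYN-only probes to 20 ports, the pattern a spoofer can fake freely
    flows += [Flow("203.0.113.10", p, completed=False) for p in range(20, 40)]
    # 198.51.100.7: completed handshakes on 12 ports, which a blind sender cannot forge
    flows += [Flow("198.51.100.7", p, completed=True) for p in range(440, 452)]
    # 192.0.2.55: a single completed connection to a web port, an ordinary client
    flows.append(Flow("192.0.2.55", 443, completed=True))
    return flows


if __name__ == "__main__":
    result = triage(build_sample_flows())
    print("auto-block:", sorted(result["block"]))
    print("unverified (spoofable, hold for corroboration):",
          sorted(result["unverified"]))
```

Run on the constructed sample, the SYN-only scanner lands in the unverified set and only the source that completed handshakes is eligible for automatic blocking. A vendor applying this split would still see the spoofed bank addresses in its telemetry, but would not push them to customers' block rules on that evidence alone, which is the class of false positive the article says banks are now having to clear up vendor by vendor.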