A zero-day vulnerability in Log4j, a logging library commonly used in Java applications, was detected on 9 December 2021. The vulnerability, known as CVE-2021-44228 or “Log4Shell,” enables attackers to execute code remotely and access all data on an infected machine. So far, we have gathered 46 IP addresses from indicator of compromise (IoC) lists found on Pastebin and IBM. Using various domain and IP intelligence sources, we found essential details to help security teams investigate and mitigate this new vulnerability.
You may download the complete list of IoCs and connected domains related to this threat research on our website. We provide more details about the findings below.
Only one of the 46 IP addresses (62[.]210[.]130[.]250) had more than 50 connected domains; it is shared by 101 domains, which we did not include in the analysis. The rest of the IP addresses on the IoC list have between one and eight connected domains each.
We analyzed the attributes of these IP addresses and determined the most common geolocation and ISPs.
The IoCs belong to 33 IP ranges, according to data from IP Netblocks API. The top IP range 45[.]83[.]64[.]1—45[.]83[.]67[.]255 is responsible for nine of the IP addresses on the IoC list and is managed by Alpha Strike Labs GmbH.
IP Geolocation API revealed that 13 or 28% of the IP addresses are geographically located in Germany while 11% are in Sweden. The U.S. and Russia were indicated as the geolocation of 9% of the IP addresses each, while Great Britain and the Netherlands both accounted for 7%. The rest of the IoCs were distributed across 10 other countries, most of which are in Asia and Europe.
Several of the IP addresses belong to DigitalOcean, Inc. and another ISP called “Internet-Research” with the ASN name Alphastrike-Research, a security research organization.
Other ISPs that appeared multiple times on the list were Foreningen Digitala Fri-Och Rattigheter, Linode, LLC and Hostaway. The rest were divided among 17 other ISPs, the most interesting of which is the Massachusetts Institute of Technology (MIT). The presence of CIA Triad Security LLC is also noteworthy, as the ISP is known to operate IP addresses running Tor exit nodes, virtual private networks (VPNs), and other anonymizing services.
One way to see the digital footprint of attackers is to look at the domains resolving to the IP addresses. Reverse IP API helped us do that for all the Log4Shell IoCs, leading us to 151 domain and subdomain connections. String analysis revealed the top 10 top-level domains (TLDs), led by .org.
Common text strings used in the domains and subdomains include “disneyplus,” “plesk,” “log4j,” “tor-exit,” “leakix,” and “probe001.”
Some connected domains were deemed unsafe, having been flagged as malicious by a malware check. These domains are:
Since “log4j” is one of the most-used text strings among the connected domains, we wanted to see the volume of domains and subdomains added since the vulnerability was detected. We found some activity: 38 domains and 32 subdomains were registered within one week of its detection on 9 December 2021.
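The enrichment steps described above (refanging the defanged IoCs, attributing IPs to netblocks, counting TLDs and watched strings among connected domains, and checking registrations within a week of disclosure) as an added Python example that is not part of the original post; every IP, domain, netblock and date below is constructed, and the ISP names are hypothetical.

```python
import ipaddress
from collections import Counter
from datetime import date, timedelta

# Constructed sample data (not the IoCs from the post): defanged IPs as they
# appear in shared IoC lists, and domains in the documentation-reserved space.
DEFANGED_IPS = ["192[.]0[.]2[.]10", "192[.]0[.]2[.]77", "198[.]51[.]100[.]5",
                "203[.]0[.]113[.]9", "203[.]0[.]113[.]200"]
DOMAINS = ["log4j-probe001.example.org", "tor-exit.example.net",
           "plesk.example.org", "leakix.example.com", "www.example.org"]
# Hypothetical netblocks in the same start-end notation the post uses.
NETBLOCKS = {"192[.]0[.]2[.]1-192[.]0[.]2[.]255": "ISP-A (constructed)",
             "203[.]0[.]113[.]1-203[.]0[.]113[.]255": "ISP-B (constructed)"}
KEYWORDS = ["disneyplus", "plesk", "log4j", "tor-exit", "leakix", "probe001"]
DETECTED = date(2021, 12, 9)  # disclosure date cited in the post
# Constructed WHOIS-style records: (domain, creation date)
REGISTRATIONS = [("log4j-probe001.example.org", date(2021, 12, 12)),
                 ("plesk.example.org", date(2020, 3, 1)),
                 ("leakix.example.com", date(2021, 12, 15))]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4', 'hxxp') back into a usable value."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def netblock_counts(ips, netblocks):
    """Count IoCs per owning range; IPs in no listed range land in 'unknown'."""
    parsed = {k: tuple(ipaddress.ip_address(refang(p)) for p in k.split("-"))
              for k in netblocks}
    hits = Counter()
    for ip in ips:
        addr = ipaddress.ip_address(refang(ip))
        owner = next((netblocks[k] for k, (lo, hi) in parsed.items()
                      if lo <= addr <= hi), "unknown")
        hits[owner] += 1
    return hits

def tld_counts(domains):
    """Count top-level domains, the 'top TLDs' view from the post."""
    return Counter(d.rsplit(".", 1)[-1].lower() for d in domains)

def keyword_hits(domains, keywords):
    """Count how many domains contain each watched string (case-insensitive)."""
    return Counter(k for d in domains for k in keywords if k in d.lower())

def registered_within(records, start, days=7):
    """Domains created in [start, start + days], the post's one-week check."""
    end = start + timedelta(days=days)
    return [d for d, created in records if start <= created <= end]

if __name__ == "__main__":
    print(netblock_counts(DEFANGED_IPS, NETBLOCKS))
    print(tld_counts(DOMAINS).most_common(3))
    print(keyword_hits(DOMAINS, KEYWORDS))
    print(registered_within(REGISTRATIONS, DETECTED))
```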
Log4Shell is still a very new vulnerability, and more IoCs may emerge in the coming weeks. Analyzing IoC attributes and connections can help the security community investigate exploits more deeply.
If you’re a cybersecurity researcher or investigator interested in the IP and domain intelligence related to the Log4Shell vulnerability, feel free to contact us.