‘Criminal IP’, a cyber threat intelligence platform of AI Spera


AI Spera, a cyber threat intelligence company, has revealed detection and analysis data about 8,900 attack logs on Log4j (Log4Shell) vulnerabilities (CVE-2021-44228) through its own threat intelligence platform ‘Criminal IP’.

Since domestic and foreign security industries have yet to perfectly respond to Log4j vulnerabilities, it is expected that the attempted attack IP address database provided by AI Spera in conjunction with official patches will prove to be useful for corporate, institutional and national security countermeasures. In particular, our revealed data includes ▲ national statistics ▲ASN statistics ▲ attack log analysis ▲ threat rating of IP addresses that attempted such attacks, which warrants potential hacking defense through blocking IP address that capitalize on Log4j vulnerabilities.

AI Spera update attack IP address data collected by Criminal IP on a daily basis and provide free of charge for securities personnel who are still grappling with the log4j issue. If you contact support@aispera.com, we deliver the latest updated data of the attack IP address so that institutions and companies will be able to secure necessary data to cope with the Log4j attack.

The following is the result of data analysis conducted throughout five days starting from December 14th, (14 days, 18 days, 20 days, 21 days, 22 days consecutively) based on what was collected through Criminal IP, AI Spera’s IP intelligence system,


■ Log4j Vulnerability Attack Statistics

As shown in the table below, the attack log increased about 2.45 times from 963 cases on the 14th to 2,357 cases on the 18th, which demonstrates how the attack methods have become more widespread with increasing instances of search for potential targets over the course of time. However, despite the fluctuations in the number of attacks, it has been confirmed after removing overlapping IP addresses that the unique IP addresses decreased thrice from 245 cases on 12/14 to 65 cases on 12/8 and averaged out at about 50-60 number of cases.

Although a total of 381 unique IP addresses have been detected, 107 IP addresses out of them were shown to attempt continuous attack. To wit, these recurring IP addresses can be viewed as originating from servers that run on automatized attack script. Accordingly, it is highly recommendable for companies using Log4j related services to block these suspicious IP addresses in advance.

Log4j Vulnerability Attack Log Statistics collected through Criminal IP


■ Country statistics

According to statistics sorted by country, 39 out of a total of 381 cases were country-specific with America, Germany, and China respectively topping the chart with other 5 highly ranked countries accounting for as much as 84%. China, recognized by most people as a dangerous IP source country, was also included in the rankings along with the United States, a country commonly identified as an attack scanner IP originator.

Country-specific statistics of Log4j attack IP addresses collected via Criminal IP


■ Tor IP

In addition, it was noted that a percentage of Tor IP addresses were included in the attack IP address data. In addition to being used as a browser, Tor, which has become famous for its dark web, also supports scripts and APIs such as Python, C#, and Go languages, so in numerous cases hackers perform scanning by embedding Tor to codes to execute their attacks. Among the IP addresses used in this log4j attack were also identified actual cases employing the Tor IP addresses. Since Tor IP addresses are often used for attacks, it is recommended to block inbound IP addresses entering in the form of Tor IP addresses in advance.

The Criminal IP search result screen of the actual IP address that attacked the Log4j vulnerability. It is marked as using the Tor IP.


■ Hackers are not the only ones attacking

The following are statistics on ASN Name and Org Name considered as IP address owners. If you look at ASN Name in the United States which has the largest number of attack IP addresses, it is estimated that most of them are hosting or ISP companies that create cloud servers or hosting servers to scan and perform cyber attacks. Especially DigitalOcean servers are conspicuous, which shows that in the past there were frequent hacking attempts in cloud servers such as AWS, which has significantly declined over the recent years with more other hosting server names replacing its place.

Even if it is not a hosting company, an attack was attempted from the Massachusetts Institute of Technology, which could also have been performed by dormitory students purely out of curiosity or either carried out for research purposes in laboratories. Taking a closer look at the ASN name and Org name of the attacker IP address, the latter cases seem to be more plausible. The Org name revealed two IP addresses respectively originated from the Computer Science and Artificial Intelligence University laboratory as well as MIT’s Vice president for Information systems and Technology that go by the system name (Mark Silis). Additionally, IP address of a security testing company named ESecurity was revealed. It follows that not all attacker IP addresses are necessarily traced back to hackers because cases of scannings are also being found in various cybersecurity research institutions.

Classification according to AS Name and Org Name of Log4j Attack IP Address


■ Diversification of attack packets

Various patterns were revealed upon close scrutiny of attack packets. The initial attack style is as follows and is usually characterized by entering a specific value into the User-agent, which is in fact one-dimensional scanning method. Since it is a fairly simple method, the pattern or signature to detect them are rapidly distributed to enable their prompt blockage. Therefore, an increasing number of hackers carry out attacks by circumventing such known method.

The shape of the packet, which is widely used in a bypass method, is as follows. It can be of immense help in creating IDS/IPS signatures.


■ Confirmation in IP Intelligence

Finally, Criminal IP classifies threat ratings for all IP addresses around the world according to 5-step scoring criteria (Safe, Low, Moderate, Dangerous, Critical), and it was confirmed that 87.1% of all IP addresses were classified as Dangerous/Critical. Namely, it can be reasonably assumed that about 87.1% of IP addresses performing log4j attacks have already attacked other agencies or that malicious IP addresses are repeatedly used in similar attacks. Therefore, if you use our Criminal IP intelligence System to receive dangerous IP address data and block incoming IP addresses beforehand, this will be of immense help in mitigating potential log4j attacks.

Level 5 threat rating of Log4j attack IP addresses classified in Criminal IP


■ “If you obtain and block the attack IP address in advance, you can alleviate the hacker’s scanning attack.”

As log4j attacks surface more publicly, it is also noted that the types of attackers and methods are becoming ever more diversified. In particular, hackers are assembling and transmitting newly devised attack packets in order to avert IDS/ IPS signatures. Therefore, if the attack IP address is obtained and blocked in advance, the scanning attack of hackers can be significantly precluded. Since Tor IP addresses are also used to bypass attacks, blocking Tor IP addresses can help you timely respond to attacks.

Furthermore, if you link up IP addresses blockage using the IP intelligence system, it saves you the trouble of having to collect new IP addresses and facilitates automatic response whenever a hacker changes IP addresses and scans them. Originally IDS/ IPS signatures were used to cope because IP addresses were known to continuously change, but recently the attack packets transform themselves too often, which eventually led to a natural reversion towards the former IP address blockage method. This is basically a regressive security process through which IP intelligence system obtains and registers in advance candidate IP addresses that carry out cyber attacks.

Additionally reported were other cases where ASN Name or Org name are merely checked and attacks are initiated for testing/security check purposes. In this case, the IP address does not necessarily need to be blocked, but if it is suspected that even a mock attack could compromise a company’s internal assets, contacting the scanning agency and asking them to remove it from the scanning process is another option.

Also, if the IP intelligence detects ASN Name or Org Name and finds it sending attack packets to not cloud servers or hosting servers but to general operations unrelated to cybersecurity such as manufacturing companies and medical facilities, the scanning in question is in all likelihood not for research purposes but being utilized by hackers after the company server has been infiltrated. Accordingly, it is desirable for the national instigation and investigative bureau to regularly monitor whether cyber attacks are escaping their notice.

This article was written by drawing on data provided by Criminal IP. If you are keen to find out more about specific Criminal IP services as well as beta tester recruitment, feel free to head over to our LANDING PAGE that is NOW open!