Log4j Vulnerability: What Do the IoCs Tell Us So Far?
A new vulnerability in Apache Log4j, tracked as CVE-2021-44228 and nicknamed “Log4Shell,” was publicly disclosed on 9 December 2021, alerting the cybersecurity community to possible remote code execution (RCE) attacks. WhoisXML API analyzed initial IoC lists to shed light on possible artifacts and connections. Among our findings are:
- Use of dedicated IP addresses: Almost all IP addresses on the IoC list have fewer than 10 resolving domains each, suggesting they are dedicated to the attackers rather than shared hosting.
- Top geolocation of the IoCs: A significant number of IP addresses on the IoC list are geolocated in Germany, and the top ISPs are Internet-Research and DigitalOcean.
- 150+ artifacts: More than 150 domains and subdomains resolve to the IoC IP addresses, and some of these have already been reported as “malicious.”
- Text string analysis: Certain TLDs and text strings recur among the connected domains.
- Log4j domain registration trend: More than 60 domains and subdomains were added to the DNS within the week following the vulnerability’s public disclosure.
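The three data-driven findings above (resolving-domain counts per IP, TLD and text-string tallies, and the one-week registration trend) can be reproduced against any passive-DNS export with a few lines of Python. The script below is an example added to this page; it is not WhoisXML API's tooling, and the `RECORDS` table is constructed sample data using reserved names, not real IoCs. The "fewer than 10 domains" threshold and the 9 December 2021 start date are taken from the findings; the keyword list and the hostnames are assumptions for the demo.

```python
"""Triage an IoC list the way the findings above describe.

Added example, not the original research code. RECORDS is a constructed
passive-DNS-style table: (ip, hostname, first_seen_in_dns).
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

DISCLOSURE_DATE = date(2021, 12, 9)   # Log4Shell public disclosure
DEDICATED_THRESHOLD = 10              # finding: fewer than 10 resolving domains per IP
LOG4J_KEYWORDS = ("log4j", "log4shell", "jndi")  # assumed strings of interest

# Constructed sample data: reserved documentation IPs and reserved TLDs only.
RECORDS = [
    ("192.0.2.10", "log4j-scan.example", date(2021, 12, 10)),
    ("192.0.2.10", "jndi-test.test", date(2021, 12, 11)),
    ("192.0.2.20", "rce.log4shell.example", date(2021, 12, 12)),
    ("192.0.2.20", "cdn.log4shell.example", date(2021, 12, 14)),
    ("192.0.2.20", "late.log4shell.example", date(2021, 12, 20)),  # outside the week
    ("192.0.2.20", "static.invalid", date(2021, 11, 1)),           # predates disclosure
]
# One shared-hosting style IP with many unrelated tenants, to contrast with dedicated IPs.
RECORDS += [("198.51.100.5", f"tenant{i}.example", date(2021, 6, 1)) for i in range(25)]


def unique_hosts(records):
    """Distinct hostnames in the record set (an IP may list the same name twice)."""
    return {host for _, host, _ in records}


def domains_per_ip(records):
    """Count distinct hostnames resolving to each IP (reverse-resolution view)."""
    by_ip = defaultdict(set)
    for ip, host, _ in records:
        by_ip[ip].add(host)
    return {ip: len(hosts) for ip, hosts in by_ip.items()}


def likely_dedicated(records, threshold=DEDICATED_THRESHOLD):
    """IPs hosting fewer than `threshold` names: a heuristic for dedicated infrastructure,
    as opposed to CDN or shared-hosting IPs that carry hundreds of unrelated names."""
    return sorted(ip for ip, n in domains_per_ip(records).items() if n < threshold)


def tld_counts(records):
    """Tally the rightmost label of each distinct hostname.
    Naive: does not apply the public-suffix list, so 'co.uk' would count as 'uk'."""
    return Counter(host.rsplit(".", 1)[-1] for host in unique_hosts(records))


def keyword_hits(records, keywords=LOG4J_KEYWORDS):
    """How many distinct hostnames contain each keyword (case-insensitive substring)."""
    hits = Counter()
    for host in unique_hosts(records):
        lowered = host.lower()
        for kw in keywords:
            if kw in lowered:
                hits[kw] += 1
    return hits


def added_within_week(records, start=DISCLOSURE_DATE):
    """Distinct hostnames first seen in DNS from `start` through `start` + 7 days, inclusive."""
    end = start + timedelta(days=7)
    return sorted({host for _, host, seen in records if start <= seen <= end})


if __name__ == "__main__":
    print("resolving domains per IP:", domains_per_ip(RECORDS))
    print("likely dedicated IPs:    ", likely_dedicated(RECORDS))
    print("TLDs:                    ", dict(tld_counts(RECORDS)))
    print("keyword hits:            ", dict(keyword_hits(RECORDS)))
    print("added in the first week: ", added_within_week(RECORDS))
```

On the constructed data the two 192.0.2.x addresses come out as likely dedicated (2 and 4 names) while the 25-tenant 198.51.100.5 does not, and four of the six Log4j-themed names fall inside the disclosure week; the one first seen on 20 December is correctly excluded. On a real export, replace `RECORDS` with the tuples from your passive-DNS provider and swap the TLD split for a public-suffix-aware parser.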
Download the threat research materials containing the data related to the Log4Shell vulnerability now.