In a surprise twist, Bitdefender researchers reported on Friday that after analyzing honeypot data, they found that Western countries such as Germany and the United States were listed as the top sources of the Log4j attacks.
So the threat actors exploiting Log4j are routing their attacks through machines that are closer to their intended targets and just because the Bitdefender researchers didn’t see countries commonly associated with cybersecurity threats such as China and Iran at the top of the list does not mean the attacks did not originate there,” said Martin Zugec, technical solutions director at Bitdefender.
The Bitdefender team said in a blog post that its honeypots were attacked 36,000 times from Dec. 9 to Dec. 16; that more than 50% of the attacks are using The Onion Router (TOR) network to mask true country origin; and that based on endpoint telemetry, the top two countries of origin were Germany, at 34%, and the United States, at 26%. Finally, the lead attack targets were the United States at 48%, followed by the United Kingdom and Canada, both at 8%.
"TOR has long been a fundamental part of the dark web because of its ability to hide user identity and activities, so it’s no surprise cybercriminals frequently use it to launch attacks,” Zugec said. “Also the Western countries don’t actively block TOR networks for non-criminal activities and censorship. A large part of the TOR network is based in Germany, France, and the Netherlands."
According to the researchers, their first thought was that the Western countries are known for hosting infrastructure-as-a-service data centers, so many of these attacks were possibly coming from ephemeral virtual machines. The Bitdefender team started looking at Amazon/Azure/Google Cloud Platform regions and source addresses, but only a small percentage of these attacks originated from the leading cloud service providers.
Next, the researchers identified a significant number of source IPs as exit nodes for TOR. After analyzing the unique source IP addresses, more than 50% were identified as TOR exit nodes. The researchers say this means the attackers are using a network of virtual tunnels to stay anonymous and prevent disclosing their origin location.
The researchers said previously that they understood the impact of Log4j was limited to vulnerable servers. This new vector means that anyone with a vulnerable Log4j version on their machine or local private network can potentially browse a website and trigger the vulnerability. The researchers were also clear: At this point there’s no proof of an active exploit.
Jake Williams, co-founder and chief technology officer at BreachQuest, added that WebSockets have previously been used for port scanning internal systems, but this represents one of the first RCE exploits being relayed by WebSockets.
“This shouldn’t change anyone’s position on vulnerability management,” Williams said. “Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”
Finally, on Wednesday, researchers from Praetorian reported that the second Log4j vulnerability made public on Tuesday by the Apace Foundation which said that attackers could launch a denial of service attack also had the potential for attackers to exfiltrate data.