SecLytics Augur Predicts and Protects Against Log4JShell
First reported in early December, the Log4JShell vulnerability (CVE-2021-44228) allows remote code execution on Apache web servers, used by literally millions of applications. The vulnerability was given a 10 (out of 10) on the Common Vulnerability Scoring System (CVSS) scale by the Apache Software Foundation. The vulnerability is also quick and easy to execute. Hackers need only get the application to log a special string to enable remote code execution. Log4J is one of the highest impact hacks ever reported as it affects organizations like Apple, Twitter, Valve, Tencent, and many other major service providers.
Augur Predicted 3 Malicious Log4J IPs
The following IPs, which Augur predicted to be malicious, were confirmed by third-party security companies to have an association with Log4J CVE.
One of the IPs, 45[.]155[.]205[.]233, is linked to Russia and is actively being used to serve payloads to exploit Log4JShell on vulnerable machines. By blocking this IP early, our clients benefited from significant protection from the Log4JShell vulnerability and the devastating impacts it could have on their network.
Augur Blocking in Action
Log4JShell represents a real-life example of how Augur predicts and blocks malicious IPs. 45[.]155[.]205[.]233 was predicted by Augur to be malicious and blocked well ahead of any third-party confirmation. The IP was first confirmed as malicious and related to Log4JShell by third-party security companies on 12/4/2021 - 18 months after Augur predicted and blocked it.
Augur also detected beaconing attempts to this IP starting 12 months ago in December 2020, but our clients were protected six months ahead of the first detected activity on this IP. We’ve confirmed these findings with a number of our clients. This means the vulnerability was operating in the wild a full 12 months before other security companies identified and confirmed it. So by now, the damage to unprotected organizations may be significant.
Augur Threat Actor Profile
Augur has attributed the IPs above to a threat actor profile which includes a much more extensive cyber criminal infrastructure (which Augur also blocks). That infrastructure has been leveraged by Indrik Spider, also known as Evil Corp. According to CrowdStrike, Indrik Spider is a sophisticated eCrime group that has been operating Dridex since June 2014.
Additionally, the profiled criminal infrastructure has been associated with several malware identifiers as depicted in Figure 1.
Proactive Defense for Better Protection
Reactive threat intelligence solutions only protect against documented threats. Augur’s predictive intelligence looks beyond current threats and leverages machine learning and artificial intelligence to model threat actor behavior - Identifying the build-up of attack infrastructure an average of 51 days before an attack launches. And with a false positive rate of less than 0.01%, you can trust Augur’s predictions - as demonstrated in this case, where protection started nearly 12 months before the first attacks launched and 18 months ahead of the first confirmed reports.
Prove It To Me
We get it. These predictions are startling, and you want to know if they are real. If you’re interested in seeing how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture, email us at firstname.lastname@example.org.
Check Out Augur on our Website
You can learn more about how Augur works here and how it solves real-world security problems here.