{"msupdate": [{"lastseen": "2021-04-13T19:38:28", "bulletinFamily": "microsoft", "cvelist": [], "description": "A security vulnerability exists in Microsoft Outlook 2010 32-Bit Edition that could allow arbitrary code to run when a maliciously modified file is opened. This update resolves that vulnerability.", "edition": 1, "modified": "2021-04-13T17:00:00", "id": "MS:B5DDE899-B600-4700-A3D6-D3BEECD0FF8D", "href": "https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=b5dde899-b600-4700-a3d6-d3beecd0ff8d", "published": "2021-04-13T17:00:00", "title": "Security Update for Microsoft Outlook 2010 (KB4493185) 32-Bit Edition", "type": "msupdate", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2021-04-13T18:27:45", "bulletinFamily": "info", "cvelist": [], "description": "[](<https://thehackernews.com/images/-ZDbOBCrXCdU/YHV49tz28-I/AAAAAAAAA9U/t8xs8R1XaxsRqbpg2YOEz-zwikYzLYigACLcBGAsYHQ/s0/hack.jpg>)\n\nThe [SolarWinds attack](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), which succeeded by utilizing the [sunburst malware](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>), shocked the cyber-security industry. This attack achieved persistence and was able to evade internal systems long enough to gain access to the source code of the victim.\n\nBecause of the far-reaching SolarWinds deployments, the perpetrators were also able to infiltrate many other organizations, looking for intellectual property and other assets.\n\nAmong the co-victims: US government, government contractors, Information Technology companies, and NGOs. An incredible amount of sensitive data was stolen from several customers after a trojanized version of SolarWinds' application was installed on their internal structures.\n\nLooking at the technical capabilities of the malware, as you will see, this particular attack was quite impressive. 
A particular file, named _SolarWinds.Orion.Core.BusinessLayer.dll_, is a SolarWinds digitally signed component of the Orion software framework.\n\nThe threat actors installed a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands, called \"Jobs,\" which include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.\n\nSo how could one protect the organization from Sunburst or a similar attack? Supply chain attacks have the advantage of establishing an initial foothold under the guise of a trusted third party. But that's where the distinction ends; from there on, they progress like any other attack, and they can be detected if we know where to look. \n\n**Developing SIEM rules, using the SolarWinds attack as an example**\n\nLet's start with Sigma rules; these create a sort of common language for creating and sharing quality queries regardless of the SIEM your organization uses. The [Cymulate](<https://cymulate.com/?utm_source=PaidPR&utm_campaign=HackerNewsQ2-2021>) platform will produce Sigma Rules for you to download these queries to your SIEM. This will enable Security Operations teams to build out the elements needed to detect future attacks. As you can see below in the 3 examples, the Sigma Rule is the same, yet the custom query is specifically for that SIEM's language. 
At the click of a button, you can switch to your preferred SIEM.\n\nExample 1: Splunk: \n\n[](<https://thehackernews.com/images/-2IMblMaOei8/YHV0ADMjEWI/AAAAAAAAA8M/pG-I0qFcdRIr_PO7MDhom0RCJWxDhkljwCLcBGAsYHQ/s0/1.jpg>)\n\nExample 2: QRadar:\n\n[](<https://thehackernews.com/images/-iMIEyQdCxHs/YHV0AwOIRpI/AAAAAAAAA8U/M9pPCHmJY2k4i5Tn8Z0kDBdh7wUig7UkwCLcBGAsYHQ/s0/3.jpg>)\n\nExample 3: Azure Sentinel:\n\n[](<https://thehackernews.com/images/-maEvLf3Da_E/YHV0Amoq8mI/AAAAAAAAA8Q/F4LUEy7ycs87i5od_yV5QsWmzYVUry2AACLcBGAsYHQ/s0/2.jpg>)\n\nAlthough Sigma rules are designed mostly for queries, one can use them to build a full anti-attack-chain SIEM or EDR rule. In the case of the SolarWinds Sunburst attack and many other attacks, Cymulate Sigma Rules are queries that search for the IOBs of the attack. Each Sigma rule will query the SIEM for an IOB of one stage of the attack.\n\nWhen the IOBs from the Sigma rules are combined, they can result in a specific rule for the target system \u2013 something that can, with a high degree of confidence, point out the attack without \"reinventing the wheel\" all over again. All the required IOBs are in place \u2013 in the Sigma rules \u2013 you just need to reach out your hand and take them.\n\nLet's look at the specific case of a recreated SolarWinds attack on the Windows platform and hunt it together.\n\n## Hunting SolarWinds on Microsoft Windows\n\nThe Cymulate Platform provides us the capability to replicate the supply chain attack, which starts with an Exchange server mailbox export. The subsequent stages of the attack, available in the Cymulate platform to simulate the attack, can be seen in the screenshot.\n\nThe first event will not trigger any Windows event, but it will be written in various network logs. Since the event itself cannot be very specific, we will leave it as optional for placement in a general rule. 
Let's continue.\n\n[](<https://thehackernews.com/images/-M1gSTkgheTo/YHV04F3_1QI/AAAAAAAAA8k/1H0ZSPDTb3kVK7NG8lOKmmZGhuEW5C67QCLcBGAsYHQ/s0/4.jpg>)\n\nThe next event in the attack is downloading content with PowerShell. Such an event can be monitored with Windows Event IDs 4103 and 4104, which can also show the actual code being run, but we don't want to limit ourselves to a specific method because, let's face it: PowerShell is not the only tool an attacker can use.\n\nWhat is common to all tools is that while downloading content, an object is created in the system, and for that, there is a Windows Event ID 4663 with an indicator of Access mask 0x1 or, if you use Sysmon, Event ID 11.\n\nBelow is a general screenshot of a 4663 Event ID with the relevant fields highlighted. This is the event that the Cymulate Sigma rule detects, and it is also the first IOB in the rule that we will create. You can find more on this Event ID [here](<https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663>).\n\n[](<https://thehackernews.com/images/-lx1rd0O0H8o/YHV087SRXYI/AAAAAAAAA8o/uVpeOehduQwNeIdsJeXjTg5PE5NpOUdgwCLcBGAsYHQ/s0/hack.jpg>)\n\nNext in line is the following stage of the attack: _Task Scheduler: Masquerading Tasks triggered on the Windows lock screen for lateral movement._ Once again, it is irrelevant exactly which Tasks are being masqueraded; what is important is that there are Windows Event IDs that can help us identify this chain of events.\n\nThe Event IDs are:\n\n> 4698 - Scheduled task created.\n> \n> 4700 - Scheduled task enabled.\n> \n> 4702 - Scheduled task updated.\n> \n> 4699 - Scheduled task removed.\n\nWhat is relevant for us is, of course, 4698, as this will pop up when a new task is created. Events of updating, enabling and/or removing a task are a good enhancement but optional. 
Personally, I would recommend adding an option of 4699, since there is always a possibility that the attacker would like to remove the task after completion to cover his tracks.\n\nSo, what we will want as the minimal requirement is 4698 with a set of specific regexes on the \"Command\" field of the event that match known executable types, for example:\n\n> '.exe', '.py', '.ps1', '.msi', '.msp', '.mst', '.ws', '.wsf', '.vb', '.vbs', '.jst', '.cmd', '.cpl'\n\nFor complex cases, regular expressions, such as those below, can be used: \n\n 1. '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$' \n 2. '^([A-Za-z0-9 \\/]{4})*([A-Za-z0-9 \\/]{3}=|[A-Za-z0-9 \\/]{2}==)?$'\n\nPay special attention to the last two IOBs (regexes): these match a base64 pattern. Although \"Scheduled Task\" receives a string as an input, it is possible to write in it an obfuscated/encrypted form of a command. For example, \"python\" as the command and \"base64.b64decode(_some base64 payload_)\" as the argument, thus effectively turning your task into a \"decode base64 payload\" tool.\n\nOnce again, all the indicators can be found in the Sigma Rules supplied by Cymulate. We will call this list and other upcoming lists of IOBs just the \"relevant IOB list\" for the purpose of convenience. Below is the general view of the 4698 Event ID for creating a new task.\n\n[](<https://thehackernews.com/images/-rth1B19vjDU/YHV1RAuJ5GI/AAAAAAAAA80/2oPqU37Rw586v8ch6ruewKznVU0TZq2xwCLcBGAsYHQ/s0/5.jpg>)\n\nSo, by now, we have covered two events in the chain. These should occur on the same machine and with the same username. After that, the process in your task will be executed, resulting in a 4688 Event ID with Creator Process name: TaskScheduler or TaskScheduler.dll or taskeng.exe (depending on the Windows build you use), and _New Process Name_ will have one of those IOBs from the executables list. 
So, at this stage, our Rule looks like this:\n\n> (4663 + Access mask 0x1)\ud83e\udc6a (4698 and relevant IOB list)\ud83e\udc6a (4688+list of relevant Creator Process name + list of relevant IOBs as part of New process Name)\n\nOR\n\n> (4663 + Access mask 0x1 or Sysmon 11)\ud83e\udc6a [(4698 + relevant IOB list) \ud83e\udc6a(4688+(TaskScheduler.dll or taskeng.exe))]\n> \n> The \ud83e\udc6a sign represents the \"followed by\" operation.\n\nThe next stage in the attack is running a DLL file with rundll32. This is a simple IOB, which, by the way, can be run in a previous step as well. In this specific case it is 4688+rundll32. \n\nNext is _ADFind : Enumerating an AD Group using ADFind Masqueraded as csrss.exe_. This step is a bit tricky. During this step an attacker masquerades his enumeration tool as some legitimate file. However, before this can happen, the illegitimate file has to be written somewhere on one of your drives (preferably in the system folder) with the legitimate name.\n\nIn this specific case it is csrss.exe, but there is quite a large number of file names that could be used for the same purpose, for example:\n\n> svchost.exe, rundll32.exe, services.exe, powershell.exe, regsvr32.exe, spoolsv.exe\n> \n> lsass.exe, smss.exe, csrss.exe, conhost.exe, wininit.exe, winlogon.exe, explorer.exe\n> \n> taskhost.exe, Taskmgr.exe, sihost.exe, RuntimeBroker.exe, smartscreen.exe \n\nAgain, no need to search for all of them; they are already supplied in the relevant Sigma rule.\n\nBelow is an example of one possible Sigma rule for this specific step, which detects the creation of a file with one of the names specified above but with a hash that differs from the original. Whether overwriting a system file or creating a new path, it will still result in a 4663 Event ID (or Sysmon Event ID 11), and one of the names below will be found in the payload. 
\n\n[](<https://thehackernews.com/images/-2n_X_ZJeOE8/YHV1ugMQPLI/AAAAAAAAA88/e0X979HIsy0b4OhxNPwq5EAgk3ort_Y9QCLcBGAsYHQ/s0/6.jpg>)\n\nWorking with system files also requires privileged access, so there inevitably will be privilege escalation, which is also documented as 4688 Event ID (file access) and Token Elevation Type of %%1936 or %%1937, which are types for system and administrator access respectively.\n\nBelow is a screenshot of the 4688 Event ID with the relevant fields highlighted.\n\n[](<https://thehackernews.com/images/-CQtK-jAdvUs/YHV17Ld6ruI/AAAAAAAAA9A/TiRvJ5H3oZAQtPFs-iK9aGCYnr5MBD09QCLcBGAsYHQ/s0/7.jpg>)\n\nOptionally, you could search for the 4672 Event ID with any of the privilege escalation strings, but the event of privilege escalation can happen at any step in the attack. We recommend a separate rule for this, which should be correlated with the rule we are building.\n\nLet's take a look at our rule at this stage: \n\n> (4663 + Access mask 0x1 or Sysmon 11)\ud83e\udc6a [(4698 + relevant IOB list) \ud83e\udc6a(4688+(TaskScheduler.dll or taskeng.exe)) \ud83e\udc6a (4688 and rundll32) \ud83e\udc6a (4663 or Sysmon 11 + generic list of system files) \ud83e\udc6a (4688 and 1 of files in list and Token Elevation Type (%%1936 OR %%1937))]\n\nThe next step is \"_Execute base64-encoded PowerShell from Windows Registry_\". What happens here is that an attacker executes obfuscated code previously written into a registry value. Naturally, before this can happen, the attacker needs to create a new registry value or modify an existing one.\n\nWindows Event ID 4657 with a value matching the base64 pattern (which can be identified with the regexes we have already seen in a preceding step) can help identify this step. The event can include \"Existing registry value modified\" or \"Creating new registry value\" as the _Operation Type. 
_All the IOBs, as mentioned before, can be obtained from the supplied Sigma Rules.\n\nThis event can show you other valuable information, such as:\n\n**1)** What key was involved.\n\nThe format is: \\REGISTRY\\HIVE\\PATH where:\n\nHIVE:\n\n * HKEY_LOCAL_MACHINE = \\REGISTRY\\MACHINE\n * HKEY_CURRENT_USER = \\REGISTRY\\USER\\\\[USER_SID], where [USER_SID] is the SID of the current user.\n * HKEY_CLASSES_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\n * HKEY_USERS = \\REGISTRY\\USER\n * HKEY_CURRENT_CONFIG = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current\n\n**2)** What is the originating process. \n**3)** What are the old value and the new value. \n\nBelow you can view a general representation of the 4657 Event ID.\n\nTaking into account possible timeframes, since the entire operation will probably be scripted, we can safely say that if successful, steps 2-6 will take no more than 5 seconds. The entire chain until execution of the code stored in the registry should take no more than 10 minutes.\n\n[](<https://thehackernews.com/images/-Zrdi1lCrNgU/YHV2KH_NMvI/AAAAAAAAA9I/_CMsepRDV7kVT7gt3sorL8UDmZQttXCGwCLcBGAsYHQ/s0/8.jpg>)\n\nAfter adding those variables, what we have is a chain of events that can be correlated:\n\n 1. It will all originate on one machine.\n 2. It will be started as the same user.\n 3. 
The operational rule will look like this:\n\n> {\n> \n> (4663 + Access mask 0x1 or Sysmon 11)\ud83e\udc6a \n> \n> [ (4698 + relevant IOB list) \ud83e\udc6a\n> \n> (4688+(TaskScheduler.dll or taskeng.exe)) \ud83e\udc6a \n> \n> (4688 and rundll32) \ud83e\udc6a\n> \n> (4663 or Sysmon 11 + generic list of system files) \ud83e\udc6a \n> \n> (4688 and 1 of files in list and Token Elevation Type(%%1936 OR %%1937))\ud83e\udc6a (4657 + New value created OR existing value modified + base64 matching pattern in value, in time frame up to 5s)] \n> \n> in time frame of 10 mins\n> \n> }\n\nSo now, if you have built this SIEM or EDR rule using Cymulate-provided Sigma rules, and you see an alert from it \u2013 there is a good chance you are experiencing the SolarWinds attack right now.\n\nIf you still have doubts, you can enhance the rule even further by adding the next two stages as optional ones. These are _Exchange Server Mailbox Export Cleanup_ and _Exchange Exfiltration using basic HTTP Request_, respectively.\n\nEven though Windows doesn't have a built-in Event ID for HTTP/S requests, there will always be {4660 on mailbox\ud83e\udc6a (HTTP request + 4663 of filename.zip/rar/tar/other)}. To obtain events for HTTP/S requests, additional systems, for example a network traffic analysis system, can assist here.\n\n## Optimize your Security Operations with Cymulate and Sigma Rules \n\nAs you have seen in the breakdown of this particular attack, you can use IOBs in Sigma Rules. This will help your security operations to challenge, assess, measure, and optimize. This can easily be accomplished with the Cymulate platform in all areas. The steps shown in this article are meant to help with that optimization and guide you through how to prevent a SolarWinds-type attack. As you have seen from the Cymulate platform, a scenario, whether simple or complex, can assist with optimizing your SIEM or EDR rules. 
This will enhance your organization's security against the most sophisticated threats with low effort.\n\nGood Hunting to you!\n\nAnd as they say in the Hunger Games, \"may the odds be ever in your favor.\" \n\nThis article was written by Michael Ioffe, Senior Security Researcher at [Cymulate](<https://cymulate.com/?utm_source=PaidPR&utm_campaign=HackerNewsQ2-2021>).\n", "modified": "2021-04-13T17:21:31", "published": "2021-04-13T11:01:00", "id": "THN:B02AF37FB992C78513120E5D5B68FBF7", "href": "https://thehackernews.com/2021/04/detecting-next-solarwinds-attack.html", "type": "thn", "title": "Detecting the \"Next\" SolarWinds-Style Cyber Attack", "cvss": {"score": 0.0, "vector": "NONE"}}], "rst": [{"lastseen": "2021-04-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **maverificationsup[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **52**.\n First seen: 2021-04-09T03:00:00, Last seen: 2021-04-12T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 23[.]202.231.167,23.217.138.108\nWhois:\n Created: 2020-07-22 06:00:10, \n Registrar: NAMECHEAP INC, \n Registrant: WhoisGuard Inc.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-04-09T00:00:00", "id": "RST:ECE60863-4700-380B-B6D9-40A51D443734", "href": "", "published": "2021-04-13T00:00:00", "title": "RST Threat feed. 
IOC: maverificationsup.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **unicornoffshoreinvestments[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-04-12T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 66[.]147.238.208\nWhois:\n Created: 2018-08-25 16:36:20, \n Registrar: PDR Ltd dba PublicDomainRegistrycom, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:4508DE3D-4700-3824-A407-B57B5DAEEC7E", "href": "", "published": "2021-04-13T00:00:00", "title": "RST Threat feed. IOC: unicornoffshoreinvestments.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **http://112[.]72.162.159:4700/mozi.m** in [RST Threat Feed](https://rstcloud.net/profeed) with score **19**.\n First seen: 2021-01-05T03:00:00, Last seen: 2021-04-12T03:00:00.\n IOC tags: **malware**.\nIt was found that the IOC is used by: **mozi**.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-05T00:00:00", "id": "RST:8DC83EE8-67C3-3105-B1D4-053912537083", "href": "", "published": "2021-04-13T00:00:00", "title": "RST Threat feed. IOC: http://112.72.162.159:4700/mozi.m", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-10T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **cykyqrpomfks[.]ru** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-11-02T03:00:00, Last seen: 2021-04-10T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. 
Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-11-02T00:00:00", "id": "RST:045AB735-4700-31CB-A093-23325FE07CCE", "href": "", "published": "2021-04-12T00:00:00", "title": "RST Threat feed. IOC: cykyqrpomfks.ru", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-10T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **pyg6rtnkq[.]iiniamoca-news.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-11-02T03:00:00, Last seen: 2021-04-10T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-11-02T00:00:00", "id": "RST:9AF2F1BC-4700-3F7C-9BEC-7097548ADD21", "href": "", "published": "2021-04-12T00:00:00", "title": "RST Threat feed. IOC: pyg6rtnkq.iiniamoca-news.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-10T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **hn57f0i-c[.]pheikmajide.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-11-02T03:00:00, Last seen: 2021-04-10T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-11-02T00:00:00", "id": "RST:9D9C198D-4700-392F-A0EF-15EDA9AA11BC", "href": "", "published": "2021-04-12T00:00:00", "title": "RST Threat feed. 
IOC: hn57f0i-c.pheikmajide.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-04T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **76[.]164.52.102** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **3**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-04-04T03:00:00.\n IOC tags: **generic**.\nASN 23465: (First IP 76.164.51.0, Last IP 76.164.53.255).\nASN Name \"NUTELECOM\" and Organisation \"NUTelecom\".\nASN hosts 226 domains.\nGEO IP information: City \"Prior Lake\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:1CD62747-4700-3EB8-A46B-6EF62BFCAA31", "href": "", "published": "2021-04-12T00:00:00", "title": "RST Threat feed. IOC: 76.164.52.102", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-09T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **117[.]218.245.194** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-11-23T03:00:00, Last seen: 2021-04-09T03:00:00.\n IOC tags: **shellprobe, generic**.\nASN 9829: (First IP 117.218.196.0, Last IP 117.219.225.255).\nASN Name \"BSNLNIB\" and Organisation \"National Internet Backbone\".\nASN hosts 3401 domains.\nGEO IP information: City \"Coimbatore\", Country \"India\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-11-23T00:00:00", "id": "RST:AA4FA79A-4700-3377-A830-C4056DD38083", "href": "", "published": "2021-04-10T00:00:00", "title": "RST Threat feed. 
IOC: 117.218.245.194", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-25T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **182[.]155.118.118** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **2**.\n First seen: 2020-02-25T03:00:00, Last seen: 2021-03-25T03:00:00.\n IOC tags: **shellprobe**.\nASN 17809: (First IP 182.155.0.0, Last IP 182.155.255.255).\nASN Name \"VEETIMETWAP\" and Organisation \"VEE TIME CORP\".\nASN hosts 223 domains.\nGEO IP information: City \"Taichung City\", Country \"Taiwan\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-02-25T00:00:00", "id": "RST:14485634-4700-3F75-A22B-E1F19C4550E9", "href": "", "published": "2021-03-26T00:00:00", "title": "RST Threat feed. IOC: 182.155.118.118", "type": "rst", "cvss": {}}, {"lastseen": "2020-11-24T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **109[.]74.53.248** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **4**.\n First seen: 2020-02-09T03:00:00, Last seen: 2020-11-24T03:00:00.\n IOC tags: **generic**.\nASN 50261: (First IP 109.74.48.0, Last IP 109.74.63.255).\nASN Name \"ACENET\" and Organisation \"\".\nASN hosts 4700 domains.\nGEO IP information: City \"Budapest\", Country \"Hungary\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-02-09T00:00:00", "id": "RST:E59CF8E9-1349-33D3-AB1A-8BC0DF333F40", "href": "", "published": "2021-03-05T00:00:00", "title": "RST Threat feed. IOC: 109.74.53.248", "type": "rst", "cvss": {}}]}