{"rst": [{"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **louissvuittonhandbagss[.]co.uk** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **spam**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:C9187F5A-5380-3701-B355-91D0DA5C1375", "href": "", "published": "2021-03-02T00:00:00", "title": "RST Threat feed. IOC: louissvuittonhandbagss.co.uk", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-01T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **85[.]208.87.84** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **20**.\n First seen: 2020-09-06T03:00:00, Last seen: 2021-03-01T03:00:00.\n IOC tags: **generic**.\nASN 46844: (First IP 85.208.85.0, Last IP 85.208.87.255).\nASN Name \"STBGP\" and Organisation \"Sharktech\".\nASN hosts 805602 domains.\nGEO IP information: City \"\", Country \"Russia\".\nIOC could be a **False Positive** (May be a Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-09-06T00:00:00", "id": "RST:48182E57-5380-3256-A1EA-121A0F04D931", "href": "", "published": "2021-03-02T00:00:00", "title": "RST Threat feed. IOC: 85.208.87.84", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-01T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **91[.]200.125.75** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **1**.\n First seen: 2019-11-27T03:00:00, Last seen: 2021-03-01T03:00:00.\n IOC tags: **generic**.\nASN 43312: (First IP 91.200.124.0, Last IP 91.200.127.255).\nASN Name \"ILANAS\" and Organisation \"\".\nASN hosts 25 domains.\nGEO IP information: City \"\", Country \"Ukraine\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-11-27T00:00:00", "id": "RST:41B6CCD8-5380-3C87-81FB-D982138827F6", "href": "", "published": "2021-03-02T00:00:00", "title": "RST Threat feed. IOC: 91.200.125.75", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-01T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **52[.]9.71.221** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-01T03:00:00.\n IOC tags: **generic**.\nASN 16509: (First IP 52.8.0.0, Last IP 52.19.255.255).\nASN Name \"AMAZON02\" and Organisation \"Amazoncom Inc\".\nThis IP is a part of \"**amazon_cloud_ec2**\" address pools.\nASN hosts 14742129 domains.\nGEO IP information: City \"\", Country \"United States\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:E5B63230-5380-3AE3-8892-5DC0AB261C09", "href": "", "published": "2021-03-02T00:00:00", "title": "RST Threat feed. IOC: 52.9.71.221", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **ntennt[.]cricket** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 23[.]202.231.167,23.217.138.108\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:CEF3353A-5380-3672-B49C-92766FD4BF1D", "href": "", "published": "2021-03-02T00:00:00", "title": "RST Threat feed. IOC: ntennt.cricket", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-24T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **security-services-verifypayee[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **61**.\n First seen: 2021-02-24T03:00:00, Last seen: 2021-02-24T03:00:00.\n IOC tags: **phishing**.\nDomain has DNS A records: 198[.]54.116.118\nWhois:\n Created: 2021-02-23 17:11:55, \n Registrar: NameCheap Inc, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-24T00:00:00", "id": "RST:F5C532D7-5380-3B90-ACB1-B21F005C734F", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: security-services-verifypayee.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **10x-bitco[.]in** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **cryptomining**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:91FDFDBB-5380-3318-94F2-749C27F24905", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: 10x-bitco.in", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 play.yo.onvid.cl** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:E4F080A7-5380-36CB-A9D9-7B5D41D059E3", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. IOC: 0.0.0.0 play.yo.onvid.cl", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 web.api.bitcoin.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nWhois:\n Created: 2008-01-04 14:15:06, \n Registrar: NameCheap Inc, \n Registrant: unknown.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:C35800A9-5380-35DF-A418-77AD09E751A0", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. IOC: 0.0.0.0 web.api.bitcoin.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 seo2.coinww38.coinhive.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nWhois:\n Created: 2012-12-01 15:08:00, \n Registrar: ENOM INC, \n Registrant: REDACTED FOR PRIVACY.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:C324DD43-5380-36FA-9EAA-FF0F54B60303", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. IOC: 0.0.0.0 seo2.coinww38.coinhive.com", "type": "rst", "cvss": {}}], "ics": [{"lastseen": "2021-02-27T13:45:25", "bulletinFamily": "info", "cvelist": ["CVE-2021-22681"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 10.0**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor:** Rockwell Automation\n * **Equipment: **Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers\n * **Vulnerability: **Insufficiently Protected Credentials\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller\u2019s configuration and/or application code.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of Rockwell software are affected:\n\n * RSLogix 5000: Versions 16 through 20\n * Studio 5000 Logix Designer: Versions 21 and later\n\nThe following Rockwell Logix Controllers are affected:\n\n * CompactLogix 1768\n * CompactLogix 1769\n * CompactLogix 5370\n * CompactLogix 5380\n * CompactLogix 5480\n * ControlLogix 5550\n * ControlLogix 5560\n * ControlLogix 5570\n * ControlLogix 5580\n * DriveLogix 5560\n * DriveLogix 5730\n * DriveLogix 1794-L34\n * Compact GuardLogix 5370\n * Compact GuardLogix 5380\n * GuardLogix 5570\n * GuardLogix 5580\n * SoftLogix 5800\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522](<https://cwe.mitre.org/data/definitions/522.html>)\n\nStudio 5000 Logix Designer uses a key to verify Logix controllers are communicating with the affected Rockwell Automation products. The product is vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Logix controllers.\n\n[CVE-2021-22681](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22681>) has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** United States\n\n### 3.4 RESEARCHER\n\nThe vulnerability was independently co-discovered by Lab. of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and Sharon Brizinov and Tal Keren of Claroty.\n\n## 4\\. MITIGATIONS\n\nRockwell encourages users to combine its specific risk mitigation recommendations with general security guidelines for a comprehensive defense-in-depth strategy.\n\nRockwell recommends users requiring setup or deployment guidance for CIP Security should refer to the deployment reference guide. Users can also refer to [Rockwell Automation\u2019s System Security Design Guidelines](<https://literature.rockwellautomation.com/idc/groups/literature/documents/rm/secure-rm001_-en-p.pdf>) on how to use Rockwell Automation products to improve the security of their industrial automation systems. The authentication vulnerability does not affect CIP Security.\n\nTo reduce risk, Rockwell recommends users ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the [Converged Plantwide Ethernet (CPwE) Design and Implementation Guide](<https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf>) for best practices for deploying network segmentation, as well as broader defense-in-depth strategies.\n\nAdditionally, Rockwell recommends users follow the following risk mitigation and recommended user actions for the following product family and versions:\n\n * ControlLogix 5580 v32 or later: \n * Put controller\u2019s mode switch to \u201cRun\u201d mode.\n * If the above cannot be deployed, the followings mitigations are recommended: \n * Deploy CIP Security for Logix Designer connections through the front port. CIP Security prevents unauthorized connection when deployed properly.\n * If not using the front port, use a 1756-EN4TR ControlLogix Ethernet/IP Module and deploy CIP Security. The 1756-EN4TR supports CIP Security which prevents unauthorized connections when properly deployed.\n * ControlLogix 5580 v31: \n * Put controller\u2019s mode switch to \u201cRun\u201d mode.\n * If the above cannot be deployed, the following mitigations are recommended: \n * Apply v32 or later and follow mitigations actions outlined above.\n * If unable to apply a newer version, use a 1756-EN4TR ControlLogix EtherNet/IP Module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.\n * ControlLogix 5570 v31 or later: \n * Put controller\u2019s mode switch to \u201cRun\u201d mode.\n * If the above cannot be deployed, the following mitigations are recommended: \n * Use a 1756-EN4TR ControlLogix EtherNet/IP Module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.\n * ControlLogix 5580 v28-v30, ControlLogix 5570 v18 or later, ControlLogix 5560 v16 or later, ControlLogix 5550 v16, GuardLogix 5580 v31 or later, GuardLogix 5570 v20 or later, GuardLogix 5560 v16 or later, 1768 CompactLogix v16 or later, 1769 CompactLogix v16 or later, CompactLogix 5370 v20 or later, CompactLogix 5380 v28 or later, CompactLogix 5480 v32 or later, Compact GuardLogix 5370 v28 or later, Compact GuardLogix 5380 v31 or later, FlexLogix 1794-L34 v16, DriveLogix 5370 v16 or later. \n * Put controller\u2019s mode switch to \u201cRun\u201d mode.\n * SoftLogix 5800: No additional mitigation available. Follow the [Converged Plantwide Ethernet (CPwE) Design and Implementation Guide](<https://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf>).\n\nIn addition, Rockwell recommends users employ the following methods to detect changes to configuration or application files:\n\n * Monitor controller change log for any unexpected modifications or anomalous activity.\n * If using v17 or later, utilize the Controller Log feature.\n * If using v20 or later, utilize Change Detection in the Logix Designer Application.\n * If available, use the functionality in Factory Talk AssetCentre to detect changes.\n\nRockwell Automation has published a [security advisory](<https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130301>) that further describes how this vulnerability affects the Studio 5000 Logix Designer software and associated controllers.\n\nRequests for additional information can be sent to the Rockwell RASecure Inbox ([rasecure@ra.rockwell.com](<mailto:rasecure@ra.rockwell.com>)).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03>); we'd welcome your feedback.\n", "modified": "2021-02-25T00:00:00", "published": "2021-02-25T00:00:00", "id": "ICSA-21-056-03", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-056-03", "type": "ics", "title": "Rockwell Automation Logix Controllers", "cvss": {"score": 0.0, "vector": "NONE"}}]}
