Securonix Threat Labs Lapsus$ Detection

By Securonix Threat Labs

Updated March 29, 2022

Introduction

A known threat actor group, Lapsus$, has shown evidence that they compromised Okta over two months ago. Okta confirmed a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. 

The compromise would have given the attacker access to end-user authentication credentials to access various services and systems. The threat actor will likely only have shared the information because their access had already been found and blocked — or they would lose it by publicizing the breach.

The activity could possibly be seen as a few static IOCs, Okta authentication logs potentially showing suspicious activity, as well as logs of potential target systems and services that Okta provides access to. Most of the activity from the compromise would resemble malicious insider activity.

Securonix Threat Labs has been monitoring this situation and has provided the following detection spotter queries and IOCs for customers. 

Note: If you are an Autonomous Threat Sweeper subscriber, all of the below TTPs and IOCs have been swept and a summary detection report has been shared with the recipients.

Policy Name

Signature ID

Description

Potential Administrator Role Manipulation in Okta CSSO-OKT-891-RU CLO-OKT1-RUN detects Groups or User admin privilege grant events. This can be used to audit the provisioning of admin privileges for groups and users. When fired, this event contains information about the type of admin privileges the group currently has, and what entity sources the group. The group granted privileges can be an Okta-sourced group, and AD-sourced group, or an LDAP-sourced group or  type of admin privileges the user currently has.
Attempt To Create Or Revoke Okta API Token CSSO-OKT-892-RU CLO-OKT2-RUN detects an attempt to create an Okta API token that can be used for persistence in an organization’s network, create new users and notify security controls.
Attempt To Modify Okta CSSO-OKT-893-RU CLO-OKT3-RUN detects an attempt to modify the Okta application and change security controls.
Attempt To Modify Okta Sign-on Policy CSSO-OKT-894-RU CLO-OKT4-RUN detects an attempt to modify the Okta Sign-on Policy. An adversary can use this to change security controls.
Attempt To Modify Okta Multi-factor Authentication CSSO-OKT-895-RU CLO-OKT5-RUN detects an attempt to modify the Okta MFA. An adversary can use this to change security controls.
Attempt To Modify Okta Network Zone CSSO-OKT-896-RU CLO-OKT6-RUN detects an attempt to modify Okta Network Zone. An adversary can use this to change security controls.
Attempt To Modify Okta Policy CSSO-OKT-897-RU CLO-OKT7-RUN detects an attempt to modify the Okta policy. An adversary can use this to change security controls.
Attempt To Modify Okta Policy Rule CSSO-OKT-898-RU CLO-OKT8-RUN detects an attempt to modify the Okta policy rule. An adversary can use this to change security controls.
Potential Malicious Request on Okta CSSO-OKT-899-RU CLO-OKT9-RUN detects a malicious request from an IP that was identified by Okta ThreatInsight. This can be used to monitor and act on credential based attacks (such as Brute Force, Password Spray) on your organization.
Potential Unauthorized Access to Okta CSSO-OKT-900-RU CLO-OKT10-RUN detects an unauthorized access to Okta.
Potential Brute Force Attempt on Okta CSSO-OKT-901-RU CLO-OKT11-RUN detects an Okta account lock event that indicates a brute force attack.
Potential Bypass Attempt on Okta MFA CSSO-OKT-902-RU CLO-OKT12-RUN detects attempts to bypass Okta multi-factor authentication.
Potential Denial of Service Activity on Okta CSSO-OKT-903-RU CLO-OKT13-RUN detects a potential DoS attack.
Suspicious Activity On Okta Account CSSO-OKT-904-RU CLO-OKT14-RUN detects suspicious activity that is reported by Okta user.
Potential Malicious User-Impersonation in Okta CSSO-OKT-905-RU CLO-OKT20-RUN detects User-Impersonation activity. A user can initiate a session impersonation granting them access to the environment with the permissions of the user they are impersonating. Only a super admin can enable User-Impersonation for only 8 hours and extend in 24-hour increments during a support case.
Suspicious Password Reset or Unlock Attempts in Okta CSSO-OKT-906-BP CLO-OKT15-BPI detects a spike in Okta user password attempts.
Suspicious Failed Authentication Attempts CSSO-OKT-907-BP CLO-OKT16-BPI detects a spike in failed authentication attempts from single IP.
Suspicious MFA Push Notifications Attempts in Okta CSSO-OKT-908-BP CLO-OKT17-BPI detects a spike in Okta MFA push notifications.
Suspicious Login Attempts With Invalid User CSSO-OKT-909-BP CLO-OKT18-BPI detects a spike in Okta login attempts with an unknown username.
Potential Password Spray Attack CSSO-OKT-910-BP CLO-OKT19-BPI detects a password spray attack in Okta system logs.

 

Activity: Potential Administrator Role Manipulation 

Description: This detects a group’s or user’s admin privilege grant events and can be used to audit the provisioning of admin privileges for groups and users. When fired, this event contains information about the type of admin privileges the group currently has and what entity sources the group. The group that is granted privileges can be an Okta-sourced group, an AD-sourced group, or an LDAP-sourced group or type of admin privileges the user currently has.

Omega UUID: CLO-OKT1-RUN

References:   

  • “https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml”
  • “https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm”
  • https://developer.okta.com/docs/reference/api/system-log/
  • “https://developer.okta.com/docs/reference/api/event-types/”

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "group.privilege.grant" OR devicecustomstring4 = "user.account.privilege.grant")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "group.privilege.grant" OR customstring38 = "user.account.privilege.grant")

Activity: Attempt To Create Or Revoke Okta API Token 

Description: This detects an attempt to create an Okta API token that can be used for persistence in the organization’s network, create new users and notify security controls.

Omega UUID: CLO-OKT2-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "system.api_token.create" OR devicecustomstring4 = "system.api_token.revoke")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "system.api_token.create" OR customstring38 = "system.api_token.revoke")

Activity: Attempt To Modify Okta Application 

Description: This detects an attempt to modify the Okta application and change security controls.

Omega UUID: CLO-OKT3-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "application.lifecycle.update" OR devicecustomstring4 = "application.lifecycle.delete" OR devicecustomstring4 = "application.lifecycle.deactivate")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "application.lifecycle.update" OR customstring38 = "application.lifecycle.delete" OR customstring38 = "application.lifecycle.deactivate")

Activity: Attempt To Modify Okta Sign-on Policy 

Description: This detects an attempt to modify the Okta sign-on policy. An adversary can use this vector to change security controls.

Omega UUID: LO-OKT4-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "application.policy.sign_on.update" OR devicecustomstring4 = "application.policy.sign_on.rule.delete")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "application.policy.sign_on.update" OR customstring38 = "application.policy.sign_on.rule.delete")

Activity: Attempt To Modify Okta Multi-factor Authentication 

Description: This detects an attempt to modify the Okta MFA. An adversary can use this to change security controls.

Omega UUID: CLO-OKT5-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "user.mfa.factor.deactivate" OR devicecustomstring4 = "user.mfa.factor.reset_all")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "user.mfa.factor.deactivate" OR customstring38 = "user.mfa.factor.reset_all")

Activity: Attempt To Modify Okta Network Zone 

Description: This detects an attempt to modify the Okta Network Zone. With this an adversary can  change security controls as needed.

Omega UUID: CLO-OKT6-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "zone.deactivate" OR devicecustomstring4 = "zone.delete" OR devicecustomstring4 = "zone.remove_blacklist" OR devicecustomstring4 = "network_zone.rule.disabled")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "zone.deactivate" OR customstring38 = "zone.delete" OR customstring38 = "zone.remove_blacklist" OR customstring38 = "network_zone.rule.disabled")

Activity: Attempt To Modify Okta Policy 

Description: This detects an attempt to modify the Okta policy. An adversary can use this to change security controls.

Omega UUID: CLO-OKT7-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "policy.lifecycle.update" OR devicecustomstring4 = "policy.lifecycle.delete")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "policy.lifecycle.update" OR customstring38 = "policy.lifecycle.delete")

Activity: Attempt To Modify Okta Policy Rule 

Description: This detects an attempt to modify Okta policy rules. An adversary can use this to change security controls.

Omega UUID: CLO-OKT8-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "policy.rule.update" OR devicecustomstring4 = "policy.rule.delete" OR devicecustomstring4 = "policy.rule.deactivate")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "policy.rule.update" OR customstring38 = "policy.rule.delete" OR customstring38 = "policy.rule.deactivate")

Activity: Potential Malicious Request Okta 

Description: This detects a malicious request from an IP that is identified by Okta ThreatInsight. It can be used to monitor and act on credential-based attacks (such as brute force, password spray) on your organization. 

Omega UUID: CLO-OKT9-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND devicecustomstring4 = "security.threat.detected"

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND customstring38 = "security.threat.detected"

Activity: Potential Unauthorized Access to Okta Application 

Description: This detects unauthorized access to Okta.

Omega UUID: CLO-OKT10-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND devicecustomstring4 = "app.generic.unauth_app_access_attempt"

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND customstring38 = "app.generic.unauth_app_access_attempt"

Activity: Potential Brute Force Attempt Okta 

Description: This detects an Okta account lock event that indicates a brute force attack on the account.

Omega UUID: CLO-OKT11-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND devicecustomstring4 = "user.account.lock"

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND customstring38 = "user.account.lock"

Activity: Potential Bypass Attempt Okta MFA 

Description: This detects attempts on an Okta login to bypass Okta multi-factor authentication.

Omega UUID: CLO-OKT12-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND devicecustomstring4 = "user.mfa.attempt_bypass"

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND customstring38 = "user.mfa.attempt_bypass"

Activity: Potential Denial of Service Okta 

Description: This detects a potential DoS (denial of service) attack.

Omega UUID: CLO-OKT13-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND (devicecustomstring4 = "application.integration.rate_limit_exceeded" OR devicecustomstring4 = "system.org.rate_limit.warning" OR devicecustomstring4 = "system.org.rate_limit.violation" OR devicecustomstring4 = "core.concurrency.org.limit.violation")

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND ( customstring38 = "application.integration.rate_limit_exceeded" OR customstring38 = "system.org.rate_limit.warning" OR customstring38 = "system.org.rate_limit.violation" OR customstring38 = "core.concurrency.org.limit.violation")

Activity: Suspicious Activity On Account Okta 

Description: This detects suspicious activity that is reported by an Okta user.

Omega UUID: CLO-OKT14-RUN

Spotter Query 6.3.1:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND devicecustomstring4 = "user.account.report_suspicious_activity_by_enduser"

Spotter Query 6.4:

index=activity AND rg_functionality="Cloud Authentication / SSO / Single Sign-On" AND rg_vendor = "Okta" AND evicecustomstring4 = "user.account.report_suspicious_activity_by_enduser"

Indicators of Compromise (IoCs) for Lapsus$:

Note: These related indicators of compromise (IoCs) have not yet been completely validated by Securonix Threat Labs, and have been provided as low confidence until otherwise stated.

IP Addresses:

103.195.100.11

104.238.222.158

185.56.83.40

104.238.222.243

108.61.173.214

198.244.205.12

51.89.208.22

104.17.244.81

1.117.93.65

1.117.117.202

URLs:

http://8.3.1.0

https://1.117.93.65/ptj

https://1.117.93.65/Ldu7

http://1.117.117.202:3306/KxWC

http://1.117.117.202:3306/wp06/wp-includes/po.php

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/

Hash:

07b7da86d2f548d18462f8d6d869052a

14781bc862e8dc503a559346f5dcc518

43bb437d609866286dd839e1d00309f5

61089a51d3be666631053d516ad9b827

91b88d281ef983296157f8ebfc73958036148194

f9153289b209929130f897ee47710b4c94aa6453

065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1

2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8

61089a51d3be666631053d516ad9b827

91b88d281ef983296157f8ebfc73958036148194

065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1

9d123f8ca1a24ba215deb9968483d40b5d7a69feee7342562407c42ed4e09cf7

a0aa66f6639e2b54a908115571c85285598845d3e52888fe27c6b35f6900fe56

a7c3ce181e5c3956bb6b9b92e862b6fea6d6d3be1a38321ebb84428dde127677

000127d103774b0e83a9c96a7a51cafe834ed0bec78450b3b86ef38e7cd02727

00016b2b590a7bbe97139e35315f5e206fe6562dd5b06c6b2e0e86082669e4e5

0001eb229175ef5690be7fa3bb5b8e701b9bbdd874324fa72a9d6ed5fe109401

0001fa2fa69b9ffcfb3dfa45167397486d9d1ecc466fa6ac4ba0f74b5056feab

00027ef37af490f075641c7be251bb4a6fd83957439959b8bb66cd4ca105db67

0003281c6c0009c05dbf8d25f10caf6a20195f1238e1c7d767816a905429707f

000508833a2515af73749e3376590b0aac9b15240ed409d79d4f5f1d2e249047

000584a56d35daa79d187df592226c2166d89900ceba9193a54768e66f07df30

0005a388b70ea04cb1c376b4e52cbeb74fb20426d95bcae8b488a85b17423d46

000653763bfb0719e87d8210266d72f84059391a7bccb79b45d7c05ed1612bbe

00067cd343807b855bb80c2c589f25596ce26f68e31b62703dd7963d73a211fe

00068518e65a6fc2b8e609dfcfcfee69cc03a03b05562736fa646af28fbb9125

0007869cca91c9d46a0ef17fca8deff347c89f1dbfff3e1f7c9cf4acea0ba88e

00080e7dd79e937b01912d61fed4bf553ba43ca87f85510bf560102a912a7244

0008661743e25be644e7244bef8ddce8cca1ff3473e27d9739617b11f629f0be

0008c12d6faca861ef58a65714a96016a90cb33cd40c13307331f4e4c983bc85

0009b60e958cbd5de2fc6f9d43afdb0b9df8080d1f45f3323de150d4a164e293

000a5521dc0b904013b40a3d6b73e59708f9f535e44ac043ee11f5d1584a05e8

000aab97e1361c1ee9221ce81c2569fe11160f5249b6fec91577e39fae5c2685

000abcab748e59e12c5caed1f782e5af6511d894af721520332a876fdfa647c7

000b33ca0cd722e2d84e6cd96528d0888637566e54f8be529ee338022d8d5d79

000f4659f0713e3cc4aaa0752f3d253c042e16e22676d211cb29ac80ae7b1d96

0025a20626141fb129c3773d7652dc5719d4b52c26e88ccf8174a04d8ff5f5aa

002ee368a6194361748112e1b736e5c3431b1935e77256b4b1871b269c96239b

004112c7bdeeb8470feefd513f6b4de124c69b19aabae9c22335a2d714260ab2

004a7d683b24716d8f6fb1c1dc23437595cf41885290b4e16fac6e0f06ea1b34

00545cd4a69879c7d3d34e18dbddce476b4a2249f027f0e8b2ebad210f3cfc70

006406b8506665a1ff1ef48b60564da56469922f3048a320484521c2a6986979

007aa2a6ccbbcb798261441bcb3c9bdac277f437df8f9d667e86b573b38f2dda

00b42436d482f462ec264ea71389e38c5dc9aae151ef5f2c7c98d053487f3c46

00b7935230986bc5222bf4b100e5aadd1602f55dff7401e402d45f3c10ba7250

00b8d5c044418cd05c1efc48a28b65de83508e23daed0607e6cb00838f4e36f6

00eb3e788cf72eaa11fc64363c61a6a7a800ec198b9cf0760572b56330a14e2a

01052e8ede3cd78df00452c27f4a27b8cb2c395491671bc1b13e378e35f3c4cb

01092c74935e08ad5ba6d8f912622b26fae52696d443dddd58fd7e26dfeb4766

0110c288a64c7ec2fb941b2053818607eebe5c6049115c00d601dcda04e6d55a

011384aa7d1566f449c868276ebedf41aed2d4539d57e5fed0a57f496ca37096

01260d03a2000687e113c0bf43f7de46b6f3d6a5f1e0b6f05b823f6233eed11e

012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

0128e8de17142617ef24ad70a37bafdb0bc362ba3c1911d7455890e29d078282

012c98d979e6172e58dab4a6f3ee15af9f435ca42446e12a579626e78afd2654

0135fe39f8442fd85806336e6e5a714634e68b50c8058ff81f9c567a961e4b7a

0225f76111b66428e4c6dbf401f29e173335f27cf9f356eb00dde23c69cd8eb6

04e186e981c7f6106ddbc11c453c48f7d765537391f107dcd074214d3202fca0

08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27

08e6fd8d634c63a1f49b91545a11c32af3bed835dd389b894908ef11fa1d036c

0aae9926416480168b37b7e6b63b4bb17cb417dc2e3e63935d8431b11db77c00

0b7641f65215e76e44c3c329e3ad11928307899ef150f3bc7e95131418203e2b

0c3a1caf26db396a2a66379fdbfbf59748fbdbf0498c3a99800a791a95b5c766

169628dbe8738106db6bd5d7f329b15405471365f4eddd8db21de7557f8f0566

172aee2b8d1ab3fb730d1fa4b7b44090e5809fb722f6ce3f84c0110c7eb0efca

1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

27a062c28a1f7283fcaa515e9caae81d713817b40c987a002cbef110aa057ce8

2d3acac7982b190333b16bfc4a1f5ccfc24f50b16994001aee6e32a22df8292a

30fecd33962585700bab63b4f2a38922599dd5a97ae38605c5613d4a72bb6b5f

3466a1814c822b9a1f8bb285caecb935397aa9fbb779240fa2c5143f6b7ef645

39ccc62109dffc2f1573b26205a30ba209aed07b6d0fc5bed57d35d49660dc64

42cf006d784aad21797472d644ae9cb31d164e1f50b841df1b93fccadfdbf561

4439bf7f7322330b14752f2c2a02d161b896e89f899b760215e71e347de7f65f

44a336f1a291f7a8bf98be751fdbc982121a78ec75b447cecfdd2c2a7da2eb78

489a3b23a790881114c7da8414c3775616b325396280cf0d5a4e39d44b54e694

496aadd0f0c303e760bb06db160b290b6b1d1cbfd3f6c3d9beab63527966bfe1

4c8f2137a812e619376cc8c746b76df47251b7b5241cbadd791bcb871c3eb4c9

508d3151894079e7762e60f790e53358fc6842f4f67b988542d7c3d2eb51ec82

5a6a00137262928ac61cee8100194377a47f8d015612ec571cd0fac9d6276c8d

62cd53518699928e8e33e6739b35e8c7aebbfd448d87113593ec2b9cd7cfdf8a

63f29bec58ad628a9244c8b81b255b21e28fc9f859b29a634c3c20546c36e5ee

69fb7b96d2da05f2aef88efc9e788ede343c9112ae164fe026e504449d56464e

6a6d96bf1e60254ff26b33499909e06767946a33781876724bf73326d32946cb

6ac4ca0871d8ccb6c5a8de045288aa3d11c6157f17a428ef45d94e1166ed78dd

6f46a4c9a31b4c7ee32fac923c5729fd7060d55388af183e0f25b7b3cd7fa9e2

71d0c4f4cb5bd85da13352684ef0eb99825b1b26ba5bd9b057872da97c145dde

74515cc06bfdc63c1023c579697558642aa894e5cb4db2ab620a58cf32815947

7a9411da829ad98c02900c0608fedd9125119b07f80de6f072c288127f678a70

7c22c9cf19f586693cbed6b2f17faa7c242d70121aef9da42015217740cc67c3

7f19c253609c1778cbc208eea4df6a19a9ef15767647841bb31a28ae78d788b5

813789578f61be4f6b35d4b9160029747438b1cbacafdc118d7d0974df7fda54

85c2fb612e92eb687dfa6ec0a65bbddccb7b49de507b093744587af07c575116

86749d3e3233d7a75a618c98eac9f31f508aed4492849f65b907787b0bd1d047

91c66028bc9d55418fa93d6df669bf25987a60b9086ee68579f24ceae15e7019

9506ef21605d443f1927089eacf0cd6c138bd88dcaef99cbe58960346113b67a

9759fc03c7c7bf5062f6b5907ef26d0600a1724e329ab61778fff62131f30bcf

9b4a9f90f75df7271300bc36353139993f2c8142bbc6f133c4f2120e26cbd240

9b9fc8a9b37f6f404a7c28115bea4551780873b05f156dc171920bf299484444

9c415b84b68b0992f387e94657f0944208e904970165cebefad5db77d252560e

9d7f5dcfc09e389e84adcc53bc6087f8aa39ab7248276689a4d40a846d66365d

9f10aace0d8ad5d9e4850996ae51386535278a4d56e5ce168a93b0ddb03be270

9f3b2a39dd67f9c328dd0e021cae0fb9e60e78f451fc4071a529fde00db0c243

a75f0f9574de44e202fcf1fff5ae4faa77a4f9ed952fa765e228f7decf0f5f1f

a7ba1a803fc30c0ef7ff0c63ee3afde5880e307aaf51a97335a6dd11b4128069

aefcacf74e2c2b35d7aa2f15a00b32a00edb107fc3ec230cdad4fb7db23daea6

af5b506cae4570a9f2edc31babdb33a167bb748b878cf08959d0709cfb07fb4a

b5a984ab6d52fb819c868a7e15bf3980a6d646f3cf6ada5ec1671cc9add7211e

bb8bfc78e5be990125d9c4fde12a8a1943a860ff2c39643cceb66675b8da646e

be79663e7706e1784ece902689c036f66fda709f301f217c2bfa4c1ee0c61c3e

bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

c036c5b3fe7f74f29bead67288a89ccd4294204bb7b51f4eddbf93e564595903

c112691671a79b0afd8363f8f95b645c94b8fcf8d68f4f751ce0abf9583593ed

c1f8f063484ad1be546a6ede080761cdbe2969c2a5d22ab70cb8fe091564acab

c78833108c4eae73b407f093154f58fa9b721f0fd2e1a061fae87c6b3633fb2d

c8a3c91a3220d38905bf48177bb1246612cb723fdc86fd3cfe061622ca474f4a

d9a5edbf5856af33290b583da0ccef88082b27c1372b1675880c05cf151249c2

dc1dc90497aa73ff135acdcca8ac863aae5d774c45ece5a4d053d5c24624d0e5

df2fc8d2b6b41519e63256ea06925bcd768bdb836eb36a5bbfddb9b1a83ef83f

e2c6a9dbd86ed00db73c0a4ba99fa8178e4c50d59efc8c14ecbbe19a71fa999c

eb3a87f558d1044e6f3f5e443374c0644b2141b45769f09d0cc0721eb67367a1

f219279eea9b8ec9e017fd59200c0aa49fa99e83eea18316fc1b3c8381e49f3f

f7506e9d998e9b2f3eb44c991e6981c9ad299b09f3c4ec51c226e913a1592f41

f7bf1983fb78154669d4f9932b0b44b8916a61a2cea8eca9b260d05633f0c1d3

fb9fe69ef42872525f4c9f17522a51c2aec867dc41c3540e6d1c7f45da8d9036

For the latest threat intelligence and updates please refer to our Github page that is updated daily. We also invite you to send your questions regarding critical security advisories to the Securonix Critical Intelligence Advisory team and look forward to being of assistance.