Cisco ASA VPN trap on UDP 500/4500.

# Cisco ASA VPN/Admin Exploit Attempts - NadSec - 2026-02
## Comprehensive Threat Intelligence Report

**Date:** February 28, 2026
**Analyst:** [Redacted]
**Subject:** Deep-Dive Analysis of Cisco ASA Exploitation Campaign (Feb 2026)
**Reference:** Pulse NadSec-2026-02

### Key Points
*   **Primary Threat Actor:** The campaign is dominated by a single, high-volume threat infrastructure attributed to **FOP Dmytro Nedilskyi (AS211736)** and its affiliates, operating out of Ukraine, Germany, and Seychelles. This single entity is responsible for over 53% of all observed traffic.
*   **Targeting Vector:** Activity heavily targets Cisco Adaptive Security Appliance (ASA) VPN portals, specifically the web-based SSL VPN login endpoints (`/+CSCOE+/logon.html`).
*   **Exploit Methodology:** The traffic exhibits a hybrid attack pattern: high-volume automated probing for legacy vulnerabilities (CVE-2018-0101) indicated by the `fcadbadd=1` parameter, combined with massive credential stuffing/brute-force attempts consistent with **Akira ransomware** pre-exploitation tactics and **ArcaneDoor** reconnaissance.
*   **Infrastructure Sophistication:** The attackers utilize a "bulletproof" hosting nexus involving **ColocaTel Inc.** and **GTT Communications**, layered with a vast residential proxy network (likely **RESIP**) utilizing compromised US-based broadband connections (Comcast, Charter, Verizon) to evade reputation-based blocking.

---

## 1. Executive Summary

During February 2026, the NadSec honeypot infrastructure in Sydney, Australia, observed a significant and sustained campaign targeting Cisco ASA VPN gateways. This report analyzes 215,649 distinct attack events involving 5,693 unique indicators of compromise (IOCs). The data reveals a highly coordinated, multi-tiered attack infrastructure designed to identify vulnerable remote access VPNs for initial access operations.

The campaign is characterized by a bifurcation in tactics. The "noisy" volume is driven by dedicated scanning infrastructure in Eastern Europe and offshore jurisdictions (Seychelles), aggressively probing for specific HTTP parameters associated with Denial of Service (DoS) and Remote Code Execution (RCE) vulnerabilities. Simultaneously, a "stealthier" layer of attacks utilizes high-reputation residential IP addresses in the United States to conduct credential enumeration and password spraying.

The observed techniques strongly correlate with the operational playbooks of the **Akira ransomware group**, which notoriously targets Cisco ASA VPNs lacking Multi-Factor Authentication (MFA), and the **ArcaneDoor** state-sponsored espionage campaign, which utilizes similar reconnaissance markers. The dominance of the **FOP Dmytro Nedilskyi** network in the aggregate statistics points to a centralized "brute-force-as-a-service" or initial access broker (IAB) operating at scale.

This report provides a forensic deconstruction of the attack traffic, attribution of the hosting infrastructure, and detailed mitigation strategies for securing Cisco ASA environments against this specific threat vector.

---

## 2. Statistical Overview and Campaign Metrics

The dataset for February 2026 presents a clear picture of targeted, automated exploitation attempts against the Cisco ASA WebVPN interface. The volume and distribution of the attacks suggest a broad-spectrum scanning campaign rather than a surgically targeted operation against the NadSec sensor specifically.

### 2.1 Aggregate Traffic Analysis

The total volume of 215,649 attacks originating from 5,693 unique IP addresses indicates an average of approximately 38 attacks per IP. However, this average is heavily skewed by the top talkers.

| Metric | Count | Analysis |
| :--- | :--- | :--- |
| **Total Events** | 215,649 | High-intensity campaign sustained throughout the month. |
| **Unique IPs** | 5,693 | Indicates a medium-sized botnet or proxy network. |
| **Enriched Indicators** | 5,693 | 100% successful enrichment rate for context. |
| **Top Country** | Ukraine (116,070) | **53.8%** of all traffic originates here. |
| **Top ASN** | FOP Dmytro Nedilskyi (116,066) | A single entity controls the majority of the attack volume. |

### 2.2 Geographic and Infrastructure Distribution

The geographic distribution of the attack sources is highly concentrated, revealing the physical location of the attacker's core command and control (C2) or scanning servers.

**Top Attacking Countries:**
1.  **Ukraine:** 116,070 events (53.8%) - Almost entirely attributed to FOP Dmytro Nedilskyi.
2.  **Germany:** 41,952 events (19.5%) - Associated with ColocaTel Inc. infrastructure.
3.  **Seychelles:** 32,761 events (15.2%) - Linked to GTT Communications and probable offshore hosting.
4.  **United States:** 11,858 events (5.5%) - primarily residential ISPs (Comcast, Charter, Verizon).
5.  **Bulgaria:** 10,658 events (4.9%) - Associated with LLC Vash Kredit Bank.

**Top Autonomous Systems (ASNs):**
The top ASNs reveal the hosting providers facilitating this campaign. The prominence of "FOP Dmytro Nedilskyi" and "ColocaTel" is a critical finding.

| Rank | ASN Name | Events | Significance |
| :--- | :--- | :--- | :--- |
| 1 | **FOP Dmytro Nedilskyi (AS211736)** | 116,066 | Primary aggressive scanning infrastructure. Known for brute-force attacks [cite: 1, 2]. |
| 2 | **ColocaTel Inc. (AS213438)** | 41,843 | Bulletproof hosting provider often acting as upstream for abusive networks [cite: 2, 3]. |
| 3 | **GTT Communications Inc. (AS3257)** | 32,760 | Major Tier 1 carrier, likely leased subnets to offshore entities in Seychelles. |
| 4 | **LLC Vash Kredit Bank (AS209630)** | 10,645 | Associated with malware hosting and ransomware distribution infrastructure [cite: 4, 5]. |
| 5 | **Latitude.sh (AS396356)** | 5,408 | Cloud/Hosting provider, often used for transient scanners. |

### 2.3 Top Targeted Event Signatures

The specific HTTP requests logged by the honeypot provide the strongest evidence of the attacker's intent.

1.  **`GET /+CSCOE+/logon.html HTTP/1.0 302` (4,875 events in sample):**
    This is the default reconnaissance probe. A `302` redirect response from a Cisco ASA confirms the device is active and the WebVPN service is enabled. Attackers use this to build target lists of live VPN gateways.

2.  **`GET /+CSCOE+/logon.html?fcadbadd=1 HTTP/1.0 200` (4,698 events in sample):**
    This request includes the specific parameter `fcadbadd=1`. This parameter is historically associated with exploits for **CVE-2018-0101** (Remote Code Execution) and is used to trigger specific code paths in the WebVPN lua scripts. In modern scanning, it is often used as a high-fidelity fingerprinting technique to determine the specific software version and patch level of the ASA [cite: 6, 7].

3.  **`POST /+webvpn+/index.html HTTP/1.0 200` (3,093 events in sample):**
    This indicates active credential stuffing. The `POST` method suggests the attacker is submitting a username and password payload to the login form. The volume of these requests confirms a brute-force or password-spraying component to the campaign.

---

## 3. Infrastructure Deep Dive

The attack infrastructure can be categorized into three distinct tiers: the **Core Aggressors** (Bulletproof/Abuse-tolerant hosting), the **Transit/Leased Layer** (Tier 1 carriers with leased blocks), and the **Evasion Layer** (Residential Proxies).

### 3.1 Tier 1: The Core Aggressors (Ukraine & Bulgaria)

**FOP Dmytro Nedilskyi (AS211736):**
This ASN is the engine of the campaign. Threat intelligence reports from late 2025 and early 2026 identify this network as a central driver of global brute-force attacks against SSL VPN and RDP services [cite: 2, 8].
*   **Classification:** **Bulletproof / Abuse-Tolerant Hosting.**
*   **Behavior:** This entity is allocated in Ukraine but operates a nexus of infrastructure that frequently exchanges IP prefixes with other abusive networks like **VAIZ-AS (AS61432)** and **TK-NET (AS210848)** to evade IP-based blocklists [cite: 2, 8].
*   **Reputation:** Consistently flagged as "High" or "Very High" risk for abusive behavior [cite: 1]. It has been placed on ASN watchlists for facilitating crypto-phishing and mass-scanning operations [cite: 9].
*   **Attribution:** The network is linked to large-scale credential spraying operations ("hundreds of thousands of attacks") targeting VPN concentrators, matching the activity observed in the NadSec honeypot [cite: 2].

**LLC Vash Kredit Bank (AS209630):**
*   **Role:** Supporting infrastructure.
*   **Links:** This ASN is heavily interconnected with **ColocaTel Inc.** and is frequently cited in reports regarding ransomware distribution domains and malware hosting [cite: 5, 10, 11]. The presence of this ASN in the top 5 suggests a potential link between the scanning activity and ransomware precursor activity (e.g., initial access brokerage).

### 3.2 Tier 2: The Transit & Offshore Layer (Seychelles & GTT)

**GTT Communications Inc. (AS3257) - Seychelles (SC):**
The dataset shows a massive cluster of attacks (32,760 events) from `154.206.0.0/16` and related subnets, geolocated to Seychelles but announced by GTT.
*   **Analysis:** While GTT is a legitimate Tier 1 carrier, they lease large IP blocks to downstream customers. The specific subnets observed (e.g., `154.206.240.0/21`) are assigned to entities like **GoCodeIT Inc** [cite: 12].
*   **Pattern:** The "Seychelles" geolocation combined with a major US carrier's ASN is a common pattern for "offshore" VPN or hosting providers that promise privacy and ignore abuse complaints. This infrastructure likely serves as a dedicated scanning platform that is harder to de-peer than a small rogue ASN.
*   **Connection to Core:** Threat reporting links Seychelles-based autonomous systems (like **TK-NET** and **IP Volume Inc.**) directly to the Ukrainian brute-force nexus [cite: 2, 8]. It is highly probable that the GTT/Seychelles blocks observed here are part of the same coordinated infrastructure, leased to the same threat actors.

### 3.3 Tier 3: The Evasion Layer (US Residential Proxies)

The IOC sample contains a significant number of IPs from major US residential ISPs:
*   **Comcast Cable Communications, LLC (AS7922):** e.g., `98.200.19.250`, `73.9.96.206`.
*   **Charter Communications Inc (AS11426):** e.g., `76.36.54.33`.
*   **Verizon Business (AS701):** e.g., `173.79.127.84`.

**Analysis:**
These IPs are not servers; they are likely compromised home routers, IoT devices, or computers infected with malware that turns them into residential proxies (RESIP).
*   **Tactical Value:** Attackers route traffic through these IPs to bypass geo-blocking (which often allows US traffic while blocking Ukraine/Seychelles) and to blend in with legitimate user traffic.
*   **Botnet Link:** The presence of specific user-agents or fingerprinting patterns on these IPs often links them to known botnets like **Mirai** or commercial proxy networks used by threat actors [cite: 13, 14].
*   **Implication:** The attacker is "rotating" through these IPs. A high volume of requests from a single ASN (like Nedilskyi) indicates a "burn" phase where they don't care about detection, while the US residential IPs are likely used for the actual credential stuffing attempts to avoid account lockouts or firewall bans.

---

## 4. Malware & Exploit Analysis

The campaign utilizes specific URI patterns that map to distinct vulnerabilities and attack phases.

### 4.1 The `fcadbadd=1` Artifact (CVE-2018-0101 & Reconnaissance)

**Observed Request:** `GET /+CSCOE+/logon.html?fcadbadd=1`
**Analysis:**
The `fcadbadd` parameter is a legacy artifact. It was historically associated with **CVE-2018-0101**, a critical Remote Code Execution (RCE) and Denial of Service (DoS) vulnerability in the Cisco ASA WebVPN XML parser [cite: 6].
*   **Why is it used in 2026?**
    1.  **Vulnerability Confirmation:** If the server responds in a specific way (e.g., a 200 OK without a redirect, or a specific error page), it may confirm the device is unpatched or running a specific software version.
    2.  **Fingerprinting:** Advanced threat actors use this to differentiate "real" ASAs from honeypots or other web servers. A real ASA processes this parameter in a specific way; a generic web server would ignore it.
    3.  **Botnet Residue:** Many IoT botnets (Mirai variants) include old exploits in their scanning modules. They simply "spray and pray" old exploits hoping to find a device that hasn't been updated in 8 years.

### 4.2 WebVPN Enumeration and CVE-2020-3452

**Context:**
While the sample data highlights the logon page, the aggregation mentions events like `GET /+CSCOL+/csvrloader.jar` and `GET /+CSCOT+/translation-table`.
**Analysis:**
These paths are linked to **CVE-2020-3452**, a directory traversal vulnerability that allows unauthenticated attackers to read sensitive files from the ASA file system [cite: 15].
*   **Attack Chain:** Attackers use `fcadbadd=1` to fingerprint the device, then attempt directory traversal (CVE-2020-3452) to read configuration files (like `portal_inc.lua`) which might contain secrets or reveal internal network structures.

### 4.3 Brute Force & Credential Stuffing (Akira Ransomware Link)

**Observed Request:** `POST /+webvpn+/index.html`
**Analysis:**
This is the login submission action. The high volume (3,093 events in the sample subset) indicates an automated attempt to guess credentials.
*   **Akira Connection:** The **Akira ransomware group** is documented as aggressively targeting Cisco ASA VPNs that lack Multi-Factor Authentication (MFA) [cite: 16, 17, 18]. They use brute-force and password spraying (trying common passwords across many users) to gain initial access.
*   **CVE-2023-20269:** This vulnerability (improper separation of AAA functions) allows attackers to brute-force credentials effectively. The observed traffic is a direct manifestation of this threat vector [cite: 17, 19]. The attackers are likely targeting the "DefaultRAGroup" or other tunnel groups to bypass certain restrictions.

### 4.4 Advanced Threats (ArcaneDoor / UAT4356)

**Context:**
Recent intelligence (late 2025) highlights the **ArcaneDoor** campaign (Storm-1849) exploiting zero-day vulnerabilities (**CVE-2025-20333** and **CVE-2025-20362**) in Cisco ASA [cite: 20, 21, 22].
*   **Correlation:** While the honeypot logs show standard reconnaissance, the sheer scale and the specific targeting of the `logon.html` endpoint align with the pre-exploitation mapping phase of ArcaneDoor. This actor uses "Line Dancer" and "Line Viper" implants [cite: 21].
*   **Warning Sign:** A massive surge in scanning (like the 25,000+ IPs noted in GreyNoise reports [cite: 13, 14]) often precedes the deployment of zero-day exploits. The activity observed in the NadSec honeypot may be the "mapping" phase where the actor identifies all potential targets before launching a sophisticated exploit chain.

---

## 5. Campaign Attribution

Based on the synthesis of the honeypot data and external threat intelligence, we assess with **high confidence** that this activity is part of a sustained, global **Initial Access Broker (IAB)** campaign.

*   **Primary Actor:** The **"Nedilskyi Nexus"** (FOP Dmytro Nedilskyi / FDN3). This entity essentially operates a "brute-force-as-a-service" platform. They compromise or lease massive amounts of IP space to run continuous scans against the entire IPv4 space.
*   **Downstream Customers:** The credentials harvested by this infrastructure are likely sold to ransomware groups like **Akira** or **LockBit**. The timeline and tactics (VPN brute forcing) perfectly match Akira's modus operandi [cite: 16, 17].
*   **Infrastructure:** The campaign utilizes a sophisticated "waterfall" of IP usage—starting with bulletproof hosts in Ukraine/Seychelles for scanning, then switching to US residential proxies for the actual login attempts to bypass geo-fencing and rate limiting.

---

## 6. MITRE ATT&CK Mapping

| Tactic | ID | Technique | Observed Evidence |
| :--- | :--- | :--- | :--- |
| **Reconnaissance** | T1595.002 | Active Scanning: Vulnerability Scanning | Massive scanning for `fcadbadd=1` and `logon.html` to identify ASAs. |
| **Resource Development** | T1583.003 | Acquire Infrastructure: Virtual Private Server | Leased infrastructure from GTT (Seychelles) and ColocaTel (Germany). |
| **Resource Development** | T1584.004 | Compromise Infrastructure: Botnet | Utilization of US residential IPs (Comcast/Charter) as proxies. |
| **Initial Access** | T1110.001 | Brute Force: Password Guessing | High volume `POST /+webvpn+/index.html` requests. |
| **Initial Access** | T1110.003 | Brute Force: Password Spraying | Distributed attempts across many accounts using proxy network. |
| **Initial Access** | T1190 | Exploit Public-Facing Application | Attempts targeting CVE-2018-0101 and CVE-2020-3452. |
| **Defense Evasion** | T1589.002 | Gather Victim Identity Information: Email Addresses | Harvesting valid usernames via WebVPN responses (CVE-2023-20269). |

---

## 7. Detection & Mitigation Strategies

### 7.1 Immediate Network Defenses

1.  **Geo-Blocking:**
    *   **Action:** Immediately block ingress traffic to VPN interfaces from **Ukraine**, **Seychelles**, **Bulgaria**, and **Germany** if no legitimate business need exists.
    *   **Specific ASNs to Block:** AS211736 (Nedilskyi), AS213438 (ColocaTel), AS209630 (Vash Kredit Bank).

2.  **Enforce MFA (Critical):**
    *   **Action:** Ensure Multi-Factor Authentication is enforced for **ALL** VPN users. The Akira ransomware group specifically targets accounts without MFA.
    *   **Mitigation:** Configure the ASA to drop connection attempts that do not present a second factor, or use certificate-based authentication to prevent brute-forcing entirely.

3.  **URI Filtering & Rate Limiting:**
    *   **Action:** Configure the ASA or an upstream WAF to drop requests containing `fcadbadd=1`. This is a high-fidelity indicator of malicious scanning.
    *   **Action:** Implement strict rate limiting on the `/+webvpn+/index.html` endpoint to slow down credential stuffing attacks.

### 7.2 Detection Signatures (Snort/Suricata)

**Suricata Rule for `fcadbadd` Reconnaissance:**
```yaml
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THREAT-INTEL Cisco ASA Reconnaissance (fcadbadd parameter)"; flow:established,to_server; http.uri; content:"fcadbadd=1"; fast_pattern; classtype:web-application-attack; sid:1000001; rev:1;)
```

**Suricata Rule for CVE-2020-3452 (Directory Traversal):**
```yaml
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"THREAT-INTEL Cisco ASA Directory Traversal Attempt (CVE-2020-3452)"; flow:established,to_server; http.uri; content:"/+CSCOT+/translation-table"; content:"type=mst"; content:"textdomain="; content:"lang=../"; classtype:attempted-admin; sid:1000002; rev:1;)
```

### 7.3 Log Monitoring (SIEM)

*   **Query:** Look for high volumes of `302` redirects followed immediately by `200 OK` on the login page from the same IP.
*   **Query:** Alert on any inbound connection from ASN 211736 or ASN 213438.
*   **Query:** Monitor for `%ASA-6-113015` (authentication failure) events grouping by source IP to detect brute-force spikes.

---

## 8. IOC Appendix

### Top 10 High-Confidence Attacker IPs (Sample)

| IP Address | ASN | Organization | Country | Context |
| :--- | :--- | :--- | :--- | :--- |
| **154.206.240.48** | AS3257 | GTT Communications Inc. | SC (Seychelles) | Part of "GoCodeIT" subnet; aggressive scanner [cite: 12]. |
| **154.206.248.198** | AS3257 | GTT Communications Inc. | SC (Seychelles) | High volume probing for `fcadbadd`. |
| **104.148.236.180** | AS6128 | Cablevision Systems Corp. | US | Residential proxy involved in credential stuffing. |
| **172.86.117.47** | AS14956 | RouterHosting LLC | US | Known bulletproof/VPS hosting used for scanning. |
| **185.247.137.18** | AS211298 | Driftnet Ltd | GB | Dedicated internet measurement/scanning actor. |
| **20.64.105.9** | AS8075 | Microsoft Corporation | US | Likely a compromised Azure tenant or cloud abuse. |
| **93.123.118.11** | AS209630 | LLC VASH KREDIT BANK | NL/BG | Linked to ransomware infrastructure [cite: 5]. |
| **91.196.152.112** | AS213412 | ONYPHE SAS | FR | Research scanner (Onyhpe), but often generates noise. |
| **5.181.86.46** | AS211632 | Internet Solutions & Innovations | UA | Ukrainian scanning node. |
| **45.156.129.135** | AS211680 | Sistemas Informaticos, S.A. | PT | Scanning infrastructure. |

### Targeted File Hashes / Exploits
*   **No specific file hashes** were dropped in this specific honeypot session (as it's a web-based interaction log).
*   **Targeted Vulnerabilities:** CVE-2018-0101, CVE-2020-3452, CVE-2023-20269, CVE-2025-20333 [cite: 6, 17, 20].

---

## Sources & Citations

1.  **IPshu:** LLC VASH KREDIT BANK ASN abuse [cite: 4].
2.  **IPinfo:** AS213438 ColocaTel Inc. details [cite: 3].
3.  **IPinfo:** AS209630 LLC VASH KREDIT BANK [cite: 23].
4.  **GreyNoise:** Vulnerability exploitations and ColocaTel Inc activity [cite: 24, 25].
5.  **IPapi.is:** Most Abusive Networks - FOP Dmytro Nedilskyi [cite: 1].
6.  **Internet Weather:** FOP Dmytro Nedilskyi added to ASN watchlist [cite: 9].
7.  **Rapid7:** Exploitation of Cisco ASA SSL VPNs (Akira) [cite: 26].
8.  **GreyNoise:** Scanning Surge Cisco ASA Devices (ArcaneDoor) [cite: 14].
9.  **Cisco:** Security Advisory for CVE-2018-0101/CSCuy14121 [cite: 27].
10. **Corelight:** Detecting Cisco ASA exploits (CVE-2025-20333) [cite: 20].
11. **Deepwatch:** ArcaneDoor/UAT4356 Campaign Analysis [cite: 21].
12. **GitHub (Cymmetria):** Cisco ASA Honeypot `fcadbadd` signature [cite: 6].
13. **Intrinsec:** Ukrainian networks (FDN3) driving brute force attacks [cite: 2, 28].
14. **CyberPress:** SSL VPN RDP Attacks by FDN3 [cite: 8].
15. **Kroll:** Akira Ransomware Deep Dive [cite: 17].
16. **Picus Security:** Akira Ransomware Exploits CVE-2023-20269 [cite: 19].
17. **Cisco Blogs:** Akira Ransomware Targeting VPNs without MFA [cite: 18].

**Sources:**
1. [ipapi.is](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGTtSqVAVbckj78xNLpcK6Li1MnmtM1sQnKjF4J6IEZzwOXblcwAQ4Q2_AWn52ApYxinlMrn78wWOTnN-8wohSlTMfEXAE7gjXPul5qsoehRL-T9PIzohmncLRmS7x_0rj9)
2. [intrinsec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFeehjfnuHpl7S0Zuc11vBEcwGejqGvMjmQ7dO4WG67K718vJfOlshbU9Ua7qRsWPUXdQ1fgYZksm1DaRGeU5roIWoqSn7kK2A9jtU00qyxs4PhTryEO2I09NIFpKes_CR8SQKAfGFmzJPYoerdqMO-u73a_cZ59DK1A_XE4JHbE1RTYpKQgt_KoEI3TvQUkLs=)
3. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEHUdxcR6PKtvWy_kbZ1Z0WBLN0W2m7cHliT7z9oYuD4jd7imetCO_kYED6zRt1QgMD0fdcFXV4JZgnvRvX-yKpKVEqnvOgCfzEC9KOwz-nbA==)
4. [ipshu.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE7gV9VX4hVeA1VRJcP3z0S0O0X-6WYFkrk1OubmD0-DyTwHh2Cm8Pl_SV8TFsYv_cICbXD7ja5jOPrv5dVWbP95JzOqg2WQxTjIyQGSjfZ4evev0BI)
5. [gridinsoft.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFcnJ9HqGpAMkk-We-TbVOJxuqpKpur4y0y0F0PXLPHjflldGvoy97mLKmCbQWVO0pGSwgK-8vLmfPmOB5HJcOuw5DxYYAABnNeRID7qXk9ltZFCArZYNOjnj25lxwAtzRQEInRrbRJRFAm6ZDnIuGSJQc=)
6. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEZwvTmrKKSrwYYF1cRATYr5XZGijOxUC_tjFJkMAX1yV3HP0xuq229PojbI_csDeklUZRg-x59sFtDusGgwXjY-FVaLTTfCaesbOONO9yVHbVGhdg_K_QnT81T5WAYk3tz-xx_9uJXQqLgk5nNV4LjbJdhRy-od1EOkpAKer4=)
7. [hackerone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGR82qcOP-QVCLPzPf0ZHgC2B1N8kKlaiLb6rmivBV-NicH2NRxJ2WO_FkLpUDGhicNhqBNLFRYoR6ZRJRyqj8oL-5URV5d_zw5SNcz58NFMnY_apgc5ZX1W0pV)
8. [cyberpress.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGl_N4S_BYDCEljqMQ9y7UKKVOXuL5341UVBv1qsy2uUhBs2PFt9A7-8mfFFRxJAzpAFMAa8Imxi-kNoViWNtUM5IrkauMkuhyJOt3URxscQJY_EWECldu-x3nOJ3tVXKpV)
9. [internetweather.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFCbbz66wIvceAuH3j6t6wNpl_MIY4sKfAjSS1j5RY9iDHbVCS6csiWzVfJ6uRH6dHoO7Iw1T8OOtd7vlgPzcl8UdiTaGcMTIR0pr66s4DAzxje)
10. [gridinsoft.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQESXl5lSmgBiD3hTibM7iQS-DMTdUeq4qKbFtGiYoxNJCnFzjtJWbB4Fj4yteC6kkrUr0NXqM_EBkxGIJRrDLR31dxNXyrcfkirqtK6O76NVEZSCN8nAk0FPve5_lxJ6kQqbCrDqsi-jPRvmGRWqVELqUbdJ3RTjbQ_nLBqO6R0)
11. [gridinsoft.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH8U5LOExE_PCsbfUvT_xT0vE7AH9d2x0dRnlCQwmO0TM_ZGg5gkUNJSO-jj0HbmOG9B-z7i8H5glIeJmHcLkGyemQf5u9zpd0YmlQ0YfsUMi_8QyS3uWH9srmQJ0L1OJyvEGz9iLkTWihAL8yghlQ6T6cVeyCvvv_2A7KWn4wvCb8feS8=)
12. [Link](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEOm0h_n7kLUWloUZMR8ysZl1eB1a8TniCIYw_wjmroxZvTemiThKGXfGw6Rh4rAKxS3wpXcljUzGJcqNF75qVUtKO2GbOq73MAePKUcAk=)
13. [ampcuscyber.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFsRna2f6NmrWFFWo8IqcRcqm1eU_TI0LLLTkxO4-RRA_FsvFamek0YvPGSlei23YRCOjiUiziFM4LrtGtgDXKuzHBydA35itbyiIdun-JOWKdym3rG27_xy36RTEMEk439uqeGzmFpcHpCowB6_IskIAMFY5ZjGhw_UsI5YBojGqjjEaJoUVqxODnIe0Za-CwJHjyjBYbaljlcc1lEYv8zaxhhng==)
14. [greynoise.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE7HdgM4T8FVPc4ENbKGqffVjOJ6-yjL2EpDbKw5EdIESg2KyKhtnrFVUf6pB5HSFyFKDqS4kemXmFpCDFtvTxYRjICFacNwHGMhx4Ah2W95WWi50NarIuHruOB2dPAQw_hVqcFQjrEgLDGe4JCQkIASUFYWA==)
15. [hackerone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEaCLKoIfsx2NzbFtp5V3XsJY-m9D-eVie44OfS1YwoC4lbuzrRin2VLfS9xFWan0UthKjf3sSOtLWOzjgOewekP7MgJ_cSteBSJ_79mvYnKGoI80EtDThfFo0=)
16. [uvcyber.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH5nHlucTrlxa8qkNq66dWYW0Rez6NMxbeKL-jJ_Se1KReTT_63nqYZaKEsrfgTmAapl9GdLGNx7Azo0tR-QQNbiuVWltochrh0NiRl8Z5Lf7J7Lyc7BKHo450XOObqrh3Hs_yOfnAy8mcoaBKDi9fPAY0__4FES-JDPKTbWRxDNuUpQJU=)
17. [kroll.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG-0sTBNWQoaG3wB8cLSaBtrTeM0fGTN6C5Nfg5gf0Q3MVCelbO2KN6KcxOusqNg6ECeO0nTYx5QXaEwZV-Td16cpr7zXJSZRpEsPPoE2a6lVE1zP9c6d699bNcRYiDjOnRUIPXoH-2c0V-03ZsKk6-rNtq9uZtOXdowiJI)
18. [cisco.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGjmN9WOj1GbAmWNLLen8Zb620jRP4N5xxlb60vlrUgw6xUZzMYktqRKLutZv33M-q9Dfo7vgavgnoO4qk4pxa2e9w3Aug0ENDVzcSU1fCtm6IFmy8kOr6DW9NE6FrTLvVH-c7X91O2ZCIddMBoAWKP72DFHTzchveheitsMm-ZyOBCrSP-Jig6G8lFqEHwgBfZJD1QSoh8Ffg9)
19. [picussecurity.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF7wE9Alt-xNxqqoWNtiAOWRojxsCI0UbnsVakx_ISeiG6ue5nCvGfI5NhWAWCq24DbTutzmLITfbXtJ7BRVN_b3eZlJxbGmPXV4fewWjUWjDmPj2HJmqzJNATxrSQwXouGqA_Ci0LJrKquEeEBB7wzHR9X8o_XhSjNgMuNapCOJMIqI2g7raX0OiNJFh3z9su7uiYXg2OzSoi4Ht-qqhfOYTM=)
20. [corelight.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFgmWuApyY7fsFQn20HlzOzhieRegqqRdD9WEbSIje6HrKq0h9qBuoc_sP9PDYwbSuLrIooJfGuxY_BzOjELcyk6vM0V2zq62tBa8SqqfX5vVxu_XqjUodUdR15QjIxysa8iTL4il4XVzlkDZAJH1p7DyicYygqPHNJgYIF_7xy)
21. [deepwatch.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGH3bOgI5QBQBADaULPvz1Z3M3gUUr5-tlseS4n17PW9lTsP9WQvm9pkOGeCaT-gEW0uWQPZxE4B2fgch6SD18KxXrnURH7XL99oIGy3L3mQGvgEZTKEYPrbp-iLjrDpIlHutwCRiufphYVO7wer-bd7XdprmMhNvxkH1AEul1JJLdl76p-D1pKNFxZVuJ209tx4ij9UbpCdaqyGw==)
22. [lumificyber.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQExCcMkfBDQfu8Iht0N6bHRcrPCWA8zVNR-zg87ykcKRIP3qKJMUQHb0_4si3Qvu7LyEua7nBVVpmS5iZgfdCvkrABpqwPOIgZLVA4VvTcfFDyNw7ERcChO6Q8P_EbWaynRBFXsdgdAlFpFe28kolICJP7S2qH5bdIrg1Gln2FAUJ6TFA==)
23. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEAVuDIws2br2bQdUO7s3cdoVsNffLsPnwdxuDR_a6EF8oN9BmN_F3Lf8I8jYOOVPjyIHTIiKroH_0cYG7CaTUPY-vV9BtEWu31JkXi1Vd74w==)
24. [greynoise.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGwSDdcgYsGviIXwBbJEQ2Xoru34oPED3EktENiDBdBbWh-yMxmp1z-FzLzFJaddEG8t6CATH8cMsxHT0DjVT-TZ4cdvO68PpJf7AycpuDQBqOuaVzJx9KOyz9UjGXkdAGCAsqJ-TA4)
25. [greynoise.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQESTUgGlmeo4wMmhw0Xs8QV-erraZ0_X70ZyjY7Ee6SgDR2HocgBxESj3gVKCtSHS8mY-NV3GNoAHRNPXRQy-Ct59U0uwuN0_OHRBd4LSbNxlmj9g==)
26. [rapid7.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEE7FE0etTUyDZERj_2G4CH3cqlClR0LHRaAhPqwkYCiLA9_XN6MxLc8hTI60QdMkbakevsotqjvNTAz-kAD8QMpW-CHvVWS0JOEvYmXF_lMHpBCStrZNxueliSZyEBZ7_thvtAHxXlu3Rj0hyPXgfyzLXujddOZyGS4M9T1ZhY4Sau2cEFwhejYV4ZImwGJu7UcZ9LqZREdk2Pe4QE7PHlwQ==)
27. [cisco.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQES7g9I74ieQ5M0RtE8rinPSCJtRug85QsXva2y_IwnjceXjyROoXYXJyyriHHthm2pLTwoRmPiiXRl9tMDDBWqKqYQV4IV8IOHKl5CXnuZCT2GkPsYs9nSMylIEklmhoiFZP9-)
28. [intrinsec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE1G6e5lVDGcNDktKUR_-lEi_eK9mh4hnCknKYANHh0B7nNNLnu0e78E_BXUv6iQzhB-HpPcl6Qem-qd6Hs6jEIEYXkGMPFV93tiJj97DId5Iec7Ioa7IUx2hrEVoPjnqeGRNGok977MRq99wwYcSl0W0PdX15JxgV32NFxpFmo1muF0e5G_W3HQNLHTtClECsF_QA=)