Honeypot overview
Suricata IDS running inside T-Pot CE, matching signatures against live traffic. Every alert becomes an indicator, and Robert AI writes the monthly breakdown.
NadSec Honeypot. Everything here is malicious on purpose. No production data.
Data source: T-Pot CE (Suricata). IDS alerts are exported to STIX.
Report author: Robert AI. Summaries and snark only.
Scope: Suricata-only indicators. Signals come strictly from the Suricata IDS STIX bundle; no cross-talk from other services.
What to do: Drop into deny lists. Use IPs and hashes for blocking or enrichment. Share the pulse URL with your teammates.
Caveats: Noisy on purpose. Tune to your risk appetite before auto-blocking anything in prod. Need help implementing? NadTech Support can assist.
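The pipeline described above (Suricata alerts exported as a STIX bundle, then dropped into deny lists) is simple to script. The following is an added example for this page, not T-Pot's or NadSec's own code. It assumes the standard STIX 2.1 layout, indicator objects whose pattern is a flat comparison such as [ipv4-addr:value = '160.119.76.47'] or [file:hashes.'SHA-256' = '...'], counts the distinct IP and hash indicators, and filters private and reserved addresses out before anything reaches a blocklist. The bundle embedded in it is constructed and its hash is a placeholder, not a real indicator.

```python
"""Pull IP and file-hash indicators out of a STIX 2.1 bundle for blocking.

Added example for this page, not part of T-Pot CE or NadSec tooling. It
assumes the standard STIX 2.1 layout: indicator objects whose `pattern` is a
flat comparison such as [ipv4-addr:value = '160.119.76.47'] or
[file:hashes.'SHA-256' = '...']. The bundle below is constructed; the
hash in it is a placeholder, not a real IoC.
"""
import ipaddress
import json
import re

# One comparison inside a STIX pattern: <object>:<property> = '<value>'.
# Enough for the flat patterns IDS-to-STIX converters emit; it is not a
# full STIX pattern parser (no AND/OR, no qualifiers).
_COMPARISON = re.compile(
    r"(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'"
)

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '160.119.76.47']",
         "name": "SIP INVITE flood source"},
        {"type": "indicator", "pattern_type": "stix",   # same IP, second alert
         "pattern": "[ipv4-addr:value = '160.119.76.47']",
         "name": "SIP INVITE flood source"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '89.42.231.182']",
         "name": "Spring Framework path traversal source"},
        {"type": "indicator", "pattern_type": "stix",   # sensor-side address
         "pattern": "[ipv4-addr:value = '10.0.0.5']",
         "name": "GPL SCAN loopback traffic"},
        {"type": "indicator", "pattern_type": "stix",   # placeholder hash
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "name": "placeholder file hash"},
        {"type": "relationship", "relationship_type": "indicates"},
    ],
})


def extract_indicators(bundle_json):
    """Return (ips, hashes): a set of address strings and a set of
    (algorithm, lowercase digest) tuples, deduplicated across objects."""
    ips, hashes = set(), set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for m in _COMPARISON.finditer(obj.get("pattern", "")):
            path, value = m.group("path"), m.group("value")
            if path in ("ipv4-addr:value", "ipv6-addr:value"):
                ips.add(value)
            elif path.startswith("file:hashes."):
                algo = path[len("file:hashes."):].strip("'")
                hashes.add((algo, value.lower()))
    return ips, hashes


def deny_list(ips):
    """Globally routable addresses only, sorted. Private, loopback and other
    reserved space is dropped so a sensor's own address or a spoofed
    127.x source never ends up in a production blocklist."""
    keep = []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.split("/", 1)[0])  # tolerate a /32 suffix
        except ValueError:
            continue
        if addr.is_global:
            keep.append(addr)
    return [str(a) for a in sorted(keep, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    found_ips, found_hashes = extract_indicators(SAMPLE_BUNDLE)
    print("unique IP indicators:", len(found_ips))
    print("hash indicators:", len(found_hashes))
    print("\n".join(deny_list(found_ips)))
```

On the constructed bundle the two duplicate objects collapse to one IP, the 10.0.0.5 sensor address is counted as an indicator but never reaches the deny list, and the output is two routable addresses. Feed the real export through the same filter before it touches a firewall.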
Monthly report
REPORT DESIGNATION: NADSEC-INTEL-2026-03-SURICATA-THREAT-MATRIX
AUTHOR: ROBERT (Senior Threat Intelligence Goblin / Caffeinated Chaos Engine)
DATE: April 01, 2026
CLASSIFICATION: TLP:CLEAR (Share freely. Print it. Wallpaper your SOC with it.)
SUBJECT: March 2026 SURICATA Analysis: "Ripple20, Spring Leaks, and a Seychelles SIP Flood"
Welcome back to another month of me staring at firewall logs until my eyes bleed so you do not have to. It is April Fool's Day, but the joke is entirely on us, because the internet remains a burning dumpster fire of unpatched embedded systems and misconfigured enterprise applications. March 2026 was a uniquely agonizing month for the NadSec Sydney T-Pot honeypot infrastructure. If you were hoping that threat actors had suddenly developed a sense of operational security or perhaps taken up a healthy offline hobby like knitting, I am here to violently crush those dreams.
This month, our Suricata Intrusion Detection System logged a staggering 503,441 total alerts. Do you want to know the punchline? That half-a-million alert volume originated from a measly 78 unique IP addresses. That is not a botnet. That is a handful of offshore bulletproof hosting providers and abused cloud environments smashing their collective faces into their keyboards. The extreme discrepancy between the low number of unique source IPs and the extraordinarily high alert volume highlights the persistent, high-frequency nature of automated scanning and flooding attacks prevalent in the modern threat landscape. Threat actors are no longer bothering to hide; they are just turning up the volume until our logging servers melt.
Here are the key findings that made me want to pour my coffee directly onto the server rack this month:
Month-over-month, we are seeing a distinct shift away from highly distributed, low-and-slow reconnaissance. Instead, actors are pivoting to centralized, high-bandwidth cloud and VPS nodes to brute-force their exploits. It is loud, it is obnoxious, and it is entirely reflective of an industry that refuses to filter outbound abuse traffic. Grab your caffeinated beverage of choice. We have a lot of garbage to sort through.
Let us break down the mathematics of our misery. The following tables synthesize the aggregate statistics computed from the enriched STIX 2.1 bundle captured by our Suricata sensor.
Behold the worst offenders of March 2026. If you have not blacklisted these yet, I question your commitment to network defense.
| Rank | IP Address | Country | ASN | Organization | Event Volume | Primary Activity | Rating |
|---|---|---|---|---|---|---|---|
| 1 | 160.119.76.47 | SC | AS49870 | Alsycon B.V. | 426,668 | SIP INVITE Flooding | 👹 |
| 2 | 185.55.240.152 | DE | AS199912 | Layer7 Networks GmbH | 40,888 | F5 TMUI / DrayTek RCE | 💀💀💀💀💀 |
| 3 | 204.216.147.144 | BR | AS31898 | Oracle Corporation | 20,580 | F5 TMUI / EnemyBot | 💀💀💀💀💀 |
| 4 | 89.42.231.182 | NL | AS206264 | Amarutu Technology Ltd | 5,157 | Spring Path Traversal | 👹 |
| 5 | 178.18.253.107 | FR | AS51167 | Contabo GmbH | 4,858 | SIP INVITE Flooding | 💀💀💀 |
| 6 | 204.76.203.215 | NL | AS51396 | Pfcloud UG | 1,685 | Spring Path Traversal | 💀💀💀 |
| 7 | 204.76.203.73 | NL | AS51396 | Pfcloud UG | 1,684 | Spring Path Traversal | 💀💀💀 |
| 8 | 193.34.212.9 | PL | AS201814 | MEVSPACE sp. z o.o. | 840 | Spring Path Traversal | 💀💀💀 |
| 9 | 64.62.197.84 | US | AS6939 | Hurricane Electric LLC | ~20 | Ripple20 IP-in-IP | 💀💀💀 |
| 10 | 64.62.156.79 | US | AS6939 | Hurricane Electric LLC | ~20 | Ripple20 IP-in-IP | 💀💀💀 |
| 11 | 176.65.134.22 | SI | AS36680 | Netiface LLC | 92 | Linksys RCE Attempt | 💀💀 |
| 12 | 185.93.89.75 | IR | AS213790 | Limited Network LTD | 76 | Linksys RCE Attempt | 💀💀 |
| 13 | 8.210.16.217 | HK | AS45102 | Alibaba US Technology | 6 | JAWS RCE / Mirai | 💀💀💀 |
| 14 | 112.196.109.146 | IN | AS17917 | Quadrant Televentures | 9 | Ripple20 ICMP Anomaly | 💀💀 |
| 15 | 213.152.161.50 | NL | AS49453 | Global Layer B.V. | 5 | Ripple20 ICMP Anomaly | 💀💀💀 |
| 16 | 141.98.100.151 | GB | AS9009 | M247 Europe SRL | 3 | Ripple20 ICMP Anomaly | 💀💀 |
| 17 | 103.84.57.217 | PK | AS141421 | MUX BROADBAND | 2 | JAWS RCE / Mirai | 💀 |
| 18 | 94.243.10.193 | RU | AS8359 | MTS PJSC | 2 | JAWS RCE / Mirai | 💀 |
| 19 | 45.230.66.101 | AR | AS266702 | MEGALINK S.R.L. | 2 | JAWS RCE / Mirai | 💀 |
| 20 | 1.34.85.243 | TW | AS3462 | Data Comm Business | 2 | VXWORKS Urgent11 RCE | 💀💀💀 |
Attributing traffic to specific ASNs is the only way we can legally shame the hosting providers who look the other way while their infrastructure is used to burn down the internet.
| ASN Name | ASN Number | Alert Count | Infrastructure Type | Goblin Rating |
|---|---|---|---|---|
| Alsycon B.V. | AS49870 | 426,668 | Offshore / Bulletproof | 👹 |
| Layer7 Networks GmbH | AS199912 | 40,888 | European VPS | 💀💀💀 |
| Oracle Corporation | AS31898 | 20,580 | Cloud Computing | 💀💀💀💀💀 |
| Amarutu Technology Ltd | AS206264 | 5,157 | Offshore / Bulletproof | 👹 |
| Contabo GmbH | AS51167 | 4,858 | Budget VPS | 💀💀💀 |
| Pfcloud UG | AS51396 | 3,369 | European VPS | 💀💀💀 |
| MEVSPACE sp. z o.o. | AS201814 | 840 | European VPS | 💀💀💀 |
| Hurricane Electric LLC | AS6939 | 536 | Tier 1 Transit | 💀💀 |
| Netiface LLC | AS36680 | 92 | ISP / Hosting | 💀 |
| Limited Network LTD | AS213790 | 76 | Hosting | 💀 |
If you thought TCP was the only way attackers were going to ruin your day, March proved you wrong.
A quick look at where the pain is originating from geographically. Remember, geolocation is often just a reflection of where the threat actor bought their proxy or VPS, not where they actually live.
By synthesizing the infrastructure mapping and the malware behavioral analysis, I have defined the distinct threat campaigns targeting our Sydney honeypot. I even gave them cute names so management can put them on a PowerPoint slide.
This campaign is the background radiation of the internet. It is characterized by broad, geographically dispersed scanning on ports 80, 8080, 7574, and 5555.
Actors: Compromised edge devices globally. We saw nodes in India, Pakistan, China, the Philippines, and Russia.
Objective: To identify vulnerable Linux-based IoT devices and enterprise edge appliances. They specifically hunt for DrayTek routers, F5 BIG-IP systems, and ancient Linksys gear. Once found, they force-feed the device malicious shell scripts via command injection or pre-authentication RCE vulnerabilities.
TTPs: They utilize classic Mirai User-Agents and leverage modern exploit chains associated with the "EnemyBot" malware family to maximize infection success rates. The goal is simple: grow the botnet for future DDoS-for-hire operations. It is not sophisticated, but it works because people still leave administrative interfaces exposed to the WAN.
This campaign is highly specific, highly anomalous, and incredibly annoying.
Actors: A concentrated cluster of over two dozen IP addresses originating almost exclusively from Hurricane Electric LLC (AS6939) in the United States.
Objective: To map the global internet for embedded industrial, medical, and networking devices still running unpatched versions of the Treck TCP/IP stack (before 6.0.1.66). These are the "Ripple20" vulnerabilities disclosed in 2020.
TTPs: Firing unusual network protocols at random public IPs. Specifically, IP-in-IP encapsulated packets (IP protocol 4), which is the precondition for the double-free (CVE-2020-11900), and malformed ICMPv4 Path MTU Discovery packets matching the out-of-bounds read (CVE-2020-11910). This is not commodity botnet noise, but keep one caveat in mind: the IP-in-IP signature fires on any protocol-4 packet, so what the data proves is enumeration of hosts that accept IP-in-IP, with Treck devices the obvious prize rather than the only possible one. Whether it is an APT mapping critical infrastructure or a research entity being recklessly loud, the result is the same: our IDS screaming at us.
This campaign focuses on data extraction and immediate server compromise via recently disclosed vulnerabilities.
Actors: Infrastructure provisioned on European VPS providers (Pfcloud UG, MEVSPACE) and offshore bulletproof hosts (Amarutu Technology).
Objective: To exploit CVE-2024-38816, a path traversal vulnerability in the Spring Framework. They want to steal configuration files, database credentials, and cloud access tokens.
TTPs: Utilizing crafted HTTP GET requests containing directory traversal payloads (like ../ and its URL-encoded variants) against non-standard web ports like 3000, 4000, 8008, and 18789. The attackers are relying on the relative recency of the Spring vulnerability, assuming many organizations have completely failed to patch their functional web frameworks. Given the state of enterprise patch management, they are probably right.
This is the campaign that generated 84% of our alerts. It is the digital equivalent of a toddler screaming in a restaurant.
Actors: Infrastructure hosted at Alsycon B.V. in the Seychelles.
Objective: Complete resource exhaustion of the target's VOIP or network infrastructure.
TTPs: Sending an overwhelming, relentless flood of UDP SIP INVITE messages to port 5060. This is indicative of a "stress test" or a Booter service launching a DDoS attack. They were likely testing our honeypot's bandwidth limitations or attempting to disrupt simulated VOIP services. Bear in mind that the honeypot has no real SIP trunk to knock over, so the 426,668 figure measures the attacker's send rate, not any impact. It requires zero skill, just a willingness to pay a shady hosting provider for transit.
Let us talk about the enablers. Threat actors do not operate in a vacuum. They require infrastructure, and unfortunately, the internet is full of companies perfectly willing to rent them server space no questions asked.
Bulletproof hosting refers to infrastructure providers that systematically ignore abuse complaints, operate in jurisdictions with lax cybercrime laws, or actively cater to malicious actors.
Alsycon B.V. (AS49870)
Alsycon B.V. is a registered autonomous system (AS49870) primarily associated with the Netherlands, though our threat data geolocates a massive portion of its traffic to the Seychelles. They peer extensively with major transit providers. In this dataset, Alsycon is responsible for nearly 85% of the total alert volume. IP 160.119.76.47 was flagged for non-stop VOIP SIP INVITE message flooding, and public abuse databases give it an abuse confidence score of 100%. The immense volume generated by this ASN strongly indicates its use as a dedicated platform for Booter/Stresser services. If you see this ASN in your logs, block it. There is zero legitimate business justification for communicating with them.
Amarutu Technology Ltd (AS206264)
Amarutu Technology is another offshore hosting provider registered in the Seychelles, advertising thousands of IPv4 addresses. IP 89.42.231.182 mapped to Amarutu was observed executing highly precise Web Application Attacks, specifically targeting the Spring Framework Path Traversal (CVE-2024-38816). The utilization of Amarutu for vulnerability-specific scanning suggests it is used by more sophisticated actors conducting targeted reconnaissance, hiding behind the shield of a provider known to throw abuse emails directly into the incinerator.
Threat actors frequently create fraudulent accounts or compromise existing tenants within legitimate cloud platforms to leverage their high bandwidth and clean IP reputations.
Oracle Corporation (AS31898)
Oracle Cloud represents a major target for infrastructure abuse due to its highly accessible "Always Free" tier. Attackers reliably automate the provisioning of these free tiers to spin up temporary attack nodes. IP 204.216.147.144, geolocated to Brazil, was responsible for repeated, high-severity alerts targeting the F5 TMUI RCE vulnerability (CVE-2020-5902) and DrayTek pre-authentication exploits. External intelligence confirms this specific Oracle IP is part of a known "Multi-Campaign Scanner" cluster. The use of Oracle Cloud allows the attacker to obscure their true origin behind a trusted enterprise ASN, bypassing lazy reputation-based blocking rules.
When threat actors are not buying VPS space, they are stealing processing power from residential users.
We observed heavy scanning activity from consumer ISPs in India (RailTel Corporation, Quadrant Televentures, National Internet Backbone) and Pakistan (Cyber Internet Services, CMPak Limited). IPs like 202.141.95.41 and 110.37.78.200 were repeatedly hitting us with Mirai Variant User-Agent scans. These are not malicious ISPs; they are ISPs with a massive customer base of users running cheap, unpatched home routers and internet-connected security cameras. The threat actors compromise these devices and use them as decentralized, disposable scanning nodes.
We occasionally catch legitimate (or semi-legitimate) research scanners in the crossfire. Nodes associated with Netiface LLC (AS36680) and some benign loopback traffic anomalies (GPL SCAN loopback traffic) from various ISPs often trigger low-severity alerts. While annoying, they lack the specific malicious payloads seen in the campaigns above. We rate them a neutral 😐, but we still log them, because today's academic research scanner is tomorrow's automated exploit framework.
While the STIX bundle did not provide captured file hashes (because the attackers were mostly throwing exploit payloads rather than dropping binaries in this specific dataset), the specific behavioral signatures triggered by the Suricata IDS allow for a definitive analysis of the malware families and the specific CVEs being weaponized.
The most ubiquitous botnet signature in the dataset is ET SCAN Mirai Variant User-Agent (Inbound). Mirai is the foundational source code for modern IoT botnets. However, modern threat groups, such as the well-resourced "Keksec" group, have evolved the original Mirai code into highly sophisticated variants like EnemyBot.
EnemyBot is notable for rapidly adopting "one-day" vulnerabilities into its scanning arsenal, and it targets enterprise services such as F5 TMUI rather than stopping at IoT telnet brute-forcing. The ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1 hits in our dataset are therefore consistent with EnemyBot activity. Consistent, not proof: CVE-2020-5902 is in every commodity exploit kit and a Mirai User-Agent string is trivially copied, so these signatures identify the behaviour, not the family. Either way, they want your load balancers, and they will use them to mine crypto or launch DDoS attacks.
The detection of ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal represents exploitation of CVE-2024-38816, a high-severity path traversal vulnerability in the Spring Framework disclosed in September 2024 and fixed in 5.3.40, 6.0.24 and 6.1.13.
This CVE affects Spring applications utilizing the WebMvc.fn or WebFlux.fn functional web frameworks. The vulnerability occurs when the application serves static resources using RouterFunctions and explicitly configures resource handling with a FileSystemResource location. Because the requested path was not properly normalized against the configured root, an attacker can craft an HTTP request containing path traversal sequences (../ variations, or URL-encoded equivalents such as %2e%2e%2f) to break out of the intended directory. Two caveats from Spring's own advisory: the malicious request is rejected when the Spring Security HTTP Firewall is in use, or when the application runs on Tomcat or Jetty, so the realistically exposed population is applications on other embedded servers (WebFlux on Netty being the obvious case) without that firewall in front.
Successful exploitation allows the attacker to read any file the application's process can read. This means they are grabbing your /etc/passwd, your application properties files, your hardcoded AWS keys, and your database credentials. It is a catastrophic information disclosure flaw, and the attackers are using European VPS nodes to harvest this data at scale.
A highly unusual finding in this dataset is the intense scanning for vulnerabilities within the "Ripple20" suite. Ripple20 is a set of 19 vulnerabilities, disclosed by JSOF in June 2020, in the Treck TCP/IP stack, a lightweight networking library embedded in millions of IoT, medical, and industrial control devices globally.
CVE-2020-11900 (IPv4 Tunneling Double Free): A memory corruption flaw in the IPv4 tunneling implementation of the Treck stack. When the stack processes encapsulated IP-in-IP packets (IP protocol 4), it improperly manages memory and frees the same allocation twice. Exploitation can lead to remote code execution or a total system crash. The Suricata signature sid:2030388 triggers on any traffic with ip_proto:4, which is exactly why it is a weak indicator on its own: unsolicited IP-in-IP from Hurricane Electric subnets tells you someone is enumerating hosts that accept protocol 4, with the Treck stack the obvious reason to care, but the signature cannot distinguish a Ripple20 hunt from a generic protocol sweep.
CVE-2020-11910 (ICMPv4 Out-of-Bounds Read): Insufficient bounds checking in the Treck stack's ICMPv4 packet processing routine. An attacker sends a malformed ICMPv4 type 3, code 4 (fragmentation needed, Path MTU Discovery) message with manipulated length fields; the stack fails to validate the length against the actual buffer and reads beyond the allocation, exposing adjacent memory. sid:2030390 is the matching signature.
CVE-2020-5902 is a critical vulnerability in the Traffic Management User Interface (TMUI) of F5 BIG-IP application delivery controllers. An unauthenticated attacker appends a /..;/ traversal sequence to the unauthenticated /tmui/login.jsp path; the Apache front end passes it through, while the Tomcat behind it treats the semicolon as a path-parameter delimiter and resolves the .., so the request lands on JSPs that were supposed to sit behind the login page.
Exploitation allows the attacker to read and write arbitrary files, run tmsh commands, and execute arbitrary Java code, resulting in a complete system compromise. Because F5 devices terminate TLS and load-balance traffic for entire enterprise networks, compromising one is a "crown jewel" objective. The fact that we are seeing Oracle Cloud nodes spamming this exploit in 2026 means organizations are still leaving their F5 management interfaces exposed to the public internet. Stop doing that.
For those of you who need to map everything to a matrix to justify your budget, here is exactly what these goblins were doing, neatly categorized.
| Tactic | Technique ID | Technique Name | Observation |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning | Hurricane Electric IPs actively scanning for Treck TCP/IP vulnerabilities (Ripple20) via IP-in-IP and ICMP anomalies. |
| Reconnaissance | T1595.001 | Active Scanning: Scanning IP Blocks | Broad Mirai Variant User-Agent scanning across generic web and IoT ports globally. |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of CVE-2024-38816 (Spring Framework), CVE-2020-5902 (F5 BIG-IP), and DrayTek RCE vulnerabilities. |
| Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell | Payload delivery for JAWS Webserver Unauthenticated Shell Command Execution attempts. |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files | Use of Spring Framework Path Traversal to read local configuration and environment files for credentials. |
| Impact | T1498.001 | Network Denial of Service: Direct Network Flood | High-volume SIP INVITE message flooding targeting port 5060 originating from Alsycon B.V. infrastructure. |
| Impact | T1499.004 | Endpoint Denial of Service: Application or System Exploitation | Exploitation of CVE-2020-11900 Double Free resulting in potential system crash of embedded Treck TCP/IP devices. |
Knowing is only half the battle. The other half is actually doing something about it before your pager goes off at 3 AM.
You can stop a significant portion of this nonsense at the perimeter.
Drop Unsolicited IP-in-IP Traffic (Ripple20 Mitigation): Unless your enterprise explicitly utilizes IP-in-IP tunneling (Protocol 4) for legacy VPNs, drop it at the edge. With raw iptables it is one line; note that -A appends to the end of the chain, so place it ahead of any broad ACCEPT rules (or use -I INPUT 1 to put it at the top):
iptables -A INPUT -p 4 -j DROP
ufw has no keyword for raw IP protocol numbers (its proto option only knows tcp, udp and a short list of named protocols such as esp, ah, gre and ipv6), so "ufw deny proto ipv4" is not a valid rule. On a ufw host, add the equivalent iptables-restore line to /etc/ufw/before.rules above its COMMIT line and run ufw reload:
-A ufw-before-input -p 4 -j DROP
Rate Limit SIP (Port 5060): To survive the Seychelles SIP flood, implement strict rate limiting on UDP port 5060.
iptables -A INPUT -p udp --dport 5060 -m limit --limit 5/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP
Two caveats before you paste that onto a real PBX host. The limit match keeps a single global bucket, so one flooder consumes the whole allowance and your legitimate SIP peers are dropped along with it; use the hashlimit match with --hashlimit-mode srcip if you want the limit applied per source. And 5 packets per second is a honeypot number, not a production one: size the limit to your actual INVITE rate and whitelist your SIP trunk provider's addresses ahead of it.
Hunt for these behaviors in your logs.
Splunk - Detecting Spring Traversal Attempts: Search your web proxy or access logs (firewall logs do not carry URI paths) for traversal sequences against the ports this campaign used. A 200 on a traversal payload is the row to chase first, but do not filter the rest out: the 404s and 400s still identify the scanning source.
index=web_proxy
| search (uri_path="*../*" OR uri_path="*..%2f*" OR uri_path="*%2e%2e*" OR uri_path="*..;/*")
    AND dest_port IN (3000, 4000, 8008, 18789, 8080, 443)
| stats count AS attempts, values(status_code) AS statuses BY src_ip, uri_path
| sort - attempts
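The Splunk search above matches a few literal spellings of the traversal sequence; scanners also send "..%2F" with uppercase hex, double-encoded "%252e", backslashes, and the "..;/" path-parameter trick used against F5 TMUI. The following is an added example for this page, not the report author's search or any vendor's tool: it canonicalizes the request path first (bounded repeat percent-decoding, backslash to slash, stripping ";param" suffixes), then flags any request whose path still contains a ".." segment, and tallies per source without discarding the non-200 probes. The requests are constructed log entries; the 198.51.100.x addresses are documentation-range controls.

```python
"""Canonicalise request paths before hunting for directory traversal.

Added example for this page, not the report's Splunk search or any vendor
tool. Input is a constructed list of (src_ip, request_path, status) tuples.
The normalisation steps (bounded repeat percent-decoding, backslash to
slash, dropping ';param' path parameters) are the tricks that defeat a
literal "../" or "%2e%2e%2f" string match. Query strings are ignored: this
hunts the path, which is where the Spring static-resource flaw lives.
"""
from urllib.parse import unquote

# Constructed sample requests. The first six are evasions a literal match
# misses or a status-200 filter discards; the last two are benign controls
# (198.51.100.x is documentation space, not a real client).
SAMPLE_REQUESTS = [
    ("89.42.231.182", "/static/../../../etc/passwd", 200),
    ("204.76.203.215", "/static/%2e%2e%2f%2e%2e%2fetc/passwd", 404),
    ("204.76.203.73", "/static/..%2F..%2Fetc/passwd", 200),
    ("193.34.212.9", "/static/%252e%252e%252fetc/passwd", 200),   # double-encoded
    ("204.216.147.144", "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp", 200),
    ("198.51.100.7", "/static/..\\..\\windows\\win.ini", 400),
    ("198.51.100.9", "/static/css/site.css", 200),
    ("198.51.100.9", "/static/dots..in..name.txt", 200),           # '..' inside a segment is fine
]


def canonical_path(raw, max_rounds=3):
    """Strip the query, percent-decode until stable (bounded, so %2525...
    cannot loop forever), unify separators and drop ';param' suffixes."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_traversal(raw):
    """A '..' segment survives canonicalisation. Browsers resolve these
    before sending, so one arriving on the wire is a scanner or an exploit."""
    return ".." in canonical_path(raw).split("/")


def flag_traversals(requests):
    """(src_ip, status, canonical path) for every traversal request."""
    return [(ip, status, canonical_path(path))
            for ip, path, status in requests if is_traversal(path)]


def probing_sources(requests):
    """Per source: (number of traversal probes, whether any got a 200).
    Non-200 probes are kept: a 404 still identifies the scanning host."""
    tally = {}
    for ip, status, _ in flag_traversals(requests):
        n, hit = tally.get(ip, (0, False))
        tally[ip] = (n + 1, hit or status == 200)
    return tally


if __name__ == "__main__":
    for ip, (n, hit) in sorted(probing_sources(SAMPLE_REQUESTS).items()):
        print(f"{ip:16} probes={n} got_200={hit}")
```

Run against the sample, six of the eight requests are flagged across six sources; a "status_code=200" filter would have kept only four of them and lost two scanning hosts. The segment test also explains why substring matching on ".." alone is noisy: a file called dots..in..name.txt is not a traversal.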
Elastic (ES|QL) - Detecting Cloud Abuse Scanners: Look for Oracle (AS31898) or Layer7 (AS199912) nodes hitting many ports in a short window. KQL has no aggregation pipeline, so this is written in ES|QL; swap logs-* for your index pattern. network.transport is the ECS field for tcp (network.protocol is the application protocol).
FROM logs-*
| WHERE network.transport == "tcp" AND source.as.number IN (31898, 199912)
| STATS port_count = COUNT_DISTINCT(destination.port), total_hits = COUNT(*) BY source.ip
| WHERE port_count > 10 AND total_hits > 50
Ensure your Suricata or Snort sensors are updated with the latest Emerging Threats (ET) rulesets. Critical SIDs to ensure are enabled and set to "Drop" (if operating in IPS mode) include:
sid:2056315 - ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816)
sid:2030388 - ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free
sid:2030390 - ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery
sid:2030469 - ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1
Note that sid:2030388 matches every IP-in-IP packet, so setting it to drop is equivalent to the protocol-4 firewall rule above: only do it where IP-in-IP has no business reaching you.
Because the attackers were executing remote exploits and scanning rather than dropping compiled binaries onto our Suricata sensor this month, we do not have specific file payloads to provide YARA rules for from this dataset. However, if you are hunting for the Mirai/EnemyBot binaries that these exploits ultimately attempt to fetch, look for standard Mirai ELF headers and UPX packed anomalies.
Here is the raw data. Feed it to your firewalls, blocklists, and threat intelligence platforms.
These IPs are actively launching high-severity exploits or massive Denial of Service floods. Immediate block priority.
160.119.76.47 (Seychelles / Alsycon B.V. - SIP Flood)
185.55.240.152 (Germany / Layer7 Networks - F5/DrayTek Exploits)
204.216.147.144 (Brazil / Oracle Corp - F5/DrayTek Exploits)
89.42.231.182 (Netherlands / Amarutu Technology - Spring Traversal)
193.34.212.9 (Poland / MEVSPACE - Spring Traversal)
204.76.203.215 (Netherlands / Pfcloud UG - Spring Traversal)
204.76.203.73 (Netherlands / Pfcloud UG - Spring Traversal)
Lower block priority: the Hurricane Electric Ripple20 scanning block and the various Mirai-infected residential nodes.
Hurricane Electric IP-in-IP Scanners:
64.62.197.84
64.62.197.200
64.62.197.239
64.62.197.206
64.62.197.53
64.62.197.162
64.62.156.79
64.62.156.129
64.62.156.168
64.62.156.213
64.62.156.151
Mirai/EnemyBot Infected Nodes (residential addresses churn, so expire these quickly):
45.88.110.97 (Germany)
45.88.110.44 (Germany)
202.141.95.41 (India)
222.127.53.189 (Philippines)
8.210.16.217 (Hong Kong - Alibaba Cloud)
110.37.78.200 (Pakistan)
124.29.214.201 (Pakistan)
102.212.40.100 (Nigeria)
59.98.206.128 (India)
43.230.105.61 (India)
Miscellaneous Exploits:
1.34.85.243 (Taiwan - VXWORKS Urgent11 RCE)
176.65.134.22 (Slovenia - Linksys RCE)
185.93.89.75 (Iran - Linksys RCE)
194.250.243.43 (France - Adenau Shellcode)
112.196.109.146 (India - Ripple20 ICMP)
213.152.161.50 (Netherlands - Ripple20 ICMP)
141.98.100.151 (UK - Ripple20 ICMP)
If there is one takeaway from March 2026, it is that the ghosts of vulnerabilities past will never stop haunting us. The fact that threat actors are still aggressively scanning for Ripple20 vulnerabilities in the Treck TCP/IP stack proves that embedded systems are the eternal Achilles heel of network security. Combine that with the rapid weaponization of modern framework flaws like the Spring Path Traversal, and the sheer brute force of offshore SIP flooding, and you have a perfect storm of misery for any SOC analyst.
Prediction for next month? Oracle will continue to let anyone with a pulse spin up a free tier to launch exploits, and bulletproof hosts in the Seychelles will continue to laugh at our abuse complaints. Keep your firewalls tight, drop protocols you do not use, and for the love of all that is holy, do not put your F5 management interface on the internet.
- ROBERT
NadSec Threat Intelligence
"I drink coffee so I don't strangle the firewall."
Gemini Deep Research Analysis
Extended context and threat landscape research
# Comprehensive Threat Intelligence Report: Suricata IDS Alert Intelligence (NadSec Sydney, March 2026)
The March 2026 data from the NadSec T-Pot honeypot in Sydney, Australia shows a threat landscape characterized by a high volume of automated scanning, opportunistic exploitation of legacy vulnerabilities, and the rapid weaponization of recently disclosed web application flaws. Threat actors are aggressively targeting edge devices, enterprise web applications, and embedded systems, through a combination of decentralized botnet activity (such as Mirai variants) and coordinated infrastructure scanning originating from offshore hosting providers and abused cloud environments.
This report analyzes the intrusion attempts, identifying the underlying malware families, mapping the attacker infrastructure, detailing the specific vulnerabilities targeted, and providing actionable detection and mitigation strategies. Exact attribution of automated botnet traffic remains difficult, but the data strongly indicates organized campaigns utilizing bulletproof hosting and compromised infrastructure to launch these attacks.
## 1. Executive Summary
This comprehensive threat intelligence report details the analysis of network intrusion data captured by a Suricata Intrusion Detection System (IDS) deployed within the NadSec T-Pot honeypot infrastructure in Sydney, Australia. The observation period spans the entirety of March 2026 (UTC). The objective of this research is to attribute threat actor infrastructure, analyze the specific malwares and campaigns traversing the network, map the observed activities to the MITRE ATT&CK framework, and provide robust mitigation recommendations.
The un-sampled, enriched STIX 2.1 dataset recorded a massive volume of **503,441 total alerts** originating from 78 distinct unique IP addresses. The extreme discrepancy between the relatively low number of unique source IP addresses and the extraordinarily high alert volume highlights the persistent, high-frequency nature of automated scanning and flooding attacks prevalent in the modern threat landscape.
Key findings from this analysis include:
* **Volumetric Anomalies:** A staggering 84.7% of all alert traffic (426,668 alerts) originated from a single autonomous system, AS49870 (Alsycon B.V.), geographically attributed to the Seychelles. This traffic was predominantly associated with Attempted Denial of Service attacks, specifically Session Initiation Protocol (SIP) INVITE message flooding.
* **IoT Botnet Dominance:** A significant portion of the distinct IP addresses (27 unique IPs) triggered signatures associated with Mirai botnet variants. These actors continue to probe standard web and IoT ports (80, 8080, 5555, 7574) seeking vulnerable devices for forced recruitment into decentralized denial-of-service and cryptomining botnets.
* **Exploitation of Deep Network Stacks (Ripple20):** Attackers are persistently scanning for devices vulnerable to the "Ripple20" suite of vulnerabilities, specifically targeting the Treck TCP/IP stack. Alerts for **CVE-2020-11900** (IP-in-IP tunnel Double-Free) [cite: 1, 2] and **CVE-2020-11910** (ICMPv4 Path MTU Discovery anomaly) [cite: 3, 4] were frequently triggered, primarily by infrastructure hosted on Hurricane Electric LLC in the United States.
* **Rapid Weaponization of Web Frameworks:** The dataset reveals active exploitation of **CVE-2024-38816**, a high-severity path traversal vulnerability in the Spring Framework [cite: 5, 6]. Threat actors are utilizing infrastructure hosted in Poland and the Netherlands to scan for vulnerable Spring WebFlux and WebMvc applications to read arbitrary files from the host file system [cite: 7, 8].
* **Cloud Infrastructure Abuse:** Notable exploitation activity, including attempts against the F5 BIG-IP Traffic Management User Interface (TMUI) via **CVE-2020-5902** [cite: 9, 10], originated from abused cloud infrastructure, notably Oracle Corporation assets located in Brazil.
The following sections dissect this data: infrastructure mapping, malware behavioral analysis, and the defensive posture required to mitigate these threats.
## 2. Statistical Overview
The quantitative analysis of the Suricata IDS alerts provides a macroscopic view of the threat landscape targeting the Sydney-based honeypot. The following tables synthesize the aggregate statistics computed from the enriched STIX 2.1 bundle.
### 2.1 Geographic Distribution of Threats
The geographical origin of an attack often reflects the locations of compromised hosts or the jurisdictions of bulletproof hosting providers chosen by threat actors.
| Country | Alert Count | Percentage of Total | Primary ASN Association |
| :--- | :--- | :--- | :--- |
| Seychelles | 426,668 | 84.75% | Alsycon B.V. |
| Germany | 40,924 | 8.13% | Layer7 Networks GmbH |
| Brazil | 20,580 | 4.09% | Oracle Corporation |
| Netherlands | 8,560 | 1.70% | Amarutu Technology Ltd (5,191); Pfcloud UG (3,369) |
| France | 4,867 | 0.97% | Contabo GmbH |
| Poland | 840 | 0.17% | MEVSPACE sp. z o.o. |
| United States | 536 | 0.11% | Hurricane Electric LLC |
| Slovenia | 92 | 0.02% | Netiface LLC |
| Iran | 76 | 0.02% | Limited Network LTD |
*Analysis:* The data is overwhelmingly skewed by traffic originating from the Seychelles, accounting for nearly 85% of all alerts. This indicates a highly concentrated volumetric attack—specifically, SIP flooding—originating from a specific hosting provider rather than a globally distributed botnet. Germany and Brazil follow, representing a mix of compromised regional virtual private servers (VPS) and abused cloud computing resources.
### 2.2 Top Autonomous System Networks (ASNs)
Attributing traffic to specific ASNs is critical for identifying hosting providers that are either intentionally complicit in malicious activity (bulletproof hosting) or suffer from lax anti-abuse policies.
| ASN Name | ASN Number | Alert Count | Infrastructure Type |
| :--- | :--- | :--- | :--- |
| Alsycon B.V. | AS49870 | 426,668 | Offshore/Hosting |
| Layer7 Networks GmbH | AS199912 | 40,888 | VPS/Hosting |
| Oracle Corporation | AS31898 | 20,580 | Cloud Computing |
| Amarutu Technology Ltd | AS206264 | 5,157 | Offshore/Hosting |
| Contabo GmbH | AS51167 | 4,858 | VPS/Hosting |
| Pfcloud UG | AS51396 | 3,369 | VPS/Hosting |
| MEVSPACE sp. z o.o. | AS201814 | 840 | VPS/Hosting |
| Hurricane Electric LLC | AS6939 | 536 | Tier 1 Transit/Hosting |
| Netiface LLC | AS36680 | 92 | ISP/Hosting |
| Limited Network LTD | AS213790 | 76 | Hosting |
*Analysis:* The prominence of Alsycon B.V. and Layer7 Networks GmbH suggests that threat actors are leveraging European and offshore hosting environments to launch high-volume attacks. The presence of Oracle Corporation indicates that attackers are successfully provisioning and abusing legitimate enterprise cloud environments to bypass geographic or reputation-based IP blocking.
### 2.3 Top Triggered Suricata Signatures
The signatures triggered by the IDS reveal the specific exploitation methods and technical objectives of the attackers. Note that the signature count in the aggregate statistics represents the *number of unique IPs* triggering the signature in the provided summary, while the total alerts metric captures the volume.
| Signature Name | Unique IPs Triggering | Primary Category |
| :--- | :--- | :--- |
| ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free | 28 | Attempted Administrator Privilege Gain |
| ET SCAN Mirai Variant User-Agent (Inbound) | 27 | Attempted Administrator Privilege Gain |
| SURICATA HTTP Unexpected Request body | 6 | Generic Protocol Command Decode |
| ET INFO SSH session in progress on Unusual Port | 6 | Misc activity |
| SURICATA STREAM spurious retransmission | 5 | Potentially Bad Traffic |
| ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816) | 5 | Web Application Attack |
| ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery | 5 | Attempted Administrator Privilege Gain |
| ET SCAN JAWS Webserver Unauthenticated Shell Command Execution | 4 | Web Application Attack |
| GPL SCAN loopback traffic | 4 | Potentially Bad Traffic |
*Analysis:* The most widespread threat, measured by the sheer number of distinct source IPs engaging in the behavior, is the targeting of CVE-2020-11900 (Treck TCP/IP stack) [cite: 1, 2] and Mirai botnet propagation. The identification of CVE-2024-38816 [cite: 5, 6] (Spring Framework) by 5 distinct IPs highlights the rapid incorporation of relatively new web vulnerabilities into automated scanning modules.
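The note above on counting draws a line between alert volume and the number of distinct sources, and the ASN table ranks by volume alone. The script below, added for this report and not T-Pot or Suricata code, computes both views from Suricata eve.json alert records so the two rankings can be compared side by side. The eve.json lines are constructed; `ASN_LOOKUP` is a hypothetical prefix table standing in for the ASN enrichment T-Pot adds in Elasticsearch (Suricata itself emits no ASN field), and the prefix lengths in it are assumed. Signature ids 2030388 and 2030469 are the ET sids named in this report; 9000001 and 9000002 are placeholders.

```python
"""Two views of the same Suricata alerts: volume per signature vs. distinct sources.

Added example for this report (not T-Pot or Suricata code). The eve.json records are
constructed, and ASN_LOOKUP is a hypothetical stand-in for the ASN enrichment T-Pot
performs in Elasticsearch; Suricata itself does not emit ASN fields.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed eve.json alert lines. sids 2030388/2030469 are the ET sids named in the
# report; 9000001/9000002 are placeholders, not real sids. Non-alert events are skipped.
SAMPLE_EVE = """\
{"timestamp":"2026-03-02T10:00:01.000+1100","event_type":"alert","src_ip":"160.119.76.47","dest_ip":"10.0.0.5","dest_port":5060,"alert":{"signature_id":9000001,"signature":"GPL VOIP SIP INVITE message flooding","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2026-03-02T10:00:01.010+1100","event_type":"alert","src_ip":"160.119.76.47","dest_ip":"10.0.0.5","dest_port":5060,"alert":{"signature_id":9000001,"signature":"GPL VOIP SIP INVITE message flooding","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2026-03-02T10:00:01.020+1100","event_type":"alert","src_ip":"160.119.76.47","dest_ip":"10.0.0.5","dest_port":5060,"alert":{"signature_id":9000001,"signature":"GPL VOIP SIP INVITE message flooding","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2026-03-02T10:05:00.000+1100","event_type":"flow","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":80}
{"timestamp":"2026-03-02T11:00:00.000+1100","event_type":"alert","src_ip":"64.62.197.84","dest_ip":"10.0.0.5","alert":{"signature_id":2030388,"signature":"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2026-03-02T11:30:00.000+1100","event_type":"alert","src_ip":"64.62.156.79","dest_ip":"10.0.0.5","alert":{"signature_id":2030388,"signature":"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2026-03-03T02:00:00.000+1100","event_type":"alert","src_ip":"185.55.240.152","dest_ip":"10.0.0.5","dest_port":443,"alert":{"signature_id":2030469,"signature":"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2026-03-03T03:00:00.000+1100","event_type":"alert","src_ip":"45.88.110.97","dest_ip":"10.0.0.5","dest_port":80,"alert":{"signature_id":9000002,"signature":"ET SCAN Mirai Variant User-Agent (Inbound)","category":"Attempted Administrator Privilege Gain","severity":1}}
"""

# Hypothetical prefix-to-ASN table; org names follow the report, prefix lengths are assumed.
ASN_LOOKUP = {
    "160.119.76.0/24": "AS49870",   # Alsycon B.V.
    "64.62.0.0/16": "AS6939",       # Hurricane Electric LLC
    "185.55.240.0/24": "AS199912",  # Layer7 Networks GmbH
    "45.88.110.0/24": "AS44486",    # SYNLINQ
}


def parse_alerts(eve_text):
    """Load eve.json lines and keep only event_type == "alert"."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def signature_stats(alerts):
    """Return {signature: (total_alerts, distinct_src_ips)}."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for a in alerts:
        sig = a["alert"]["signature"]
        totals[sig] += 1
        sources[sig].add(a["src_ip"])
    return {sig: (totals[sig], len(sources[sig])) for sig in totals}


def rank_signatures(stats, by="unique"):
    """Order signatures by distinct sources (breadth) or by raw alert count (volume)."""
    idx = 1 if by == "unique" else 0
    return [sig for sig, _ in sorted(stats.items(), key=lambda kv: kv[1][idx], reverse=True)]


def asn_for(ip, lookup=ASN_LOOKUP):
    """Longest-match is unnecessary here: the sample prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for cidr, asn in lookup.items():
        if addr in ipaddress.ip_network(cidr):
            return asn
    return "UNKNOWN"


def asn_volume(alerts, lookup=ASN_LOOKUP):
    """Return [(asn, alert_count, share_of_total)] sorted by volume, descending."""
    counts = defaultdict(int)
    for a in alerts:
        counts[asn_for(a["src_ip"], lookup)] += 1
    total = sum(counts.values())
    rows = ((asn, n, round(n / total, 4)) for asn, n in counts.items())
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    stats = signature_stats(alerts)
    print("top by volume  :", rank_signatures(stats, "volume")[0])
    print("top by sources :", rank_signatures(stats, "unique")[0])
    for asn, n, share in asn_volume(alerts):
        print(f"{asn:<10} {n:>3} alerts  {share:.1%}")
```

On the constructed sample the SIP flood leads by volume while the Ripple20 signature leads by distinct sources, which is exactly the divergence the report's tables show at scale: a volumetric source inflates the alert count without adding breadth. Run against a real eve.json export, `asn_for` would be replaced by the enrichment already present in the T-Pot index.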
### 2.4 Severity and Category Distribution
Understanding the severity and categorization of alerts assists Security Operations Center (SOC) teams in prioritizing incident response efforts.
**Severity Distribution:**
* **Severity 1 (High):** 71 distinct IP events.
* **Severity 2 (Medium):** 6 distinct IP events.
* **Severity 3 (Low/Informational):** 24 distinct IP events.
**Top Categories:**
1. Attempted Administrator Privilege Gain: 65 events
2. Generic Protocol Command Decode: 17 events
3. Web Application Attack: 11 events
4. Misc activity: 9 events
5. Potentially Bad Traffic: 4 events
*Analysis:* The overwhelming majority of the categorized events are classified as "Attempted Administrator Privilege Gain" and are of High Severity (Severity 1). This confirms that the honeypot is not merely receiving background internet noise or misconfigured packets; it is under active, targeted assault by actors intending to achieve Remote Code Execution (RCE) and full system compromise.
### 2.5 Targeted Ports and Protocols
| Port | Count of Unique IPs Targeting | Associated Services |
| :--- | :--- | :--- |
| 80 | 21 | HTTP, Mirai IoT targets, Web Apps |
| 443 | 16 | HTTPS, Secure Web Apps |
| 8080 | 15 | HTTP Alternate, Web Proxies, Routers |
| 3000 | 9 | Node.js, Spring Framework instances |
| 23 | 7 | Telnet, Legacy IoT brute-forcing |
| 4443 | 6 | HTTPS Alternate |
| 8443 | 6 | HTTPS Alternate |
| 22 | 6 | SSH |
**Protocols:**
* TCP: 68
* IP-in-IP: 28
* UDP: 24
* ICMP: 6
*Analysis:* The heavy targeting of HTTP/HTTPS ports (80, 443, 8080) aligns with the web application attacks (Spring Framework, F5 BIG-IP) and IoT router administration panels (DrayTek, Linksys). The extraordinarily high prevalence of the **IP-in-IP** protocol (Protocol 4) is directly correlated with the scanning for CVE-2020-11900 [cite: 11].
---
## 3. Infrastructure Deep Dive
This section provides an exhaustive attribution and classification of the primary infrastructure components leveraged by the threat actors. The analysis segments the infrastructure into distinct operational paradigms: Offshore/Bulletproof Hosting, Cloud Provider Abuse, Regional VPS Hosting, and Tier 1 Transit manipulation.
### 3.1 Offshore and Bulletproof Hosting
Bulletproof hosting refers to infrastructure providers that systematically ignore abuse complaints, operate in jurisdictions with lax cybercrime laws, or actively cater to malicious actors.
**Alsycon B.V. (AS49870)**
Alsycon B.V. operates a registered BGP network primarily associated with the Netherlands, though the threat data geographically maps a massive portion of its traffic to the Seychelles [cite: 12, 13]. The ASN peers extensively with major transit providers such as Cogent and Hurricane Electric [cite: 14].
* **Activity Profile:** In this dataset, Alsycon is responsible for 84.75% of the total alert volume. The primary recorded IP from the sample, `160.119.76.47`, was flagged for `GPL VOIP SIP INVITE message flooding` on port 5060.
* **Reputation Analysis:** Threat intelligence databases confirm that IP `160.119.76.47` carries a 100% abuse confidence score on AbuseIPDB, having been reported hundreds of times for malicious activity [cite: 15]. The immense volume generated by this ASN strongly indicates its use as a dedicated platform for launching high-bandwidth Denial of Service (DoS) attacks, likely offered as a Booter/Stresser service on the dark web.
**Amarutu Technology Ltd (AS206264)**
Amarutu Technology is another offshore hosting provider registered in the Seychelles, advertising thousands of IPv4 addresses and operating a vast BGP network [cite: 13, 16, 17].
* **Activity Profile:** The IP `89.42.231.182` mapped to Amarutu was observed executing Web Application Attacks, specifically targeting CVE-2024-38816 (Spring Framework Path Traversal) [cite: 5, 6].
* **Reputation Analysis:** While some automated fraud detection systems rate Amarutu as a low fraud risk for standard web traffic [cite: 18], specific IPs within its ranges are frequently reported for abuse, including hosting malicious domains (e.g., koddos.net) [cite: 19, 20, 21]. The utilization of Amarutu for precise, vulnerability-specific scanning (Spring Framework) suggests it is used by more sophisticated actors conducting targeted reconnaissance.
### 3.2 Cloud Provider Abuse
Threat actors frequently create fraudulent accounts or compromise existing tenants within legitimate cloud platforms to leverage their high bandwidth and clean IP reputations.
**Oracle Corporation (AS31898)**
Oracle Cloud represents a major target for infrastructure abuse due to its highly accessible "Always Free" tier, which attackers reliably automate to spin up temporary attack nodes.
* **Activity Profile:** IP `204.216.147.144`, geolocated to Vinhedo, São Paulo, Brazil [cite: 22], was responsible for 20 distinct events triggering high-severity alerts for `ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1` [cite: 9] and `ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515)`.
* **Reputation Analysis:** External intelligence confirms this specific Oracle IP is highly active in the global threat landscape. It has been identified by researchers as part of a "Multi-Campaign Scanner" cluster utilizing standard Linux TCP stack fingerprints to launch broad payloads against varying vulnerabilities [cite: 23]. The use of Oracle Cloud allows the attacker to obscure their true origin behind a trusted enterprise ASN.
### 3.3 Regional VPS and Hosting Abuse
Virtual Private Servers (VPS) in European jurisdictions are commonly used as mid-tier operational nodes or Command and Control (C2) servers.
**Layer7 Networks GmbH (AS199912)**
Based in Germany, Layer7 Networks provides standard data center and hosting services [cite: 24, 25].
* **Activity Profile:** The ASN was the second largest source of total alerts (40,888). The IP `185.55.240.152` was heavily active, repeatedly launching F5 BIG-IP TMUI RCE (CVE-2020-5902) [cite: 26] and DrayTek exploits.
* **Reputation Analysis:** The high volume of focused exploit attempts indicates that a compromised host or a maliciously purchased VPS on Layer7 is operating as an autonomous exploitation node, likely part of an IoT botnet's expansion mechanism.
**Pfcloud UG (AS51396)**
A smaller hosting provider located in the Netherlands and Germany [cite: 27, 28].
* **Activity Profile:** IPs `204.76.203.215` and `204.76.203.73` were observed launching Spring Framework FileSystemResource Path Traversal (CVE-2024-38816) attacks [cite: 5].
* **Reputation Analysis:** Multiple IPs within the Pfcloud ASN possess 100% abuse confidence scores in public repositories [cite: 29]. Despite having an Acceptable Use Policy that expressly forbids malicious scripts and network abuse [cite: 30], the network is demonstrably utilized for active web vulnerability scanning.
### 3.4 Tier 1 Transit and Anomalous Scanning
**Hurricane Electric LLC (AS6939)**
Hurricane Electric is a massive Tier 1 global internet backbone provider.
* **Activity Profile:** A highly anomalous pattern emerged with 28 distinct IPs (e.g., `64.62.197.84`, `64.62.156.79`) registered to Hurricane Electric all triggering the exact same signature: `ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free` [cite: 1, 2].
* **Reputation Analysis:** IPs in the `64.62.197.x` and `64.62.156.x` subnets have been historically flagged in various firewall blocklists and threat repositories for unauthorized scanning and SMTP abuse [cite: 29, 31, 32]. The highly coordinated nature of this scanning (dozens of IPs from the same /24 and /16 ranges launching identical, esoteric IP-in-IP payloads) strongly suggests a coordinated, distributed research scanner or a highly specialized botnet hunting for vulnerable embedded Treck TCP/IP stacks.
---
## 4. Malware and Vulnerability Analysis
While the STIX bundle did not provide captured file hashes, the specific behavioral signatures triggered by the Suricata IDS allow for a definitive analysis of the malware families and the specific Common Vulnerabilities and Exposures (CVEs) being weaponized against the NadSec infrastructure.
### 4.1 Mirai Variants and the EnemyBot Threat
The most ubiquitous botnet signature in the dataset is `ET SCAN Mirai Variant User-Agent (Inbound)`. Mirai is the foundational source code for modern IoT botnets, designed to compromise internet-facing Linux devices (routers, IP cameras, DVRs) to launch catastrophic Distributed Denial of Service (DDoS) attacks.
**Behavioral Analysis:**
The observed IPs (e.g., `45.88.110.97`, `110.37.78.200`, `222.127.53.189`) span diverse global ISPs, indicating they are compromised residential or enterprise edge devices operating as bots. These bots scan pseudo-randomly for other vulnerable devices.
**Evolution to EnemyBot:**
Modern threat groups, such as the well-resourced "Keksec" group, have evolved the original Mirai code into highly sophisticated variants like **EnemyBot** [cite: 10]. EnemyBot is notable for rapidly adopting "one-day" vulnerabilities into its scanning arsenal.
The presence of `ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1` [cite: 9] in the dataset is highly indicative of EnemyBot activity. EnemyBot actively targets enterprise services, including the F5 BIG-IP TMUI and various Content Management Systems (CMS), moving beyond simple IoT telnet brute-forcing to sophisticated web application remote code execution [cite: 10]. The combination of Mirai User-Agent scanning and F5 TMUI exploitation across the dataset confirms the presence of these advanced, rapidly evolving botnet strains.
### 4.2 Deep Dive: Spring Framework Path Traversal (CVE-2024-38816)
The detection of `ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816)` represents the exploitation of a highly modern, high-severity vulnerability [cite: 8, 33].
**Technical Breakdown:**
CVE-2024-38816 affects Spring applications utilizing the `WebMvc.fn` or `WebFlux.fn` functional web frameworks [cite: 5, 6]. The vulnerability occurs when the application serves static resources using `RouterFunctions` and explicitly configures resource handling with a `FileSystemResource` location [cite: 33, 34].
Due to a failure to properly sanitize external input, an attacker can craft a malicious HTTP request containing specialized path traversal sequences (e.g., "dot-dot-slash" `../` variations) to break out of the intended restricted directory [cite: 8, 34].
**Exploitation Impact:**
Successful exploitation allows the attacker to read arbitrary files on the host file system that the Spring application process has access to [cite: 6, 7]. This can result in the catastrophic disclosure of sensitive configuration files, environment variables, source code, and hardcoded authentication credentials, subsequently facilitating full system compromise or lateral movement within an enterprise network [cite: 6, 35].
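The breakdown and impact paragraphs above describe a file-serving mistake: request input joined onto a base directory without checking where the result lands. The example below, added for this report and written in Python rather than Spring, is not the Spring Framework's code and does not reproduce CVE-2024-38816; it shows the naive resolution beside a canonicalising containment check of the kind a patched resource handler performs. `build_fixture()`, `resolve_naive()` and `resolve_static()` are names chosen here, and the directory layout (a served `public/` tree with a `secret.txt` one level above it) is constructed in a temporary folder.

```python
"""Naive static-file resolution beside a canonicalising containment check.

Added example for this report, in Python rather than Spring. It is not the Spring
Framework's code and does not reproduce CVE-2024-38816 itself, only the file-serving
mistake that bug class represents. The layout is constructed by build_fixture().
"""
import tempfile
from pathlib import Path
from urllib.parse import unquote


def build_fixture():
    """Create <tmp>/public/index.html and <tmp>/secret.txt; return the public dir."""
    root = Path(tempfile.mkdtemp(prefix="static-demo-"))
    public = root / "public"
    public.mkdir()
    (public / "index.html").write_text("<h1>ok</h1>\n")
    # Constructed sample outside the served tree; the thing a traversal would reach.
    (root / "secret.txt").write_text("db_password=constructed-sample\n")
    return public


def resolve_naive(base_dir, raw_path):
    """The mistake: decode and join, never asking whether the result left base_dir."""
    return (Path(base_dir) / unquote(raw_path)).resolve()


def fully_decode(raw_path, max_rounds=3):
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f both become ../."""
    current = raw_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_static(base_dir, raw_path):
    """Return the file to serve, or None when the request would escape base_dir.

    Both sides are canonicalised with resolve(), which collapses '..' and follows
    symlinks, and the candidate must then sit inside the base. Absolute paths,
    backslashes and NUL bytes are rejected before joining at all.
    """
    base = Path(base_dir).resolve()
    decoded = fully_decode(raw_path)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    candidate = (base / decoded).resolve()
    if not candidate.is_relative_to(base):
        return None
    return candidate if candidate.is_file() else None


if __name__ == "__main__":
    base = build_fixture()
    for req in ["index.html", "../secret.txt", "%2e%2e%2fsecret.txt", "%252e%252e%252fsecret.txt"]:
        naive = resolve_naive(base, req).name
        print(f"{req:<28} naive -> {naive:<20} checked -> {resolve_static(base, req)}")
```

The containment test is done on the resolved path, not on the request string, because string filters for `../` are what percent-encoding and double-encoding get past; decoding to a fixed point before joining closes that gap, and `resolve()` handles symlinks that would otherwise point out of the tree. Requires Python 3.9 or newer for `Path.is_relative_to`.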
### 4.3 Deep Dive: The Ripple20 Suite (CVE-2020-11900 & CVE-2020-11910)
A highly unusual and specific finding in this dataset is the intense scanning for vulnerabilities within the "Ripple20" suite. Ripple20 is a collection of 19 zero-day vulnerabilities discovered in the Treck TCP/IP stack, a lightweight networking library embedded in millions of IoT, medical, and industrial control devices globally [cite: 3, 36].
**CVE-2020-11900: IPv4 Tunneling Double Free** [cite: 1, 2]
* **Mechanism:** This vulnerability is a Double Free memory corruption flaw (CWE-415) located within the IPv4 tunneling implementation of the Treck stack [cite: 1, 2, 37]. When the stack processes encapsulated IP-in-IP packets (IP Protocol 4), it improperly manages memory allocation, calling `free()` twice on the same memory address [cite: 1, 2].
* **Impact:** Exploitation can lead to Remote Code Execution (RCE) or a Denial of Service (system crash) on the embedded device [cite: 38, 39].
* **Detection Context:** The Suricata signature `ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free` (sid: 2030388) triggers on traffic utilizing `ip_proto:4` [cite: 11, 40]. Because legitimate IP-in-IP VPN traffic also uses Protocol 4, this rule can generate false positives in environments that heavily utilize IP-in-IP tunneling [cite: 11, 41]. However, in the context of a honeypot, the arrival of unsolicited IP-in-IP packets from Hurricane Electric subnets is a definitive indicator of malicious reconnaissance.
**CVE-2020-11910: ICMPv4 Out-of-Bounds Read** [cite: 3, 4]
* **Mechanism:** This flaw involves insufficient bounds checking in the Treck stack's ICMPv4 packet processing routine [cite: 3, 4, 42]. An attacker sends a specially crafted, malformed ICMPv4 packet with manipulated length fields [cite: 3]. The system fails to validate the length field against the actual buffer size, causing the stack to read beyond the allocated memory boundaries [cite: 42, 43].
* **Impact:** This results in an Out-of-Bounds Read, potentially exposing sensitive data located in adjacent memory segments, aiding in bypassing memory protections for subsequent exploitation [cite: 3].
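The detection context for CVE-2020-11900 above notes that protocol 4 is also legitimate tunnel traffic, and the CVE-2020-11910 mechanism turns on length fields that do not agree with the packet. The example below, added for this report and not Suricata's rule logic or T-Pot code, performs the header-level checks behind both detections: it flags IP-in-IP encapsulation unless the outer source is on a tunnel-peer allowlist, and it flags ICMPv4 type 3 code 4 messages whose quoted datagram is shorter than RFC 792 requires, whose quoted header has inconsistent lengths, or whose advertised MTU is below the IPv4 minimum. All packets are constructed with `struct` (checksums left at zero); the allowlist is a hypothetical site setting, and the report's IP addresses appear in the fixtures only as labels.

```python
"""Header-level checks behind two Ripple20 detections: IP-in-IP (protocol 4) from a
non-tunnel peer, and ICMPv4 type 3 code 4 with inconsistent quoted data or lengths.

Added example for this report, not Suricata rule logic or T-Pot code. Packets are
constructed (checksums zero); the tunnel-peer allowlist is a hypothetical setting.
"""
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header for constructed test packets."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4(pkt):
    """Return the fields a detector needs; raise ValueError for anything not sane IPv4."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent IPv4 length fields")
    return {"ihl": ihl, "total_len": total_len, "proto": proto,
            "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "payload": pkt[ihl:total_len]}


def check_ipip(pkt, tunnel_peers):
    """Report protocol-4 encapsulation unless the outer source is an expected tunnel peer.

    Legitimate IP-in-IP also uses protocol 4, which is why the signature is noisy in
    tunnelling-heavy networks; the allowlist keeps the check quiet for known peers.
    """
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return None
    src = ipaddress.ip_address(outer["src"])
    if any(src in ipaddress.ip_network(peer) for peer in tunnel_peers):
        return None
    try:
        inner = parse_ipv4(outer["payload"])
        detail = f"inner {inner['src']}->{inner['dst']} proto {inner['proto']}"
    except ValueError as err:
        detail = f"inner header unparsable ({err})"
    return f"unexpected IP-in-IP from {outer['src']}: {detail}"


def check_icmp_frag_needed(pkt):
    """Report ICMPv4 type 3 code 4 (Fragmentation Needed) that a router would never send.

    RFC 792: the message quotes the original IP header plus at least 8 bytes of its
    payload, so fewer than 28 quoted bytes, a quoted header whose lengths disagree, or
    a next-hop MTU below the IPv4 minimum of 68 all indicate a crafted packet.
    """
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_ICMP:
        return None
    icmp = outer["payload"]
    if len(icmp) < 8:
        return f"truncated ICMP header from {outer['src']}"
    icmp_type, code, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    quoted = icmp[8:]
    if len(quoted) < 28:
        return f"frag-needed from {outer['src']} quotes only {len(quoted)} bytes"
    try:
        parse_ipv4(quoted)
    except ValueError as err:
        return f"frag-needed from {outer['src']} quotes a bad header ({err})"
    if next_mtu < 68:
        return f"frag-needed from {outer['src']} advertises MTU {next_mtu}"
    return None


# Constructed fixtures; outer sources reuse addresses from the report purely as labels.
_inner = ipv4_header("192.0.2.1", "10.0.0.5", 6, 0)
IPIP_FROM_SCANNER = ipv4_header("64.62.197.84", "10.0.0.5", IPPROTO_IPIP, len(_inner)) + _inner
IPIP_FROM_TUNNEL_PEER = ipv4_header("198.51.100.7", "10.0.0.5", IPPROTO_IPIP, len(_inner)) + _inner
_quoted_ok = ipv4_header("10.0.0.5", "203.0.113.9", 17, 8) + b"\x00" * 8
_icmp_ok = struct.pack("!BBHHH", 3, 4, 0, 0, 1280) + _quoted_ok
ICMP_WELL_FORMED = ipv4_header("203.0.113.9", "10.0.0.5", IPPROTO_ICMP, len(_icmp_ok)) + _icmp_ok
_icmp_short = struct.pack("!BBHHH", 3, 4, 0, 0, 1280) + _quoted_ok[:12]
ICMP_TRUNCATED = ipv4_header("213.152.161.50", "10.0.0.5", IPPROTO_ICMP, len(_icmp_short)) + _icmp_short

if __name__ == "__main__":
    peers = ["198.51.100.0/24"]
    print("ipip/scanner     :", check_ipip(IPIP_FROM_SCANNER, peers))
    print("ipip/tunnel peer :", check_ipip(IPIP_FROM_TUNNEL_PEER, peers))
    print("icmp/well-formed :", check_icmp_frag_needed(ICMP_WELL_FORMED))
    print("icmp/truncated   :", check_icmp_frag_needed(ICMP_TRUNCATED))
```

The allowlist is the difference between a rule that fires on every VPN concentrator and one that only fires on unsolicited encapsulation; on a honeypot, where no tunnels are expected, the list is empty and every protocol-4 packet is reportable, which is the situation the report describes.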
### 4.4 Deep Dive: F5 BIG-IP TMUI RCE (CVE-2020-5902)
**Technical Breakdown:**
CVE-2020-5902 is a critical vulnerability located in the Traffic Management User Interface (TMUI) of F5 BIG-IP application delivery controllers [cite: 9, 26]. The vulnerability allows unauthenticated attackers (or authenticated users depending on configuration) to access the TMUI control panel.
**Exploitation Impact:**
Exploitation allows the attacker to execute arbitrary system commands, create or delete files, and execute arbitrary Java code, resulting in complete compromise of the load balancer [cite: 9, 44]. Because F5 devices often handle sensitive decryption and routing for entire enterprise networks, compromising this device is a "crown jewel" objective for advanced threat actors. The Suricata rule `ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1` actively monitors for requests attempting to bypass authentication via the `/tmui/login.jsp` URI path using specific byte sequences [cite: 26].
---
## 5. Campaign Analysis
By synthesizing the infrastructure mapping and the malware behavioral analysis, distinct threat campaigns targeting the Australian honeypot can be defined.
### 5.1 Campaign Alpha: Decentralized Mirai/EnemyBot Expansion
This campaign is characterized by the broad, geographically dispersed scanning on ports 80, 8080, 7574, and 5555.
* **Actors:** Compromised edge devices globally (e.g., India, Pakistan, China, Philippines).
* **Objective:** To identify vulnerable Linux-based IoT devices and enterprise edge appliances (such as DrayTek routers and F5 BIG-IP systems) and force-feed them malicious shell scripts via command injection or RCE vulnerabilities.
* **TTPs:** Utilizing known Mirai User-Agents and leveraging modern exploit chains (EnemyBot) to maximize infection success rates. The goal is to grow the botnet for future DDoS-for-hire operations.
### 5.2 Campaign Beta: The Ripple20 Treck Stack Hunters
This campaign is highly specific and anomalous.
* **Actors:** A concentrated cluster of IPs originating almost exclusively from Hurricane Electric LLC (AS6939) in the United States.
* **Objective:** To map the global internet for embedded industrial, medical, and networking devices still running unpatched versions of the Treck TCP/IP stack (pre-6.0.1.66) [cite: 4, 42, 43].
* **TTPs:** Firing highly esoteric network protocols—specifically IP-in-IP encapsulation (Protocol 4) and anomalous ICMPv4 Path MTU Discovery packets—at random public IPs. This represents a highly sophisticated reconnaissance effort, likely conducted by an Advanced Persistent Threat (APT) group or a specialized research entity mapping critical infrastructure vulnerabilities.
### 5.3 Campaign Gamma: Modern Web Application Harvesters
This campaign focuses on data extraction and immediate server compromise via recently disclosed vulnerabilities.
* **Actors:** Infrastructure provisioned on European VPS providers (Pfcloud UG, MEVSPACE) and offshore hosts (Amarutu Technology).
* **Objective:** To exploit CVE-2024-38816 (Spring Framework) [cite: 5, 6] and CVE-2023-0126 (SonicWall Directory Traversal) to steal configuration files, database credentials, and cloud access tokens [cite: 6].
* **TTPs:** Utilizing crafted HTTP GET requests containing directory traversal payloads against ports 3000, 4000, 8008, and 18789. The attackers rely on the relative recency of the Spring vulnerability (September 2024 disclosure) [cite: 33, 34], assuming many organizations have yet to patch their functional web frameworks [cite: 35].
### 5.4 Campaign Delta: Volumetric SIP Flooding
* **Actors:** Infrastructure hosted at Alsycon B.V. (Seychelles/Netherlands) [cite: 12, 14].
* **Objective:** Complete resource exhaustion of the target's VOIP or network infrastructure.
* **TTPs:** Sending an overwhelming flood of UDP SIP INVITE messages to port 5060. This is indicative of a targeted "stress test" or a Booter service launching a DDoS attack, likely testing the honeypot's bandwidth limitations or attempting to disrupt simulated VOIP services.
---
## 6. Infrastructure Mapping and Attack Chain
The following attack chain documents the lifecycle of the intrusions observed against the NadSec infrastructure.
**Phase 1: Reconnaissance (The Scanning Phase)**
1. **Distributed Nodes:** Mirai-infected IoT devices (e.g., `222.127.53.189` in the Philippines) continuously generate random IPv4 addresses and execute lightweight TCP SYN scans against target ports (80, 8080).
2. **Centralized Scanners:** Cloud nodes (e.g., Oracle IP `204.216.147.144`) utilize automated tools (like Nuclei) to mass-scan IP blocks for specific exposed services (e.g., F5 TMUI login pages) [cite: 23].
**Phase 2: Weaponization & Delivery**
1. **Payload Crafting:** Once an open port is detected, the attacker infrastructure delivers a specific payload.
    * For Spring Framework targets, the European VPS nodes send a crafted HTTP request with `../` sequences targeting the `FileSystemResource` [cite: 8, 34].
    * For Treck TCP/IP targets, the Hurricane Electric nodes deliver a malformed IP-in-IP packet designed to trigger the double-free condition [cite: 1, 2].
**Phase 3: Exploitation**
1. **Code Execution:** The vulnerability is triggered. In the case of the F5 BIG-IP (CVE-2020-5902), the attacker achieves unauthenticated command execution [cite: 9, 10].
2. **Information Disclosure:** In the Spring Framework attack, the application returns the contents of `/etc/passwd` or application properties files to the attacker's VPS [cite: 6].
**Phase 4: Installation & Command and Control (C2)**
1. **Dropper Execution:** For RCE exploits (F5, DrayTek, JAWS), the initial payload typically executes a `wget` or `curl` command to download a secondary payload (the botnet binary) from a malware hosting server (often hosted on bulletproof infrastructure like Amarutu or Layer7).
2. **C2 Communication:** The newly infected honeypot (if it were vulnerable) would execute the binary, terminating existing competing malware processes, and establish an outbound connection to a centralized C2 server (often via IRC or a custom TCP protocol) to await DDoS instructions.
---
## 7. MITRE ATT&CK Mapping
The behaviors observed by the Suricata IDS perfectly map to several tactics and techniques defined in the MITRE ATT&CK Framework.
| Tactic | Technique ID | Technique Name | Context / Observation from Dataset |
| :--- | :--- | :--- | :--- |
| **Reconnaissance** | T1595.002 | Active Scanning: Vulnerability Scanning | Hurricane Electric IPs actively scanning for Treck TCP/IP vulnerabilities (Ripple20) via IP-in-IP and ICMP anomalies. |
| **Reconnaissance** | T1595.001 | Active Scanning: Scanning IP Blocks | Broad Mirai Variant User-Agent scanning across generic web and IoT ports globally. |
| **Initial Access** | T1190 | Exploit Public-Facing Application | Exploitation of CVE-2024-38816 (Spring Framework) [cite: 5, 6], CVE-2020-5902 (F5 BIG-IP) [cite: 9], and DrayTek RCE vulnerabilities. |
| **Execution** | T1059.004 | Command and Scripting Interpreter: Unix Shell | Payload delivery for JAWS Webserver Unauthenticated Shell Command Execution attempts. |
| **Credential Access** | T1552.001 | Forged Web Credentials / Local File Inclusion | Use of Spring Framework Path Traversal to attempt reading local configuration files and environment variables for credentials [cite: 6]. |
| **Impact** | T1498.001 | Network Denial of Service: Direct Network Flood | High-volume SIP INVITE message flooding targeting port 5060 originating from Alsycon B.V. infrastructure [cite: 12, 14]. |
| **Impact** | T1499.004 | Endpoint Denial of Service: Application or System Exploitation | Exploitation of CVE-2020-11900 Double Free resulting in potential system crash of embedded Treck TCP/IP devices [cite: 1, 38]. |
---
## 8. Detection & Mitigation Strategies
Defending against the diverse array of threats observed requires a defense-in-depth approach, encompassing network edge filtering, application security updates, and robust SIEM monitoring.
### 8.1 Network Edge and Firewall Mitigation
* **Geographic and ASN Blocking:** Given the lack of legitimate business justification for massive inbound traffic from Seychelles-based offshore hosting providers, organizations should strongly consider implementing Geo-IP blocking or ASN-based dropping for AS49870 (Alsycon) and AS206264 (Amarutu) on external firewalls.
* **Protocol Filtering:** Unless explicitly required for enterprise VPN tunneling, **IP Protocol 4 (IP-in-IP)** should be dropped at the perimeter firewall to neutralize the Ripple20 CVE-2020-11900 scanning activity [cite: 11].
* **Rate Limiting:** Implement strict rate limiting on UDP port 5060 to mitigate SIP INVITE flooding attacks.
### 8.2 Application and Endpoint Mitigation
* **Patch Management:**
    * **Spring Framework:** Immediately upgrade Spring Framework to 6.1.13 or newer, or to 6.0.24, to mitigate CVE-2024-38816 [cite: 5, 8]. If patching is impossible, enabling the Spring Security HTTP Firewall or switching the underlying web server to Tomcat or Jetty will block the malicious path traversal requests [cite: 33, 35].
    * **F5 BIG-IP:** Ensure all F5 devices are updated to patched firmware versions addressing CVE-2020-5902. Furthermore, the management interface and Self IPs must never be exposed to the public internet [cite: 9].
    * **IoT Devices:** Isolate legacy IoT devices and printers (which frequently utilize the Treck TCP/IP stack) on segmented VLANs with strict outbound access controls to prevent botnet recruitment and Ripple20 exploitation.
### 8.3 SIEM Queries and Log Analysis
Security teams should implement the following logic in their SIEM (Splunk, Elastic, Sentinel) to detect anomalous behavior:
* **Detecting Spring Traversal Attempts:**
```spl
index=web_proxy OR index=firewall
| search (uri_path="*../*" OR uri_path="*%2e%2e%2f*") AND (dest_port=3000 OR dest_port=8080 OR dest_port=443)
| stats count by src_ip, uri_path, status_code
| where status_code=200
```
*(Note: A status code 200 on a directory traversal payload indicates successful exploitation and file retrieval).*
* **Detecting Cloud Abuse Scanners:**
```spl
index=firewall (src_asn="AS31898" OR src_asn="AS199912")
| stats dc(dest_port) as port_count, count by src_ip
| where port_count > 10 AND count > 50
```
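For teams without Splunk, or for checking what the two queries above actually select before deploying them, here is the same logic run in Python over constructed log lines. This is an added example for this report, not a Splunk artefact. Field names (`src_ip`, `uri_path`, `status_code`, `dest_port`, `src_asn`) mirror the SPL and the thresholds are the ones the queries use; one deliberate difference is that the traversal check percent-decodes `uri_path` (two rounds) before matching, so single- and double-encoded sequences group with their plain form instead of being counted separately. `constructed_firewall_log()` generates the firewall events, and AS64496 in it is a documentation ASN used as out-of-scope noise.

```python
"""The two SIEM detections from section 8.3, run in Python over constructed log lines.

Added example for this report, not a Splunk artefact. Field names mirror the SPL
above; the traversal check decodes uri_path first so encoded variants group together.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed web-proxy records in key=value form; source addresses come from the IOC table.
PROXY_LOG = """\
src_ip=89.42.231.182 dest_port=3000 uri_path=/static/%2e%2e%2f%2e%2e%2fetc/passwd status_code=200
src_ip=89.42.231.182 dest_port=3000 uri_path=/static/../../application.properties status_code=404
src_ip=204.76.203.215 dest_port=8080 uri_path=/static/..%252f..%252fetc/passwd status_code=200
src_ip=203.0.113.20 dest_port=443 uri_path=/assets/app.js status_code=200
src_ip=203.0.113.21 dest_port=443 uri_path=/docs/notes..txt status_code=200
src_ip=203.0.113.22 dest_port=22 uri_path=/../x status_code=200
"""

WATCHED_PORTS = {3000, 8080, 443}          # the dest_port filter from the first query
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # a '..' path segment, not any two dots


def parse_kv(line):
    """Turn 'k=v k=v' into a dict; values stay strings until a check needs a number."""
    return dict(field.split("=", 1) for field in line.split())


def traversal_hits(log_text):
    """Mirror of the first query: count by src_ip, decoded uri_path, status; keep 200s."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_kv(line)
        if int(rec["dest_port"]) not in WATCHED_PORTS:
            continue
        decoded = unquote(unquote(rec["uri_path"]))  # two rounds: %2e and %252e forms
        if not TRAVERSAL.search(decoded):
            continue
        counts[(rec["src_ip"], decoded, int(rec["status_code"]))] += 1
    return {key: n for key, n in counts.items() if key[2] == 200}


def constructed_firewall_log():
    """A cloud node fanning out across 12 ports, a quiet VPS, and noise outside the ASN filter."""
    lines = [f"src_ip=204.216.147.144 src_asn=AS31898 dest_port={8000 + i % 12}" for i in range(60)]
    lines += [f"src_ip=185.55.240.152 src_asn=AS199912 dest_port={443 if i % 2 else 8443}" for i in range(5)]
    lines += [f"src_ip=198.51.100.5 src_asn=AS64496 dest_port={1000 + i % 20}" for i in range(80)]
    return "\n".join(lines)


def scanner_fanout(log_text, asns=("AS31898", "AS199912"), min_ports=10, min_events=50):
    """Mirror of the second query: dc(dest_port) and count by src_ip within the ASNs, then threshold."""
    ports = defaultdict(set)
    events = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("src_asn") not in asns:
            continue
        ports[rec["src_ip"]].add(rec["dest_port"])
        events[rec["src_ip"]] += 1
    return {ip: (len(ports[ip]), events[ip]) for ip in events
            if len(ports[ip]) > min_ports and events[ip] > min_events}


if __name__ == "__main__":
    for (ip, path, status), n in traversal_hits(PROXY_LOG).items():
        print(f"traversal  {ip:<16} {path:<28} {status} x{n}")
    for ip, (port_count, count) in scanner_fanout(constructed_firewall_log()).items():
        print(f"fan-out    {ip:<16} {port_count} ports, {count} events")
```

Two practical notes on reading the output. A 200 is a useful first filter but not proof of file retrieval: a framework that answers traversal with a friendly error page also returns 200, so confirm with response size or body before treating a hit as a disclosure. And the fan-out rule is deliberately scoped to the two ASNs from the report; widening it to all sources turns it into a generic port-scan detector, which is a different and much noisier alert.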
### 8.4 Suricata / Snort Signatures
Ensure the IDS sensor is updated with the latest Emerging Threats (ET) rulesets [cite: 45, 46]. Critical SIDs that should be enabled and, when operating in IPS mode, set to "Drop" include:
* `sid:2056315` - ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816) [cite: 45]
* `sid:2030388` - ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free [cite: 11, 40, 41, 46]
* `sid:2030390` - ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery [cite: 46]
* `sid:2030469` - ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1 [cite: 9, 10]
---
## 9. IOC Appendix
The following table provides a detailed contextual analysis of the highly active IP addresses identified in the sample dataset. *(Note: 0 file hashes and 0 URLs were present in the source sample; therefore, analysis relies strictly on IP-based behavioral telemetrics).*
| IP Address | ASN & Org | Country | Primary Threat Activity | Context & Analysis |
| :--- | :--- | :--- | :--- | :--- |
| `160.119.76.47` | AS49870 (Alsycon B.V.) | SC (Seychelles) | SIP INVITE Flooding | Identified as a severe abuser (100% confidence on AbuseIPDB) [cite: 15]. Responsible for immense volume of DoS traffic [cite: 12, 47]. |
| `185.55.240.152` | AS199912 (Layer7 Networks) | DE (Germany) | F5 TMUI & DrayTek RCE | European VPS node actively launching enterprise-grade exploit payloads [cite: 9, 24]. Indicates EnemyBot or similar advanced botnet activity. |
| `204.216.147.144` | AS31898 (Oracle Corp) | BR (Brazil) | F5 TMUI & DrayTek RCE | Abused cloud infrastructure [cite: 22]. Known "Multi-Campaign Scanner" utilizing standard Linux fingerprints to map and exploit vulnerabilities en masse [cite: 23, 48, 49]. |
| `89.42.231.182` | AS206264 (Amarutu Technology) | NL (Netherlands) | Spring Path Traversal | Offshore hosting node exploiting CVE-2024-38816 [cite: 5, 6]. Highlights the use of bulletproof networks for modern web app exploitation [cite: 18, 50]. |
| `193.34.212.9` | AS201814 (MEVSPACE) | PL (Poland) | Spring Path Traversal | European VPS targeting ports 4000/4443 with Spring traversal payloads [cite: 5]. |
| `204.76.203.215` | AS51396 (Pfcloud UG) | NL (Netherlands) | Spring Path Traversal | Hosting node exploiting modern web frameworks [cite: 27, 28]. |
| `64.62.197.84` (and 20+ similar IPs) | AS6939 (Hurricane Electric) | US (United States) | Ripple20 Double-Free | Part of a massive, coordinated block of IPs originating from HE hammering IP-in-IP (Protocol 4) to exploit Treck TCP/IP stacks [cite: 1, 31, 32]. |
| `213.152.161.50` | AS49453 (Global Layer B.V.) | NL (Netherlands) | Ripple20 ICMP Anomaly | Targeting CVE-2020-11910 via anomalous ICMP Path MTU Discovery packets [cite: 3, 4]. |
| `8.210.16.217` | AS45102 (Alibaba US Tech) | HK (Hong Kong) | JAWS RCE & Mirai | Cloud node running dual campaigns: exploiting JAWS webservers and scanning for Mirai IoT targets. |
| `45.88.110.97` | AS44486 (SYNLINQ) | DE (Germany) | Mirai Variant Scanning | Typical compromised host exhibiting aggressive, decentralized Mirai inbound scanning. |
| `1.34.85.243` | AS3462 (Data Comm Business) | TW (Taiwan) | VXWORKS Urgent11 RCE | Targeting highly specific embedded real-time operating systems (RTOS) flaws. |
| `194.250.243.43` | AS3215 (Orange) | FR (France) | Adenau Shellcode | Detected delivering executable shellcode on port 135 (DCOM/RPC), indicating Windows-centric exploitation attempts. |
---
## 10. Sources & Citations
The following sources were utilized to provide technical, geographical, and historical context for the vulnerabilities and infrastructure analyzed in this report:
1. [cite: 5, 6] CVE-2024-38816: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource.
2. [cite: 7, 8] SentinelOne & HeroDevs: Technical details regarding Spring Framework WebMvc.fn and WebFlux.fn path traversal.
3. [cite: 33, 34] Spring Security Official Advisory & CVE Details: CVE-2024-38816 mitigations and HTTP Firewall implementation.
4. [cite: 3, 4] SentinelOne & NVD: CVE-2020-11910 Out-of-bounds Read in Treck TCP/IP stack (Ripple20).
5. [cite: 1, 2] SentinelOne & CVE Details: CVE-2020-11900 Double Free vulnerability affecting IPv4 tunneling in Treck TCP/IP stack.
6. [cite: 3, 4] Rapid7 & Strobes: Attack vector and EPSS probability scoring for Ripple20 vulnerabilities.
7. [cite: 11, 40, 46] Emerging Threats & Suricata Community: Analysis of Rule sid:2030388 and the implications of IP-in-IP (Protocol 4) monitoring.
8. [cite: 9, 26] CIRCL & Canadian Centre for Cyber Security: Active exploitation of F5 BIG-IP TMUI (CVE-2020-5902).
9. [cite: 10] LevelBlue Labs: Threat analysis of the "EnemyBot" malware and the Keksec threat group incorporating F5 and VMware vulnerabilities.
10. [cite: 12, 14] BGP.tools & IP2Location: ASN topology and routing policies for Alsycon B.V. (AS49870).
11. [cite: 15, 47] AbuseIPDB: Abuse reports and confidence scoring for Alsycon IP 160.119.76.47.
12. [cite: 22, 23, 48, 49] IPinfo & GreyNoise Labs: Intelligence regarding Oracle Cloud (AS31898) IP 204.216.147.144 and its association with "Multi-Campaign Scanners".
13. [cite: 24, 25] PeeringDB & RIPE: Layer7 Networks GmbH (AS199912) organizational and abuse contact records.
14. [cite: 27, 28] AbuseIPDB: Historical abuse monitoring for Pfcloud UG (AS51396).
15. [cite: 18, 50] Phish Report & Scamalytics: Amarutu Technology Ltd (AS206264) fraud risk analysis and offshore routing behavior.
16. [cite: 31, 32] GitHub Gists & Spam Blacklists: Historical SMTP and scanning abuse linked to Hurricane Electric 64.62.x.x subnets.
17. [cite: 45, 46] Emerging Threats: Ruleset update summaries confirming the deployment of detection logic for CVE-2024-38816 and Ripple20.
**Sources:**
1. [sentinelone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQER1We54YMDOvDFuNdnWEu1UdvE6Wk1wQ7-hFo2l-V5Kgb2iL6D9A6nCHcHblqPUUUCGefTWaOIxjh4wmdsogF7fc1PTYfn0zDdfE2YPtUViJZPDn_-fOWJoUx5mbxriO3_5CtOKmZbIb71xB1skt2aFpWm4UplKHU=)
2. [cvedetails.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF_lCXvjJMYhJmgBFfV1-ZpJqyIFLbzsB93zcd-XL7sTzKiQYjTrvxLJSmiK6yJ36_1MgN3mDiRhZoYQXhh3bZs6Lfqor23KYIwH0t9m8sb1MMdKXQYRlg8LnL88KUnQtiV9aZS)
3. [sentinelone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGEt5ptnHxhthyWoPQhN4og2DolAW0qXpP_hJ8g7VNMJZjPmAjbGxnsi22tZivdk_MXmk25dtZXsqEs79rwwb4MZKMtZ6L-XuCxWMtS2_KlKBrZXm7KJVYlD83BON-Y27paLPAI77Q1krCwEAmzCzGNyWkdsaguw20=)
4. [nist.gov](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFvxoU-KKTUDni1B3r-5g606HR99boQ-05LrKhdSN5kEzcQG6ui_hHOPQI2pOdkSfaIpieMki47UvBhvXCjyVgyLGfDgYx2ne4754Jj6iqgayOKmqe0HcDSYsoKPvnYW_8GeWs2aQ==)
5. [tuxcare.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE7XkpxK19T_PsmBsiQD7S8nkej4DTguh7ddWZzGgMfzkIiVM2b31FK8OjvYF7LwgnpW1fY5q3kkUbVx8xAvLFUSsutE-zYA3DftWLYMbZ8_cRlmF1RrluUpzRvw6F-dUVMSGe7FOYQB0VxuTM=)
6. [redhat.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFyHn7Yeydj18M3ovHzEM9voWMfzatjGemqdeMi9XqpekIxwBdi5-vHoMFq2ouRAWphtTOZAACEM7HdkbnjzdypL4Sj0mVATKJL4tejwzWzukkBbUswEqoQQjmOAzNHzS1yAle1DyL5x-JAaA==)
7. [sentinelone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFCxyIqkiIRhlqS4xZHWw-7t3mPmJHO0uHlqESEbp7ZoZVq5L9CmMuPnh3EoNqG31wuP5K8vK-XlQCFYVk7PkGo0dpxa0D_FaaF2Ts4MZdO8NLV5lUk77TVNbDUYnpUelac7zHeh-fAr97fb0DyHsPofVpZpzIv0tI=)
8. [herodevs.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGSAcxiSFqIFmCXnpqrD_RDAsptPEwqSMV7fKpanpVIYIOP2JvSKO9R_eFzmFUo2uKYKoqgVKs27dBEYOj0Bnij5qtaHrZxbBCth7AVHwKYB6iE7YsK1-MNSSdBZLHeT3djVg8Rk2zTWlI4pRfBLNOkC6X1w4o=)
9. [cyber.gc.ca](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHKSnie6tVV3P7mVtBkGTrlpU2-4Yb3zdwQwDakhgvT2e0AqnOgZXIXdD_bn-f2l_mn-23NL3iuBK3kH_wsb9kqRlXk1TOL42Moecmqcy-Tol8t6PktQdWm40P5I8F9zjQu1RJR22upMD0OcAklcYK-1yNbiEgFnVURpTCUTkGHmyvgIQ==)
10. [levelblue.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGa2HBvQ0T5--cZpL97GzTEpIpQcVCtmh9HNiEzDgfyv9hcstAlpA34PG5rs5I8PkoaT2BwcBN5FW8MSdivJem0AAH7Pb6yZ7DBezfd1Nh4maKUILf2UCK5lQfOpccSDLPBZI9K3Sa27LCXwgekTpKDPYgTTxZfO76rdpP9PjhApadz5d814X3AqO5rczmPq-pXqcD94n-ZkUNDZs_Q9_NX88U5cX9QFQGO_hGIZoueB2XhwQDeQWNsEmixhA==)
11. [stackexchange.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHi8C8Va13o2nCfhIwwtKx84UfnyVVOtOPhGq_dg2k87xGmn99QzHMht5Zwwtc5pYv01xH0XxXwx6kng3FSpBZKlbLkCjZ6a5Oyth5xTS2cHBBk7jFEiRlGaoombuJYGPSwkMHdNSNdnKlx5u3_q3ekftuNtlalWxQvlbKZqVuvU1eYLitHoLHw_oO7DXHXyvXXglNTG8no0NM2ad6jt1elk2_p3Lff)
12. [ip2location.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE6nVC0P24D0MUQ4DGXuJ-eCNEd1IB7DnC7hHxsa7X7j2gjvx12nuCzbcxzfn5ywV-M-bFXh2opxA5b0qxwe2T57MGxiWJ_OO-UJZ0gylVolozgFsoeLEbwCQ==)
13. [ip2location.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGmEserg926IFNr52sd_LvVx7c2H_38FXf78yS_dVlvQiABlnjsrO_2_VL2jGXERl7vvsGU4pgJlV27hFtivn-sLyVbdNQQ5WFunKk6JjEhhxnnWY6lXZAcZdo=)
14. [bgp.tools](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGmHu9jBsBT8siRX2k6qyX37b4HeLj3rzuEKjCDzy_f_xL4uFPfK3U0Nq4CIwDUml4XflmcJvs02Ly4YaiP_9wNPg5YM0CT0ULP8R4X38vxEw==)
15. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH5zx-9eJ1lDP0IAvwvxh4xQBaX8IWiK_hcDhSZmFbrmvE5W6t32wtn7xyqiCoy14EPzuH2wipJp1MfJ5_5zjfSEBveiGCKsthhNXEiPPXwPlRuk27yWFwcCrz8XVt5IbJXq8A=)
16. [bgp.tools](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEbc2tE1Lvd3hj5bN78nLFphg5gvfvYAtGN2dIsp0w-4z8YnObYDRRn-hmoPkMDIc7v23ap-V7je9prhG40pd-i2xlSKQFBubO0rFQqtdTb33E=)
17. [ipregistry.co](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE-ciHNsknSdXyyk1M0EzGXQSo38bAcOokPiSCJ2B9hCcDgSbhpCC5dFdOSShxRwfXpiWRDtD-N5L26Wzb7dVbx3gWYcVObNu39LOqx3rQu395SFbM=)
18. [scamalytics.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQElPJ0awLfWfCnKwQwiEFwNism1peVIfcAvC11fe9HZXfDOHxexemi9SXDRAzCTlhLXPy-z2v32xp_SW8gCuCFmrLgu91vjvWvQOIX8664QUby4hjjFVD5lsD1gk6Kvyy23OwVy3q_YwuXXYw==)
19. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGIQQ6OwAGzmqb0J0T4bUIiR3ehwupzytudODzdRet9NFSIMsEsjvLEobkmoh8gHkqgUkA_E9Rm70-cl_SvxL9m9Sne18bsy8vdoHlTU-0Y_pM7LjC8VW2r2gXcryUIZ_GBPQ==)
20. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHB4zI7HSBR_pcbRY0LZogK_xa5kat2n80L6FGtalA0tS5xQxI6YSjA6TxoztYYTrS9dakV5ElaXWsTCHoiviq33H_tu3_iu3Okx00Nti4jzgdwRn-a_n_MA5rTGzOEirfg)
21. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEZDse3lGzowtIr980QI81VX5hPEgDX1FHwTea7K4zqIsidgg07sj0Ngysvcfm3JbHB4uTTFXK1yJpjCaLpVAVzC8SclYmO6RnldGbX3gUtESf5K4KxniRMhk1AQse0Wkz8m0NY)
22. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE06KsDre-f7oGEcsjJ7MXpNsz9i59uzC-bc6-RYmUAPXOF216SybNtQjwGU7NK_D2_Pjb6mL8h2ucTD93KSWQGBNKPPBX3DXbweFV5nZrmqZiKQOUJe2Q=)
23. [greynoise.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFP9a1vAR0ABVk7wU7RSuzNSAGoiMSbCTJH3O73qVBOK9kSEXhag8Dwc8OAYDpK4F-O6HmmNwYYzzQT1PdV2WqWsO68u2LdunNlLL0uHQrJv_PMCby2_lWfNQJsARpqadl5yU71BRz_2U20YdTzSxcG56CLcisMSY2KUAk=)
24. [ipshu.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGjahSTnJnOFTF66X65wPyYdq2AZAk_-my0hBRb6MciTzXsixfJo079Hplzi-JAz_JAcGVaDAcb6JMkJoPAksngc6qgvkNlSXO16VQ6cJidA4iyIZZ3)
25. [bgp.tools](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGMyQ9QqI4TYseFxHlh1bBWUAHwQbcMxUNEicQZ2OyRM99ClP7JJfQlzmeCILY_p5QFXgLIJdF3Yrovor2l-9vMWprM3_0-ntifBou_rks7emlDbXIAIThGHKFv7jI=)
26. [circl.lu](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGNSS_ebjTJSlSaBRLls8cHnRF9Kqv1lwFzTpW7utY8QbbGOATDcLrIV8UxGjLuxV8jCOIB6_HnIXGZRWANUuB03rsPobhUTLOCH_Qn5Vk-iYGpn6_BIMaysnY9Uw==)
27. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGDpkmwgMXd4fGbMnSVEWgmwXX2tY_l99sDmFJ_USHy49w4DGj-4qpbpZbpYWT-WpfuqX1lhuTk7_G63mXtJ2672PZ_362pxgafxmYfb_0l04-lv9x6XiqtbWxN5ENjX5SR94fwTacgHC2oJg==)
28. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGmLpefBmgaeAdt3Xxww0MG_mGJRjSA-wUA1F-xY6asvXC71whRONrdeR33NP0VKaNigf5gaVWNSssl8xaVF6WV_PkUo4tV91f2qYos8X5AxUhLActSJnUrq7_iAc5rLHyE4A==)
29. [abuseipdb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE0QuVzs9VYy6UeXjnxnXwGBPoi2i0MduNHKC2yHcM7neuKpIrU8l7tKOMjlBF5-I_Q63cGDvTO-_MUw3A9hd6O76H5MyTgxFG0N-BB4KZd43dRL4cm-b7r0dB2uvPqc1PdeT4=)
30. [pfcloud.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEbE5X0qHonYKZQV6Y39xKZrQ9CFf1nr2im4b0FLUg9BMpAbsd8N_rBeIRjFMKxGVXcz7dexU8rDxRxVVyG3AiP2SSSs4au4iQvKGGnPUPs5ke6RWITvYz-Y9lsTcPb1yA7rDLSgiqjhJVEHpTIlZP7PzGD86edQ7w=)
31. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFSa3HajePp-no9IXvXvR_gXhW_qMYGeWK9EWs-yVn0z9sJeEhk6jfQDgD3tBSj3HyGfq-0O_yEJ7Bs8055ESKcEnRIGnRjsUeV-Kj_P8ii5kN5wfadbMJuD1stYHsOJnmIelXWmyoGHuLWYgUq6HOhXFyEeVmxfgkG-TpHkgNUkLbImnxVB9wZx0v5Y-9ZfNgcNg==)
32. [infinityfreeapp.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEUxi0CacG_yF7JrdT4BgYoSBZUSQ2P75iUANPLs9zNYlNgl4j2NAYpZVCl6WqDUF-2EnPZZ8VvUwM0SNkiQ_GWd-51I2-mY592_E_FwL6Lu5KEjFwYf4v5la0q1Qwoyj4E_duDsZMjw_MxvdVllPCwHWJF)
33. [spring.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEmacNcoOyPsyemumUMUWCjqj-l69rGn6iG3qZi9YNmnA7ewaFsb2tgQ7sMh9EgPnZI294gMAPKY51pCwOqL5J0kbyNcA63JSflGhkp-EMqT5oYm7z1u4nf7it15vlgg1c=)
34. [cvedetails.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFAgzUrQ1Kt-KxdrioksDM-pfONKRQ6xFcgIZGc0wafyPRnCUcHfZ4JOX6QSAFhVr6t8wq7QKOywCV_rWTovyA8vf-WWtSAhup1qQxfGHbKaDfFj5qQvd80OwtYTGB3JsUAwNS_)
35. [reddit.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFR_r5gPz1EMJy0IQ0dHCvSHL2p0LIR-I8fqXSJKnvnikKKCi27llIbtwImjTx5gfWIQyUwMJ2RDJXOFhdyg9E5c9m3Was_F9Mb9lrSh7eJNU51qmt0sBwhsUGCtkeZ3GS4ZNQrIFcCW8X3s_CFzz7eN66WNR091pp_tCuRvYaanzCb1kWTHFLdkgwuX9Fe6kmV5c9p)
36. [cisco.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEzVLf3Ils3lOFdeLLn0bWUKnlGuxbzhZXm8W0SfUDaiKi2HjhRWhEx_H0evJbDF4bIPHR7WFFQ8m7mSUUyamQaCEya7lUx4e4MZPEFwTktRaeo32WC8fFgAmoNIWhU2jFI5afM1LOV7RVJZ25C6mpeuWZhsndDH1nyUUMIdFT0lxA-5MLyonVBviw=)
37. [rapid7.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEkYKx0OIAvvyM76dgGeVXuJHgW01sNkiwkQ1YeQ-d7BSS_i5AClQf0NfRWKPLSk-l2cw6zx4mEKjAdLhxyp-j0hJb0Zu1Uockyvb-DRrfVjdEr-fRcwLUYYQZz7N-CdaqCJYxD2pcIf0Bj83o06uKu5Z0_oWtX)
38. [cve.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEIDeZ_iAEB3HIvq-mnQPmHp6UGKHv-kalRPK0YPjHgvGYCC8zU1oUTgjCfTrD_fxIOmlSewNW36jZSuWiNvUaW3jLKbY4ZhL-U_wwqlwlh4B2donHWm65JNyynYKm1rZBU6D6SRg==)
39. [tenable.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEthtOyj-ep6c9hTfD5hOCDzqHkSL0_OhNkIjV21XNRAJ7rX58Q6ffKLqpP9fLKiNjcACdVO63WGJl3rR2ntoj6rbYMmR5WPMm_tTsTL0bNmwDK_J7FHFFX8jhHVbvYgzE=)
40. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFQp3lIPuecx1cbCxdW_TtTIluqCpX94IG9sMA69GmUPmz6zaYEdySfP_cetrwKJ_RKtYP9c5Thf8945d0GvDx8m9vcXwmMbj4ydHcBPBQUltSesOQ7g2bp2Ec0BRm_ZqI2R3VDqLuPlWbEPSzE5D5Zc1pyK081K9s2FV4y1mjcYCyySw==)
41. [tencent.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFXSNJbO8q3cnUjCu-Wy4y-LDZwsFYrKo-W64FC7qpXxjKaT1hAHYEpW2XIeJh2o07JXzPy4aFNlb6F7x8gFLAhRpCi75D9G4eORQ7UnaOCysuO2LgIZEcaNTKc6mFKhg24WHePuMfa35KSTw==)
42. [rapid7.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFEmz6sAc0jaWVSfF7k7zSjkMdLHTznmOI_DqR_cSOv1t9Uqw43WIAlOjEcnmDdQqQn5oOHhRXlalqz-5dcgoF2-fqJP8Hsaqnng0Ly3YxbNyTfhhot_gjB2Q4RWxeEmJlLZnRZTpNBvkTV83i8_c4XJYa8Mtfd5v024Tw=)
43. [strobes.co](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEcQx0MIPClskTeLpik5fSZJrmuJTuxxJKgNt_79DlPmAAzOICompEEETv0IX_DrbhtGoI3gatrIEq7h4hU1MXgb7sEye032s_7ENyLjsKY02_QaQ8kolYgkFsstjFA)
44. [cyber.gc.ca](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHKJQzx5KkJbzAt0bJWjk9rRbD14ALA6UG4Eh5SZYSOKYxIoxpi86hgjTiq22jTkDdPEvmgrU996gkLAxBcBZ1OscIAeogRb673qg1ioJXy0OlUO74QoxNXWJvUPONEv6nAyraAOupx9SYG5DrxTIazMjZFvaRhhlgOGJBRnNM6kLYBCgtNRYGGRMKDsXrn6DJj4fc4MfcW_Inuo-LC6BdrZPQ=)
45. [emergingthreats.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFKuXp-jk2qRzsvrvmL_LT-X0JvS-9zmIKHMDl84K-cUDRt-zC80TSI29fAk8DrO2mnWowGoHjhiyzPX2PkOOM6kT66GPFjNiAjSKGgm8sbg1oHiNQDkXVaUMMCG2qZ6YNMjUtvwg0KzLBG4ertQ_VE4Co3OfKLWVy-RJ1p8GjkVfvD2JH1LnrBcB4B)
46. [emergingthreats.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFkdmXpVuQFxOQV3Jy5JNGzuqFQcFtWJXHr59fKzoKphGKjdlQEiqbTpT8neSsC7daiwHo2MET_xXP5enljzPgsKo_4KAP2TQ8nri2lsTgfbPztzggJtZzKU_NBNRGyXaloKksYP9LJls5RGFzaMfMZ87RZOXVsBUcvWqLMWjCKMBBxuizWqHrRyhuG)
47. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHVO2Uwdz23ShsNWyt_eZsFogU7gHTDEtt995o2TsVqxMOoWqLkxq6S7T76LKO9vSHg40Is6Y1KnYTr87hL0U2C_5-ZCCA87MXaRM5c5HENMhfvLt6m5kqAeXWj)
48. [bgp.tools](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHCyL9FDa6aGqO8cBX9Rze8Aqf2Sg6AnH4WKg1-0sutjAU4T-MTzuhEpp6Z4Ud1pBoz7rMFf1cF8vg7r4PIi6EeIJaYNjIlafiZ-cDLmqpeGqt-pv27F6YUc-erIltOvA==)
49. [mastodon.social](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH1hCH4QBM5sNzm2zjw4RKa4C_vfg42v71nup0yPeaZs7iEI9AZhKjf1HWmHQOuc_zYD4-DEd0K1RW2XMkEVfYdw4jGSxtDFHMDW5M6NNB9qsQ9CGPYxRv_jlQSPiP-CjXGVueZuTBnRBXk)
50. [phish.report](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEW38ZrQHxezcgDd90lqvs-bmOjWiebDFPeiy1BYevCC_ZVwzWhImRdFnKQB8s56kpyJ1cqTtmA2x0NKl9Dryie6gjs18LkbpTdytLocEslIPXoUqANre0OSsROz9EoQS8liknD_04=)
STIX indicators
Indicators parsed from the current-month STIX 2.1 bundle. The full bundle, available for download, also carries GeoIP, ASN, threat scores, and MITRE ATT&CK mappings for each indicator.
| Type | Value | Description | Labels | Valid from | |
|---|---|---|---|---|---|
| IPv4 | 64.62.197.84 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-01 | |
| IPv4 | 1.34.85.243 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=2; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag; ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag; ports=4360; cc=TW; asn=3462; asn_org=Data Communication Business Group | malware_hosting | 2026-03-01 | |
| IPv4 | 45.88.110.97 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=DE; asn=44486; asn_org=SYNLINQ | scanning_host | 2026-03-01 | |
| IPv4 | 45.88.110.44 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=DE; asn=44486; asn_org=SYNLINQ | scanning_host | 2026-03-02 | |
| IPv4 | 64.62.197.200 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-02 | |
| IPv4 | 45.88.110.95 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=DE; asn=44486; asn_org=SYNLINQ | scanning_host | 2026-03-02 | |
| IPv4 | 202.141.95.41 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=5555; cc=IN; asn=24186; asn_org=RailTel Corporation of India Ltd | scanning_host | 2026-03-02 | |
| IPv4 | 185.55.240.152 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=16; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1; ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2; ports=10909; cc=DE; asn=199912; asn_org=Layer7 Networks GmbH | malware_hosting | 2026-03-02 | |
| IPv4 | 222.127.53.189 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=PH; asn=132199; asn_org=Globe Telecom Inc. | scanning_host | 2026-03-02 | |
| IPv4 | 204.216.147.144 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=20; categories=Attempted Administrator Privilege Gain,Potential Corporate Privacy Violation; sigs(top)=ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1; ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2; ET INFO Cleartext WordPress Login; ports=8554; cc=BR; asn=31898; asn_org=Oracle Corporation | malware_hosting | 2026-03-03 | |
| IPv4 | 216.218.206.102 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-03 | |
| IPv4 | 112.196.109.146 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=9; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery; cc=IN; asn=17917; asn_org=Quadrant Televentures Limited | malware_hosting | 2026-03-04 | |
| IPv4 | 184.105.139.119 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-04 | |
| IPv4 | 185.93.89.75 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound; ports=8888; cc=IR; asn=213790; asn_org=Limited Network LTD | malware_hosting | 2026-03-04 | |
| IPv4 | 8.210.16.217 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=2; categories=Attempted Administrator Privilege Gain,Web Application Attack; sigs(top)=ET SCAN JAWS Webserver Unauthenticated Shell Command Execution; ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=HK; asn=45102; asn_org=Alibaba US Technology Co., Ltd. | scanning_host | 2026-03-05 | |
| IPv4 | 64.62.197.239 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-05 | |
| IPv4 | 110.37.78.200 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=PK; asn=38264; asn_org=National WiMAXIMS environment | scanning_host | 2026-03-06 | |
| IPv4 | 124.29.214.201 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=8080; cc=PK; asn=9541; asn_org=Cyber Internet Services Pvt Ltd. | scanning_host | 2026-03-06 | |
| IPv4 | 64.62.197.206 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-06 | |
| IPv4 | 102.212.40.100 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=7574; cc=NG; asn=329244; asn_org=Connect-Surf-and-Smile-Limited | scanning_host | 2026-03-06 | |
| IPv4 | 193.34.212.9 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=2; categories=Web Application Attack; sigs(top)=ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816); ports=4000,4443; cc=PL; asn=201814; asn_org=MEVSPACE sp. z o.o. | scanning_host | 2026-03-07 | |
| IPv4 | 176.65.134.22 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound; ports=8080; cc=SI; asn=36680; asn_org=Netiface LLC | malware_hosting | 2026-03-07 | |
| IPv4 | 89.42.231.182 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Web Application Attack; sigs(top)=ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816); ports=3000; cc=NL; asn=206264; asn_org=Amarutu Technology Ltd | scanning_host | 2026-03-07 | |
| IPv4 | 65.49.1.203 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-07 | |
| IPv4 | 160.119.76.47 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=17; categories=Attempted Denial of Service; sigs(top)=GPL VOIP SIP INVITE message flooding; ports=5060; cc=SC; asn=49870; asn_org=Alsycon B.V. | scanning_host | 2026-03-07 | |
| IPv4 | 64.62.197.53 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-08 | |
| IPv4 | 59.98.206.128 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=8080; cc=IN; asn=9829; asn_org=National Internet Backbone | scanning_host | 2026-03-08 | |
| IPv4 | 64.62.197.162 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-09 | |
| IPv4 | 117.235.114.117 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=IN; asn=9829; asn_org=National Internet Backbone | scanning_host | 2026-03-09 | |
| IPv4 | 204.76.203.215 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Web Application Attack; sigs(top)=ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816); ports=3000; cc=NL; asn=51396; asn_org=Pfcloud UG (haftungsbeschrankt) | scanning_host | 2026-03-09 | |
| IPv4 | 204.76.203.73 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Web Application Attack; sigs(top)=ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816); ports=8008; cc=NL; asn=51396; asn_org=Pfcloud UG (haftungsbeschrankt) | scanning_host | 2026-03-09 | |
| IPv4 | 64.62.156.79 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-10 | |
| IPv4 | 43.230.105.61 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=8080; cc=IN; asn=132754; asn_org=Realtel Network Services Pvt Ltd | scanning_host | 2026-03-10 | |
| IPv4 | 65.49.1.174 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-11 | |
| IPv4 | 202.112.237.233 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=CN; asn=4538; asn_org=China Education and Research Network Center | malware_hosting | 2026-03-11 | |
| IPv4 | 121.225.41.245 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=7574; cc=CN; asn=4134; asn_org=Chinanet | scanning_host | 2026-03-12 | |
| IPv4 | 64.62.156.129 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-12 | |
| IPv4 | 183.81.169.235 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Web Application Attack; sigs(top)=ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816); ports=18789; cc=NL; asn=206264; asn_org=Amarutu Technology Ltd | scanning_host | 2026-03-14 | |
| IPv4 | 93.177.151.72 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=8080; cc=GE; asn=16010; asn_org=Magticom Ltd. | scanning_host | 2026-03-14 | |
| IPv4 | 65.49.1.171 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-14 | |
| IPv4 | 64.62.197.91 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-15 | |
| IPv4 | 184.105.247.210 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-16 | |
| IPv4 | 194.250.243.43 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Executable code was detected; sigs(top)=ET SHELLCODE Adenau Shellcode; ports=135; cc=FR; asn=3215; asn_org=Orange | malware_hosting | 2026-03-16 | |
| IPv4 | 184.105.139.99 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-17 | |
| IPv4 | 202.141.38.186 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=7574; cc=IN; asn=24186; asn_org=RailTel Corporation of India Ltd | scanning_host | 2026-03-17 | |
| IPv4 | 184.105.247.224 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-18 | |
| IPv4 | 45.230.66.101 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=2; categories=Attempted Administrator Privilege Gain,Web Application Attack; sigs(top)=ET SCAN JAWS Webserver Unauthenticated Shell Command Execution; ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=AR; asn=266702; asn_org=MEGALINK S.R.L. | scanning_host | 2026-03-19 | |
| IPv4 | 144.48.134.244 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=49152; cc=PK; asn=9541; asn_org=Cyber Internet Services Pvt Ltd. | scanning_host | 2026-03-19 | |
| IPv4 | 65.49.1.127 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-19 | |
| IPv4 | 64.62.156.168 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-20 | |
| IPv4 | 64.62.156.213 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-21 | |
| IPv4 | 103.84.57.217 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=2; categories=Attempted Administrator Privilege Gain,Web Application Attack; sigs(top)=ET SCAN JAWS Webserver Unauthenticated Shell Command Execution; ET SCAN Mirai Variant User-Agent (Inbound); ports=60001; cc=PK; asn=141421; asn_org=MUX BROADBAND PRIVATE LIMITED | scanning_host | 2026-03-21 | |
| IPv4 | 178.18.253.107 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Denial of Service; sigs(top)=GPL VOIP SIP INVITE message flooding; ports=5060; cc=FR; asn=51167; asn_org=Contabo GmbH | scanning_host | 2026-03-21 | |
| IPv4 | 184.105.247.220 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-22 | |
| IPv4 | 39.87.69.168 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=CN; asn=4837; asn_org=CHINA UNICOM China169 Backbone | scanning_host | 2026-03-22 | |
| IPv4 | 61.3.130.161 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=49152; cc=IN; asn=9829; asn_org=National Internet Backbone | scanning_host | 2026-03-22 | |
| IPv4 | 223.123.38.34 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=7574; cc=PK; asn=138423; asn_org=CMPak Limited | scanning_host | 2026-03-22 | |
| IPv4 | 64.62.197.69 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-23 | |
| IPv4 | 117.200.204.54 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=8080; cc=IN; asn=9829; asn_org=National Internet Backbone | scanning_host | 2026-03-24 | |
| IPv4 | 74.82.47.55 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-24 | |
| IPv4 | 141.98.100.151 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=3; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery; cc=GB; asn=9009; asn_org=M247 Europe SRL | malware_hosting | 2026-03-24 | |
| IPv4 | 213.152.161.50 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=5; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery; cc=NL; asn=49453; asn_org=Global Layer B.V. | malware_hosting | 2026-03-25 | |
| IPv4 | 89.162.227.117 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Potentially Bad Traffic; sigs(top)=GPL SCAN loopback traffic; ports=65065; cc=UA; asn=15895; asn_org=Kyivstar PJSC | scanning_host | 2026-03-25 | |
| IPv4 | 94.243.14.174 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=49152; cc=RU; asn=8359; asn_org=MTS PJSC | scanning_host | 2026-03-25 | |
| IPv4 | 103.176.16.7 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=8080; cc=IN; asn=135687; asn_org=Qwistel Network Service Private Limited | scanning_host | 2026-03-25 | |
| IPv4 | 94.243.10.193 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=2; categories=Attempted Administrator Privilege Gain,Web Application Attack; sigs(top)=ET SCAN JAWS Webserver Unauthenticated Shell Command Execution; ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=RU; asn=8359; asn_org=MTS PJSC | scanning_host | 2026-03-25 | |
| IPv4 | 65.49.1.169 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-26 | |
| IPv4 | 119.202.140.51 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Potentially Bad Traffic; sigs(top)=GPL SCAN loopback traffic; ports=11276; cc=KR; asn=4766; asn_org=Korea Telecom | scanning_host | 2026-03-26 | |
| IPv4 | 65.49.1.139 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-27 | |
| IPv4 | 91.206.18.102 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Potentially Bad Traffic; sigs(top)=GPL SCAN loopback traffic; ports=27908; cc=RU; asn=47397; asn_org=Base Ltd. | scanning_host | 2026-03-27 | |
| IPv4 | 172.105.186.116 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery; cc=AU; asn=63949; asn_org=Akamai Connected Cloud | malware_hosting | 2026-03-27 | |
| IPv4 | 202.112.237.200 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery; cc=CN; asn=4538; asn_org=China Education and Research Network Center | malware_hosting | 2026-03-27 | |
| IPv4 | 65.49.1.189 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-29 | |
| IPv4 | 142.117.228.191 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Potentially Bad Traffic; sigs(top)=GPL SCAN loopback traffic; ports=54385; cc=CA; asn=577; asn_org=Bell Canada | scanning_host | 2026-03-29 | |
| IPv4 | 124.11.64.42 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=49152; cc=TW; asn=9924; asn_org=Taiwan Fixed Network, Telco and Network Service Provider. | scanning_host | 2026-03-29 | |
| IPv4 | 110.38.248.98 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=5555; cc=PK; asn=139879; asn_org=Galaxy Broadband | scanning_host | 2026-03-30 | |
| IPv4 | 103.208.105.205 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET SCAN Mirai Variant User-Agent (Inbound); ports=80; cc=IN; asn=24186; asn_org=RailTel Corporation of India Ltd | scanning_host | 2026-03-30 | |
| IPv4 | 64.62.156.151 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=US; asn=6939; asn_org=Hurricane Electric LLC | malware_hosting | 2026-03-30 | |
| IPv4 | 202.112.237.226 | High & Medium Suricata IDS Source / seen in Suricata IDS alerts; events=1; categories=Attempted Administrator Privilege Gain; sigs(top)=ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free; cc=CN; asn=4538; asn_org=China Education and Research Network Center | malware_hosting | 2026-03-30 | |