Skip to main content

New Release, Enhanced Search Features, New API and More!

Today we are announcing changes and the addition of features to our site. We are happy introduce first and last timestamps per data source, tags, a new results UI, AS lookups and version 2.0 of the API. Below is an example of the additional fields and tags that are that are returned for an IP address search:


When searching for an Autonomous System (AS), which requires authentication, the response contains similar first and last seen timestamps, but also a tag if the AS is frequently abused. Pagination exists for larger numbers of results and each page of 25 IP addresses will consume one API quota credit:


Version 2.0 of the API has also been overhauled to include first and last timestamps, geolocation information, and AS information in the response, none of which were included in API version 1.0.


POST /api/getip response (version 1.0)



POST /api/v2/getip
 response (version 2.0)

API version 1.0 will not cease to exist. We will continue monitor the use of the version 1.0 endpoint (/api/getip) and may deprecate it in the future.

API queries, bulksearches and extended search queries such as AS lookups have been folded into a single search quota. IP address searches are still available while unauthenticated and are subject to rate limits like before. New users will still be given 1,000 credits for free during registration. To the extent users require additional credits, we now offer paid options via a Stripe payment page. You will notice under the Account page that there are options to purchase additional credits. The buttons will link to an external Stripe payment page:


Upon completion of the Stripe payment, you will be redirected back to your account page that will reflect your updated quota.

To the extent that you are interested in additional query quota for research or academic purposes, please email info@sicehice.com with your name, LinkedIn profile, an overview of your project, and your intended search usage. Additional quota can be granted for free on a case-by-case basis. 

Comments

Popular posts from this blog

AndroxGh0st – Stealing your AWS Key Pairs for Simple Email Service

AndroxGh0st is a family of malware written in Python that notoriously targets Laravel .env files. Since the inception of our new fleet of web honeypots deployed in December 2021, Sicehice has detected this activity and observed tens of thousands of requests with the HTTP POST body set to 0x[]=androxgh0st . Searching this string on GitHub yields various repositories, many of which help identify AWS secrets inadvertently exposed by the Laravel framework. One feature of AndroxGh0st is the ability to search for exposed AWS credentials, namely looking for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY identifiers. While individuals may mistakenly leak their key pairs to version control repositories such as GitHub, GitLab, or BitBucket, there is always the possibility of inadvertently leaking key pairs directly on web servers as well. AWS has gone through efforts to continually scan GitHub for AWS key pairs and automatically apply the AWS managed policy AWSCompromi...

Pivoting on a Phone Theft Ring

One of our affiliates recently had an iPhone stolen while on vacation. It goes without saying, once the phone has been turned off and you can't see it in Apple's Find My, best of luck getting it back. One of the issues with stealing an iPhone is the iCloud Activation Lock. When you enable Find My, the device is linked to your iCloud account and you must manually disable it before the phone can be transferred to another person.  A few days after the phone was stolen, the new phone received an SMS phishing message with the following URL: hxxps://lcoud.com-1pr7[.]us/?id=XXXXX In our instance, we had a five-digit ID number that started with the number 8. We began to attempt iterations of the 5-digit ID and sure enough, we got a valid HTTP 200 response on the first attempt: When navigating to the resolving IP, we noted there was a wildcard certificate in place for a bunch of other domains: Stepping back, let’s look at the root domain of the original phishing page, com-1pr7.us . The...

Inside a Compromised RDP Server - Bruteforcing Leads to LockBit Ransomware

As people trend towards remote work, IT departments have an ongoing need to provide remote services to end users. Without the use of traditional VPNs, technologies like Remote Desktop, Citrix and VMware are commonly used for remote access. However, they are not always configured in secure ways.  During the height of the pandemic, we setup two servers with Remote Desktop exposed to the Internet and created user "hello" with no password. Obviously, this is not a smart idea, but it does demonstrate what can happen when you have unsecured assets that are available directly on the Internet.  Scenario 1: Network Scanner Resulting in Abuse Complaint A scanning tool was used to scan for other servers listing on port 3389, which resulted in a complaint from Hetzner Online GmbH. The complaint was as follows: Figure 1: Abuse Complaint Received It is good that Hetzner has automated monitoring systems that will send abuse complaints automatically and one step in the right direction to...