Hi,

 The Special feed of Shadowserver was dedicated to reports on SocGholish Compromised WordPress sites a few days ago and https://github.com/The-Shadowserver-Foundation/report_schema/tree/main/intelmq.json was updated accordingly. Today's reports contained a few more optional fields that were caught by our checker, namely,

extra.account
extra.estimated_server_first_seen_time,
extra.estimated_server_last_seen_time
extra.machine_name

 Will intelmq.json be updated to reflect this change? The two extra.estimated_* are probably thought of as replacements to the initial extra.first_seen_time and extra.last_seen_time.

 Maybe it would make sense to define a feed of its own for this instead of using Special. Especially if we expect to see remnant cases of SocGholish later.

 And if this is in fact a problem of our checker, my apologies, please let me know. There's so much hallucination going on these days so it would not be a surprise.

Br, Mika





The information in this email may be confidential and is intended solely for the use of the individual or entity to whom it is intended. If you are not the intended recipient of this message, please delete the message and notify the sender immediately.  For information on how we process personal data and our contact information, please see CSC's website: Privacy

Tämän sähköpostin tiedot voivat olla luottamuksellisia ja ne on tarkoitettu yksinomaan sen henkilön tai yhteisön käyttöön, jolle ne on osoitettu. Jos et ole viestissä tarkoitettu vastaanottaja, tuhoa viesti ja ilmoita asiasta välittömästi viestin lähettäjälle. Tietoja henkilötietojen ja yhteystietojen käsittelystä löydät CSC:n verkkosivuilta: Tietosuoja