Author: Christopher Kim
TLP:WHITE
1. Executive Summary
On 30 October, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on Iranian advanced persistent threat actors (APTs) responsible for targeting U.S. state election websites and spreading disinformation about the 2020 U.S. presidential election via email.[1]
From 20 to 28 September, the APT used a tool named Acunetix to scan state election websites for known web vulnerabilities. The actors used these vulnerabilities to exploit websites and steal voter registration data between 29 September and 17 October. CISA and the FBI confirm that the actors successfully obtained voter registration data in at least one state.
2. Analysis
2.1. Reconnaissance
According to the advisory, the Iranian APT searched state voter websites for publicly available PDF documents by querying URLs with the words: vote, voter, or registration. The FBI also found information indicating that the actors researched the following topics to extend their capabilities for vulnerability identification and exploitation:
- YOURLS exploit
- Bypassing ModSecurity Web Application Firewall
- Detecting Web Application Firewalls
- SQLmap tool
2.2. Web Vulnerability Scanning
Between 20 and 28 September, the APT actors attempted SQL injections across multiple state election websites using the web vulnerability scanner Acunetix. Acunetix is a legitimate scanner often used by security engineers for security and compliance auditing. The actors used this tool to insert data into various fields in the /registration/registration/details resource path on the web server. CISA analysts discovered three different web browser user agents associated with the scanning and observed the following requests:
2020-09-26 13:12:56 x.x.x.x GET /x/x v[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0
2020-09-26 13:13:19 x.x.x.x GET /x/x voterid[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 1375
2020-09-26 13:13:18 x.x.x.x GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - x.x.x.x
2.3. Data Exfiltration
Between 29 September and 17 October, the APT sent several hundred thousand HTTP GET requests to web resources that hold voter registration data. The threat actor sent the requests with cURL command-line tool and Free Download Manager (FDM) user agents, and modified the request parameters by iterating through voter identification values, as shown below.
2020-10-17 13:07:51 x.x.x.x GET /x/x voterid=XXXX1 443 - x.x.x.x curl/7.55.1 - 200 0 0 1406
2020-10-17 13:07:55 x.x.x.x GET /x/x voterid=XXXX2 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390
2020-10-17 13:07:58 x.x.x.x GET /x/x voterid=XXXX3 443 - x.x.x.x curl/7.55.1 - 200 0 0 1625
2020-10-17 13:08:00 x.x.x.x GET /x/x voterid=XXXX4 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390
3. Prevention and Mitigation
CISA and the FBI recommend the following actions for detecting, preventing and mitigating malicious activity similar to that described in this report.
3.1. Detecting Acunetix
Organizations that rarely use the Acunetix tool should monitor logs for any indication of the program’s activity. The following keywords can help organizations identify Acunetix during log analysis:
- $acunetix
- acunetix_wvs_security_test
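The following detection logic is an added example, not part of the advisory or this report: it applies the section 3.1 keywords and the section 2.3 enumeration pattern (tool user agents walking sequential voterid values) to constructed IIS-style W3C log lines. It assumes the default IIS field order (date time s-ip method uri-stem uri-query s-port username c-ip user-agent referer status ...); the sample IPs, voter IDs and the FDM agent prefix "fdm" are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log modelled on the request lines quoted in sections 2.2 and 2.3.
SAMPLE_LOG = """\
2020-09-26 13:12:56 198.51.100.5 GET /x/x v[$acunetix]=1 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 0
2020-09-26 13:13:18 198.51.100.5 GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 0
2020-10-17 13:07:51 198.51.100.5 GET /x/x voterid=10001 443 - 203.0.113.20 curl/7.55.1 - 200 0 0 1406
2020-10-17 13:07:55 198.51.100.5 GET /x/x voterid=10002 443 - 203.0.113.20 curl/7.55.1 - 200 0 0 1390
2020-10-17 13:07:58 198.51.100.5 GET /x/x voterid=10003 443 - 203.0.113.20 curl/7.55.1 - 200 0 0 1625
2020-10-17 13:08:00 198.51.100.5 GET /x/x voterid=10004 443 - 203.0.113.20 curl/7.55.1 - 200 0 0 1390
2020-10-17 14:00:00 198.51.100.5 GET /x/x voterid=55555 443 - 203.0.113.30 Mozilla/5.0 - 200 0 0 1400
"""

ACUNETIX_MARKERS = ("$acunetix", "acunetix_wvs_security_test")  # keywords from section 3.1
TOOL_AGENTS = ("curl/", "fdm")  # assumed lower-case prefixes for cURL and Free Download Manager

def parse_line(line):
    """Split one W3C line into the fields the checks need (assumed default IIS field order)."""
    f = line.split()
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "query": f[5], "client": f[8], "ua": f[9]}

def find_scanner_hits(log):
    """Return (client, query) for requests whose query string carries an Acunetix marker."""
    hits = []
    for line in log.splitlines():
        r = parse_line(line)
        if any(m in r["query"] for m in ACUNETIX_MARKERS):
            hits.append((r["client"], r["query"]))
    return hits

def find_enumeration(log, min_requests=3, window_seconds=60):
    """Map client IP -> request count for clients that step through consecutive
    voterid values with a tool user agent inside a short time window."""
    per_client = defaultdict(list)
    for line in log.splitlines():
        r = parse_line(line)
        m = re.search(r"voterid=(\d+)", r["query"])
        if m and r["ua"].lower().startswith(TOOL_AGENTS):
            per_client[r["client"]].append((r["ts"], int(m.group(1))))
    flagged = {}
    for client, reqs in per_client.items():
        reqs.sort()
        ids = [v for _, v in reqs]
        span = (reqs[-1][0] - reqs[0][0]).total_seconds()
        sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        if len(reqs) >= min_requests and span <= window_seconds and sequential:
            flagged[client] = len(reqs)
    return flagged
```

The enumeration check deliberately ignores the browser-agent request for a single voterid, so a legitimate lookup is not flagged; tune min_requests and window_seconds to the site's normal traffic.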
3.2. Other Recommendations
- Validate input as a method of sanitizing untrusted input submitted by web application users. Validating input can significantly reduce the probability of successful exploitation by protecting against security flaws in web applications. The types of attacks this can help prevent include SQL injection, cross-site scripting (XSS), and command injection.
- Audit the organization’s network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable unnecessary services and install available patches for the services in use. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
- Verify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a valid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
- Enable strong password requirements and account lockout policies to defend against brute-force attacks.
- Apply multi-factor authentication when possible.
- Maintain a good information back-up strategy by routinely backing up all critical data and system configuration information on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.
- Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
- Ensure third parties that require RDP access follow internal remote access policies.
- Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods, such as a VPN. However, recognize that a VPN is only as secure as the devices connected to it.
- Use security features provided by social media platforms; use strong passwords, change passwords frequently, and use a different password for each social media account.
- See CISA’s Tip on Best Practices for Securing Election Systems for more information.
4. Indicators of Compromise
Disclaimer: Many of the IPs used in the scanning and exploit activity are part of publicly available VPN services. Because these addresses are also available to legitimate paying users, organizations should thoroughly investigate them for false positives before adding them to a security service's block list.
Endnotes
- https://us-cert.cisa.gov/ncas/alerts/aa20-304a