An FBI memo citing information released by MS-ISAC (Multi-State Information Sharing Analysis Center) says that foreign actors are using common scanning tools to locate vulnerable election systems. There is evidence to suggest, but not conclusively prove, that at least two incidents are connected to these scans.
The Amber TLP memo, which was leaked to the press, is a need-to-know memo circulated by the FBI. The source of the leak isn't known.
The leaked memo focuses on information shared by MS-ISAC concerning the July 2016 data breach at a state election website. Further, the memo goes on to say that a second attempt was made in August 2016 on a separate election website. While the targeted election websites are not named, evidence suggests that the memo is referencing the incidents in Illinois and Arizona.
From the memo:
In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor, detailed in the indicators section below.
In late June, early-July, the Arizona Secretary of State's office closed down the state's voter registration system after someone compromised valid credentials and used them to access the system.
Shortly after that incident, on July 12, someone exploited the Illinois Voter Registration System (IVRS). According to Ken Menzel, the general counsel for the Illinois board of elections, the attackers were able to exploit "a chink in the armor in one small data field in the online registration system."
In a message posted to Facebook [ARCHIVE], said to be written by Kyle Thomas, director of the election board’s voting and registration systems division, the IVRS compromise was a direct result of an SQL Injection attack. In all, the records for up to 200,000 voters were accessed.
"The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity," the message posted to Facebook explained.
"They were able to retrieve a number of voter records. We are in the process of determining the exact number of voter records and specific names of all individuals affected."
According to the details shared by MS-ISAC in the FBI memo, the recorded attacks were carried out with common tools from VPS hosting accounts located in the Netherlands (illian networks), Russia (King Servers), and Bulgaria (HostZealot).
The IP addresses are below.
Fortunix Networks – d/b/a HostZealot (Bulgaria)
King Servers (UK Datacenter)
King Servers (Anguilla Datacenter)
- 188.8.131.52 - edwardsimpson.clientshostname.com
- 184.108.40.206 - josefwheeler.clientshostname.com
- 220.127.116.11 - billycollins.clientshostname.com
- 18.104.22.168 - jacksoncole.clientshostname.com
Illian networks (DuoCast)
While speculation is that a foreign actor has been targeting the voter databases, none of the recorded IP addresses discovered after the attacks / scans are conclusive proof of such theory. Someone in the U.S. could easily leverage such services and tools. Each logged provider offers a range of hosting options including VPS and VPN hosting.
Still, it's a good idea to flag these IP addresses if you are working in an environment that is in any way connected to the election cycle.
As mentioned, the memo spends some time talking about the tools used during the attacks. All of them are COTS (common of the shelf) tools that are available for download anywhere SQL Injection is being discussed.
Based on the recorded logs on the targeted server, the attackers are using the default tool settings. The Acunetix scanner was looking for test files ("wvstest=") in one case, which made the log standout to investigators. The SQLMap and DIRBuster applications were detected via user agent strings.
"GET /acunetix-wvs-test-for-some-inexistent-file - 443"
"GET /status.aspx DLIDNumber=1';DROP TABLE sqlmapoutput"
"Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.7;+en-US;+rv:22.214.171.124)+ Gecko/20100316+Firefox/3.6.2 200 0 0 421"
"DirBuster-1.0- RC1+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project> )"
The image below contains other IOCs listed by the memo.
So as things stand, what have we learned from the memo?
Those clued-in to the incidents already knew that SQL Injection was the likely cause of attack, as anyone familiar with the process could read between the lines when it came to the public statements.
The notion that attackers would use public VPS / VPN providers is also a common trick, so the actual identity of the attacker remains a mystery. Likewise, the use of common SQL Injection scanners isn't a big shock either.
The interesting takeaway in all of this is that a somewhat sensitive memo was leaked to the press. The source of the leak remains unknown, but flash memos coded to any severity other than Green rarely wind-up in the public eye. Doing so almost certainly sees access to such information revoked in the future.
And yet, there is nothing overly sensitive about the IOCs contained in this memo. The public was already aware of the attacks, and those in the industry were certain that something like SQL Injection was a possible factor. All this does is prove their hunches correct.
As for the attribution, that's mostly fluff and hype, often used to push an agenda. Those working in the trenches rarely care about the Who, they're more interested in What and How, so they can fix things and get the business back to operational status.
MS-ISAC discloses 3rd voting-related attack
This evening Michael Kan, who covers the security beat for IDG News, broke the story of a third voter-related attack.
According to Brian Calkin, vice president of operations for the Center of Internet Security, which runs MS-ISAC, this third incident happened in June. Someone sent a Phishing email to an election official that contained a key logging software. The malware enabled the attacker to compromise the official's credentials.
"This gave the hackers administrative privileges to modify voter registration records in the county. If the records had been deleted, the affected citizens wouldn’t have been able to vote, Calkin said on Monday. Fortunately, the attack was detected and no records had been found altered."