U.S. Govt Released Advisory on how Iranian APT Group Obtained Voter Registration Data

The CISA (Cybersecurity and Infrastructure Security Agency) has recently released a joint cybersecurity advisory on comprehensive, advanced persistent threat (APT) activity along with the Federal Bureau of Investigation (FBI).

The FBI has shared indicators of compromise (IOCs), which are linked with the Iranian state-sponsored cybercrime group that targeted the democratic voters. The report also claimed that this threat actor are also responsible for voter intimidation emails.

However, the U.S. Govt. has claimed that Iran has been sending emails to U.S. voters to frighten them at the polls. That’s why the U.S. issued a warning on Wednesday after voters in Alaska, Arizona, and Florida disclosed that they are also receiving emails with the subject line “Vote Trump or Else.” 

Technical Details

Between September 20 and September 28, 2020, the threat actors have scanned the state websites to cover the state election websites with the Acunetix vulnerability scanner’s help. According to the CISA and FBI, Acunetix is a broadly used and reliable web scanner, and hackers are using this scanner for all kinds of wicked purposes.  

However, the hackers have tried to exploit websites to get copies of voter registration data from September 29 and October 17, 2020. 

FBI and CISA affirmed that this exploitation includes all known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging novel flaws in websites. 

Besides this, the FBI has also analyzed the case of the Iranian APT actor and has identified that they target U.S. elections’ infrastructure.

The threat actors have also used the IP addresses and the IP ranges within a related timeframe. All these include various virtual private network (VPN) service exit nodes, as this correlated to this Iran APT actor.

Information Researched by Threat Actors

According to the FBI report, the threat actors have researched the following information:-

  • YOURLS exploit
  • Bypassing ModSecurity Web Application Firewall
  • Detecting Web Application Firewalls
  • SQLmap tool

CISA’s summary has recognized that the threat actors have scanned various items and objects by the Acunetix Web Vulnerability scanning platform between September 20 and September 28, 2020. The companies can easily recognize the Acunetix scanning activity by utilizing the following keywords while conducting the log analysis:-

  • $acunetix
  • acunetix_wvs_security_test

IPs used 

  • 102.129.239[.]185 (Acunetix Scanning)
  • 143.244.38[.]60 (Acunetix Scanning and cURL requests)
  • 45.139.49[.]228 (Acunetix Scanning)
  • 156.146.54[.]90 (Acunetix Scanning)
  • 109.202.111[.]236 (cURL requests)
  • 185.77.248[.]17 (cURL requests)
  • 217.138.211[.]249 (cURL requests)
  • 217.146.82[.]207 (cURL requests)
  • 37.235.103[.]85 (cURL requests)
  • 37.235.98[.]64 (cURL requests)
  • 70.32.5[.]96 (cURL requests)
  • 70.32.6[.]20 (cURL requests)
  • 70.32.6[.]8 (cURL requests)
  • 70.32.6[.]97 (cURL requests)
  • 70.32.6[.]98 (cURL requests)
  • 77.243.191[.]21 (cURL requests and FDM+3.x (Free Download Manager v3) enumeration/iteration)
  • 92.223.89[.]73 (cURL requests)

Mitigations

  • Always verify the input as a method of sanitizing untrusted information presented by web app users.
  • Remember to audit your network for systems utilizing the Remote Desktop Protocol (RDP) and other internet-facing services.
  • Always check the cloud-based virtual machine cases with a public IP, and bypass using open RDP ports.
  • Always use strong passwords and account lockout methods.
  • Always implement multi-factor authentication. 
  • Assure the third parties that need RDP access to follow internal remote access methods.
  • Control and limit external to internal RDP connections.
  • Remember to have all the applications and systems updated and well patched.
  • Always scan web applications for SQL injection.
  • Use a web application firewall.
  • Rectify all significant web application security risks. 
  • Use various techniques to guard against web shells.

The Russian state-backed APT threat group, which was identified as Energetic Bear, has stolen data from breached U.S. government networks during the last two months.

Moreover, the FBI also published another report earlier this week regarding the hackers stealing data from U.S. government agencies and enterprise organizations through insecure SonarQube instances.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Also Read: Iranian APT Group Hacked Security Conference Attendees

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.