IT admins have received a flash warning from the FBI to harden up their systems following attacks against servers run by two US state election boards.
The security advisory states that the security breaches in June and August emanated from IP addresses around the world and involved Acunetix, SQLMap, and DirBuster tools. It tells sysadmins to monitor logs for escalations of privileges, unusual SQL errors indicating injection attacks, and directory traversal attempts, such as:
GET /Login//..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd GET /Login//../../../../../../../../etc/passwd
The alert reads:
In late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor.
The IP addresses used in the infiltration belong to virtual servers hosted by Bulgaria's Fortunix Networks, Illian in the Netherlands, and Russia's King Networks: 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199.
"It was an eye opener," one senior law enforcement official told Yahoo! News. "We believe it's kind of serious, and we're investigating."
The June SQLi attack targeted the Illinois Board of Elections, and was used to swipe the personal data of 200,000 citizens, according to Ken Menzel, the general counsel of the Illinois Board of Elections. The database was taken offline for 10 days to fix the vulnerabilities exploited to gain access.
For what it's worth, as in many US states, in Illinois you can buy copies of the electoral register, which has every voter's personal record in it – so it's likely whatever the hackers gained was already public information. However, the next cyber-break-in could tamper with people's details rather than swipe them, or use a compromised database as a stepping stone to more important systems.
Menzel said he had been told by the FBI that "foreign hackers" compromised systems and that there was a "possible link" with the attack against the Democratic National Committee servers, which is believed by some to have been carried out by Russian state actors.
The other attack, carried out in August and believed to be against Arizona, was less successful but still concerning to the FBI.
Before anyone panics, it looks likely that this was a simple attack to steal personal information, rather than an attempt to change the course of the election. While the hacking of voting machines is a major concern, particularly in states that don't give paper receipts for votes, these are separate from the Election Board data.
Nevertheless, on August 15, Homeland Security Secretary Jeh Johnson had a conference call with state election officials, warning them to be on their guard against online attack. Johnson said that officials should take care that voting machines weren't connected to the internet and were fully patched against flaws. He pledged help for state officials in securing their systems, including having the DHS send specially trained staff to help. ®