The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert to warn that an Iranian threat actor recently accessed voter registration data.
The warning comes roughly one week after the United States revealed that the same adversary targeted Democratic voters in multiple states with emails seeking to intimidate them into voting for President Donald Trump.
In the previous alert, CISA and the FBI noted that the Iranian hackers targeted known vulnerabilities in virtual private network (VPN) products and content management systems (CMSs), including CVE-2020-5902 (code execution in F5 BIG-IP) and CVE-2017-9248 (XSS in Telerik UI).
Now, the two agencies reveal that the legitimate vulnerability scanner Acunetix was employed by the hackers in their endeavor, and that stolen data was used to send intimidation emails in at least four different states.
“CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election,” the alert reads.
Between September 29 and October 17, the adversary launched attacks on U.S. state websites, including election websites, to access voter information, CISA and the FBI say.
Observed activity includes exploitation of known vulnerabilities, the use of web shells, and the abuse of web application bugs.
“CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records,” CISA and the FBI say.
The two agencies also note that not all of the observed activity could be attributed to the same Iranian threat actor (which posed as the hate group Proud Boys), but did not share details on other threat groups involved in election targeting.
According to the alert, the Iran-based adversary used open-source queries to access PDF documents from state voter sites and also researched specific information to leverage in their exploitation attempts, namely the YOURLS exploit, bypassing the ModSecurity web application firewall, detecting web application firewalls, and an SQLmap tool.
To stay protected, the two agencies say, organizations should make sure their applications and systems are always up to date, that known vulnerabilities are identified and addressed, firewalls and other protections are implemented, and that two-factor authentication is used.
Related: US Officials Link Iran to Emails Meant to Intimidate Voters
Related: U.S. Voter Data Traded on Hacker Forums: Researchers
Related: Misconfigured Database Exposes Details of 191 Million Voters