CVSS2: 10 High (Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3: 9.8 High (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 10 High (Confidence: High)
EPSS: 0.976 High (Percentile: 100.0%)
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.
The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.
The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.
These actors have conducted a significant number of intrusions against U.S.-based networks since August 2019. The actors leveraged several Common Vulnerabilities and Exposures (CVEs), notably CVE-2020-5902 and CVE-2017-9248, pertaining to virtual private networks (VPNs) and content management systems (CMSs).
Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. These activities could render these systems temporarily inaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of results.
The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:
(… tinyurl, bit.ly).
Apply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These "N-day" exploits can be as damaging as zero-day exploits. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender's patch cycle.[3] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool[4]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.
Implement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner.[5] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.
Deploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.
Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware.[6] Malicious cyber actors often deploy web shells, software that can enable remote administration, on a victim's web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.
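The baseline comparison that the web shell guidance [6] describes, shown as an added example that is not code from the advisory: a known-good manifest of the web root is taken right after deployment and later diffed against the live tree, so files that were added or modified (the way web shells are typically dropped) stand out. The extension list, the temporary web root and its files are constructed for the demonstration.

```python
# Added example, not the advisory's own code: flag web shell candidates by
# comparing a web root against a known-good file manifest, the baseline
# comparison the "Detect and Prevent Web Shell Malware" guidance recommends.
import hashlib
import tempfile
from pathlib import Path

# Server-side executable extensions (assumed list): a new or changed file
# with one of these in a web root deserves the closest look.
EXEC_EXTS = {".php", ".aspx", ".asp", ".jsp", ".jspx", ".cfm"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Known-good snapshot taken right after deployment: relpath -> sha256."""
    return {p.relative_to(webroot).as_posix(): sha256_file(p)
            for p in webroot.rglob("*") if p.is_file()}


def find_suspicious(webroot: Path, manifest: dict) -> dict:
    """Diff the live web root against the manifest; executable additions first."""
    current = build_manifest(webroot)
    added = [p for p in current if p not in manifest]
    added.sort(key=lambda p: (Path(p).suffix.lower() not in EXEC_EXTS, p))
    return {
        "added": added,
        "modified": [p for p in current if p in manifest and current[p] != manifest[p]],
        "removed": [p for p in manifest if p not in current],
    }


def demo() -> dict:
    """Constructed scenario: clean deploy, then a PHP file appears under css/
    and an existing page is altered, the footprint of a dropped web shell."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        baseline = build_manifest(root)
        (root / "css" / "img.php").write_text("<?php /* constructed */ ?>")
        (root / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>")
        return find_suspicious(root, baseline)
```

In production the manifest should be stored off the web server (an attacker who can write the web root can also edit a manifest kept beside it), and hits should be correlated with the web server's access logs for the flagged paths.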
Prioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[7] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs).[8] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.
Identify and remediate critical web application security risks first; then move on to other, less critical vulnerabilities. Follow available guidance on securing web applications.[9],[10],[11]
It may take time for your organization's IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization's essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.
To report an intrusion and to request incident response resources or technical assistance, contact CISA ([email protected] or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI's Cyber Division ([email protected] or 855-292-3937).
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].
[1] F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902, support.f5.com/csp/article/K52145254
[2] Progress Telerik details for CVE-2017-9248, www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
[3] NSA "NSA's Top Ten Cybersecurity Mitigation Strategies", www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf
[4] OWASP Dependency-Check Project, owasp.org/www-project-dependency-check/
[5] NSA "Defending Against the Exploitation of SQL Vulnerabilities to Compromise a Network", apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm
[6] NSA & ASD "Cybersecurity Information: Detect and Prevent Web Shell Malware", media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
[7] CISA "Identifying and Protecting High Value Assets: A Closer Look at Governance Needs for HVAs", us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs
[8] NSA "NSA's Top Ten Cybersecurity Mitigation Strategies", www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf
[9] NSA "Building Web Applications: Security for Developers", apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm
[10] OWASP Top Ten, owasp.org/www-project-top-ten/
[11] 2020 CWE Top 25 Most Dangerous Software Weaknesses, cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
October 22, 2020: Initial Version