From the “we better be paying attention to this” department comes Google’s recent Mandiant report that lists a dozen different ways cyber threat actors can influence elections. From the executive summary:
- The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections.
- Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.
- When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.
- Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity.
- Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google’s Advanced Protection Program to protect high-risk accounts.
Madison Horn (OK-5) Congressional Candidate had this comment:
In the recent Mandiant report by Google, a range of cyber threats to elections is detailed, but the proliferation of mis- and disinformation campaigns stands out as particularly alarming. These campaigns, which meticulously erode trust in governmental institutions and corrupt democratic processes, pose a severe threat that transcends political lines and demands immediate action.
Driven by motives ranging from shifting electoral outcomes to undermining public confidence and generating profit, these disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran. Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 U.S. election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity.
The avenues for these campaigns are primarily popular social media platforms—X, Telegram, Facebook—and YouTube, making the digital battlefield as accessible as it is dangerous. The consequences are profound, resulting in increased voter disengagement, the rise of unqualified leaders, and the destabilization of nations.
This is an urgent security issue that cannot be politicized. The integrity of our democracy is in jeopardy, making it imperative that we elect officials who grasp the complexity of these modern challenges. We need leaders who are committed to implementing robust cybersecurity measures, enhancing digital literacy, and fostering international cooperation to counteract the pervasive influence of state-sponsored disinformation. Our response must be swift and resolute to safeguard our democratic processes.
My opinion is that we all need to be paying attention to this and acting on this report to make sure that elections regardless of where they are are conducted in a free and fair manner without interference. The thing that concerns me is that we live in such a partisan environment at the moment that this could become a partisan issue. And it shouldn’t be regardless wherever on the political spectrum you happen to be on.
Cisco Warns Of State Sponsored Attacks On Their Networking Gear…. YIKES!
Posted in Commentary with tags Cisco on April 27, 2024 by itnerdFrom the “OMFG this is HUGE!” department comes this warning from networking gear company Cisco. In short, their gear along with other vendors gear are being attacked by state sponsored actors:
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments.
Cisco’s position as a leading global network infrastructure vendor gives Talos’ Intelligence and Interdiction team immense visibility into the general state of network hygiene. This also gives us uniquely positioned investigative capability into attacks of this nature. Early in 2024, a vigilant customer reached out to both Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos to discuss security concerns with their Cisco Adaptive Security Appliances (ASA). PSIRT and Talos came together to launch an investigation to assist the customer. During that investigation, which eventually included several external intelligence partners and spanned several months, we identified a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor.
UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.
The reason why this is huge is that Cisco is by far the number one vendor of networking gear. Thus it perhaps isn’t shocking that they will be the number one target for threat actors wanting to find vulnerabilities to exploit. Yes, this warning makes mention of “network devices from other vendors”, but what that means is that everyone regardless of whether they use Cisco gear or not should be very, very concerned.
Now this warning has some mitigation steps that Cisco customers and others should read:
Working with victims and intelligence partners, Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While we have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359), which we detail below. Customers are strongly advised to follow the guidance published in the security advisories discussed below.
Further, network telemetry and information from intelligence partners indicate the actor is interested in — and potentially attacking — Microsoft Exchange servers and network devices from other vendors. Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and are configured to have strong, multi-factor authentication (MFA). Additional recommendations specific to Cisco are available here.
Thus this is a great time to patch all the things and implement some sort of MFA or paswordless authentication system to protect yourself. Because this is a today problem which requires a today solution to avoid getting pwned by whomever this threat actor is.
Leave a comment »