The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory that warns government agencies and elections organizations to be wary of cyberattacks that chain together attacks against multiple known vulnerabilities. This commonly used tactic, known as vulnerability chaining, seeks to exploit multiple vulnerabilities within a single intrusion in a way that distracts cybersecurity teams from the primary effort to install more lethal malware that might be activated at a later date.
The advanced persistent threats (APTs) identified by CISA appear to be aimed at support systems that are employed as part of the election process. CISA is warning that a compromise of those systems could potentially result in malware finding its way onto an actual election system. CISA reports that as yet there is no evidence that the integrity of elections data has been compromised.
Elections are administered by the individual states, and the systems used to tally these votes have been the subject of cyberattacks since as early as 2016. In Rage, a book recently published by Bob Woodward, it is reported that two counties in Florida had electoral systems compromised. However, it’s not clear if any data was altered.
CISA reports it has observed APT attacks exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability (CVE-2020-1472) that was recently discovered in Windows Netlogon. CISA notes that some of these attacks are also using known vulnerabilities to compromise Microsoft Active Directory (AD) identity services and virtual private networks (VPNs) based on the Remote Desktop Protocol (RDP).
IT teams are advised to review internet-facing infrastructure for these and other known vulnerabilities involving Secure Sockets Layer (SSL) protocols, mobile computing devices, software-defined wide area networks (SD-WANs) and firewalls.
In the final weeks running up to the election, it would appear cybersecurity is once again going to be a national issue. SecurityScorecard issued a report this week that gave 75% of the states a rating of “C” or lower for election security. The U.S. Congress has not allocated additional funds for election security, and officials responsible for election security in the Trump administration are now only briefing select members of Congress about election security in the wake of a whistleblower complaint that alleges previous reports downplayed interference from Russia.
Previously, some states have leaned on the cybersecurity expertise of their National Guard units to shore up local officials that tend to have a lot of cybersecurity expertise. Unlike a professional IT security services firm, the expertise provided by National Guard units is available at a price point many states feel they can afford.
Political infighting aside, it’s clear there’s plenty of opportunity for improving election security. If there is no air gap between election systems and other IT platforms, data could prove to be more vulnerable than politicians from either party fully appreciate. The challenge now is to make sure a cybersecurity issue doesn’t taint an election process that is already likely to be the subject of innumerable lawsuits.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.