Talk of election security is good, but we still need more money to solve the problem
Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election.
Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day.
It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.
As with many things in politics and life, though, there is still an issue of money.
Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.
Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.
“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.”
Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016.
At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002.
One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.
JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding.
So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money.
The one big thing
Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API.
Why do I care?
AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution.
So now what?
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Top security headlines of the week
Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East. The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC)
Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it. New research findings indicate that groups like BianLian and Rhysida use Microsoft’s Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH)
Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them. This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence)
Can’t get enough Talos?
Despite Russia warnings, Western critical infrastructure remains unprepared The Cybersecurity Cat-And-Mouse Game DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites
Upcoming events where you can find Talos
VB2024 (Oct. 2 – 4)
Dublin, Ireland
MITRE ATT&CKcon 5.0 (Oct. 22 – 23)
McLean, Virginia and Virtual
Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.
misecCON (Nov. 22)
Lansing, Michigan
Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.
Most prevalent malware files from Talos telemetry over the past week
SHA 256: b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59
MD5: 3b100bdcd61bb1da816cd7eaf9ef13ba
Typical Filename: vt-upload-C6In1
Claimed Product: N/A
Detection Name: Backdoor:KillAV-tpd
SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: RF.Talos.80
SHA 256: 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668
MD5: 49d35332a1c6fefae1d31a581a66ab46
Typical Filename: 49d35332a1c6fefae1d31a581a66ab46.virus
Claimed Product: N/A
Detection Name: W32.Auto:70ff63.in03.Talos
SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66
MD5: 8b84d61bf3ffec822e2daf4a3665308c
Typical Filename: RemComSvc.exe
Claimed Product: N/A
Detection Name: W32.3A2EA65FAE-95.SBX.TG
SHA 256: 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c
MD5: fab8aabfdabe44c9a1ffa779fda207db
Typical Filename: ACenter.exe
Claimed Product: Aranda AGENT
Detection Name: Win.Trojan.Generic::tg.talos
Cisco Talos Blog – Read More