Hacker Claims “Minor” Data Breach at DELL; Leaks Over 10,000 Employee Details

A hacker claims Dell suffered a “minor” breach, exposing over 10,000 employee records. The incident raises cybersecurity concerns…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Talk of election security is good, but we still need more money to solve the problem

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that followed the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses, protecting everything from voting machines to online vote-tallying systems and countering social media disinformation campaigns.

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all of its election security goals.

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because of a lack of federal funding.

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

The one big thing 

Two vulnerabilities discovered by Cisco Talos’ Vulnerability Research team have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API.

Why do I care? 

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It is primarily used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution.

So now what? 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

Top security headlines of the week 

Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East. The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC)

Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it. New research findings indicate that groups like BianLian and Rhysida use Microsoft’s Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH)
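Because the transfer itself rides on a trusted Azure endpoint, the practical detection point is the endpoint telemetry: who ran AzCopy or Storage Explorer, from where, and towards which storage account. The script below is an added example written for this digest, not code from the research cited above. It runs over a handful of constructed process-creation log lines and flags Azure copy tooling that targets a storage account outside the organisation's own allowlist, runs on a host that is not expected to do bulk transfers, or executes from a user-profile path. The log format, the storage-account names and both allowlists are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed process-creation events (not real telemetry). Each line mirrors the
# fields an EDR or Sysmon event 1 would carry: timestamp, host, user, image, command line.
SAMPLE_EVENTS = [
    r'2024-09-18T02:14:07Z host=BKP01 user=CORP\svc_backup image=C:\Program Files\azcopy\azcopy.exe cmdline="azcopy.exe copy D:\Backups https://corpbackups.blob.core.windows.net/nightly --recursive"',
    r'2024-09-18T03:41:55Z host=FS02 user=CORP\jsmith image=C:\Users\jsmith\Downloads\azcopy.exe cmdline="azcopy.exe copy \\FS02\Finance https://xq7stg.blob.core.windows.net/out --recursive"',
    r'2024-09-18T03:50:12Z host=WS117 user=CORP\jsmith image=C:\Users\jsmith\AppData\Local\Programs\Microsoft Azure Storage Explorer\StorageExplorer.exe cmdline="StorageExplorer.exe"',
    r'2024-09-18T08:02:30Z host=WS118 user=CORP\mlee image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

# Assumed allowlists: storage accounts the organisation owns, and hosts expected
# to run bulk Azure transfer tooling (e.g. a backup server).
KNOWN_STORAGE_ACCOUNTS = {"corpbackups"}
KNOWN_TRANSFER_HOSTS = {"BKP01"}

# Tools named in the research summary above.
TRANSFER_TOOLS = {"azcopy.exe", "storageexplorer.exe"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)
# Azure storage account names are lowercase letters and digits; the blob
# endpoint always sits under blob.core.windows.net.
BLOB_RE = re.compile(r"https?://(?P<account>[a-z0-9]+)\.blob\.core\.windows\.net", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    account: str | None
    reasons: list[str] = field(default_factory=list)


def analyse_event(line: str) -> Finding | None:
    """Return a Finding if the event is a suspicious Azure transfer-tool execution, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not in the expected format; a real pipeline would count parse failures
    image = m["image"]
    tool = image.rsplit("\\", 1)[-1].lower()
    if tool not in TRANSFER_TOOLS:
        return None

    reasons: list[str] = []
    blob = BLOB_RE.search(m["cmdline"])
    account = blob["account"].lower() if blob else None
    if account is not None and account not in KNOWN_STORAGE_ACCOUNTS:
        reasons.append(f"copy to storage account '{account}' not in allowlist")
    if m["host"] not in KNOWN_TRANSFER_HOSTS:
        reasons.append(f"transfer tool run on non-transfer host {m['host']}")
    if "\\users\\" in image.lower():
        reasons.append("tool executed from a user profile path")

    if not reasons:
        return None
    return Finding(m["ts"], m["host"], m["user"], tool, account, reasons)


def analyse(lines: list[str]) -> list[Finding]:
    """Run the per-event check over a batch of log lines and keep only the hits."""
    return [f for f in (analyse_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(f"{finding.ts} {finding.host} {finding.user} {finding.tool} -> {finding.account}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The backup server's scheduled AzCopy job to the organisation's own account produces no finding; the same binary dropped into a user's Downloads folder and pointed at an unknown account trips all three checks. Tuning the two allowlists from an inventory of legitimate storage accounts and transfer hosts is what keeps this rule quiet in production.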

Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them. This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence)

Can’t get enough Talos? 

Despite Russia warnings, Western critical infrastructure remains unprepared

The Cybersecurity Cat-And-Mouse Game

DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites

Upcoming events where you can find Talos

VB2024 (Oct. 2 – 4) 

Dublin, Ireland 

MITRE ATT&CKcon 5.0 (Oct. 22 – 23) 

McLean, Virginia and Virtual

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. They will then take a technical deep dive into the latest Linux variant, using the ATT&CK framework to uncover its tactics, techniques and procedures.

misecCON (Nov. 22) 

Lansing, Michigan

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59 
MD5: 3b100bdcd61bb1da816cd7eaf9ef13ba 
Typical Filename: vt-upload-C6In1 
Claimed Product: N/A  
Detection Name: Backdoor:KillAV-tpd  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: RF.Talos.80 

SHA 256: 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668 
MD5: 49d35332a1c6fefae1d31a581a66ab46 
Typical Filename: 49d35332a1c6fefae1d31a581a66ab46.virus 
Claimed Product: N/A   
Detection Name: W32.Auto:70ff63.in03.Talos 

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66 
MD5: 8b84d61bf3ffec822e2daf4a3665308c 
Typical Filename: RemComSvc.exe 
Claimed Product: N/A 
Detection Name: W32.3A2EA65FAE-95.SBX.TG 

SHA 256: 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c 
MD5: fab8aabfdabe44c9a1ffa779fda207db 
Typical Filename: ACenter.exe 
Claimed Product: Aranda AGENT 
Detection Name: Win.Trojan.Generic::tg.talos  

Cisco Talos Blog – Read More

17 arrested in takedown targeting phishing service with nearly 500,000 victims

Law enforcement in Spain, Argentina, Chile, Colombia, Ecuador and Peru last week conducted 17 arrests and seized more than 900 items, including phones, electronic devices, cars and weapons as part of a takedown operation on a phishing service.

The Record from Recorded Future News – Read More

Handala’s Cyber Offensive: Allegations of Explosive Sabotage and Israeli-Mossad Involvement Amid Middle East Tensions

Disclaimer: This is a cybersecurity blog focused primarily on reporting the technical aspects surrounding the event. While we acknowledge the geopolitical implications of certain events and recognize that our reporting may lean towards the Western perspective, our goal is still to keep the discussion centered around technology, potential supply chain attacks, and their security implications.

TechSplicer Blog – Read More

Google rolls out automatic passkey syncing via Password Manager

Passkeys, the digital credentials that let you sign into apps and websites without entering a password, are getting easier to use for Chrome users. Starting today, you can save passkeys to Google Password Manager, Google’s password manager built into Chrome on Windows, macOS, and Linux, so that your passkeys automatically sync across your signed-in devices. […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – Read More

Spearphishing tricks in mass emails | Kaspersky official blog

The trend of using spearphishing techniques in mass emails continues to gain momentum. We recently came across a sample email in which attackers used a whole box of relatively sophisticated spearphishing tricks. One might think that using such tactics for a “mere” mass phishing attack would be overkill in terms of effort on the attackers’ side; in this case, however, the attackers gave it a shot anyway (though detailed analysis reveals the attack was doomed from the start). In any case, it presented us with an excellent opportunity to take a dive into the techniques employed by phishers.

Email mimicking update of corporate guidelines

Almost everything about the email is spot on. It’s addressed to a specific individual within a specific organization, and uses ghost spoofing for the sender’s name — that is, the “From” field displays a forgery of the legitimate address of the target company (which, of course, has no relation to the address in the “Reply To” field).

The email is sent through the infrastructure of a reputable marketing company, raising no red flags with email filters. What’s more, the name of this company and the top-level domain hosting its website are deliberately chosen to lull the recipient’s vigilance — the website’s based in Indonesia, and the victim may well perceive the “.id” domain as an abbreviation for “identifier” rather than a country code. Alongside the spoofed address in the “From” field, it looks convincing enough:

Email mimicking update of corporate guidelines.

But that’s not all. In the email body there’s practically zero text — only a copyright line and an unsubscribe link (both of which, as it happens, are inserted by the mail engine of the legitimate company used to send the message). Everything else, including the recipient’s name, is an image. This is to prevent anti-phishing mechanisms from applying text-based filtering rules.

An attached PDF file is used instead of a direct phishing link for the same reason. Websites can easily be blacklisted and blocked at the mail-server level. A PDF file, on the other hand, appears as a completely legitimate attachment.

PDF attachment

In actual fact, attackers have long been concealing links in PDF files. Thus, in theory, security software should be able to analyze a PDF — including any text and links within. But the creators of this phishing campaign were wise to that as well. Their PDF technically has no text or links in it whatsoever. Instead, it presents another image featuring a QR code and embedded accompanying text.
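The header and body tricks described above (a forged address in the display name, a Reply-To pointing elsewhere, an image-only body with a trivial amount of real text, and a PDF standing in for the phishing link) are each individually checkable at the mail gateway. The script below is an added example written for this digest, not Kaspersky's code or detection logic. It parses a constructed message modelled on the one described, using only Python's standard email library, and reports which of those indicators are present. The sender, recipient and marketing-platform domains are made up, the 120-character body-text threshold is an assumption, and the PDF is only detected as an attachment: inspecting its contents for an image carrying a QR code is outside what this example does.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample, not the message from the post. Display name carries a forged
# address at the target company, the real sender is a marketing platform, Reply-To
# points somewhere else, the body is an image plus the platform's footer, and a
# PDF is attached. The image and PDF payloads are tiny stand-ins.
SAMPLE_EMAIL = """\
From: "hr@target-company.example" <campaign-4471@mail.marketing-service.example>
Reply-To: documents@reply-mailbox.example
To: jane.doe@target-company.example
Subject: Updated corporate guidelines
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:body-image"><p>&copy; 2024 Marketing Service.
<a href="https://mail.marketing-service.example/unsubscribe">Unsubscribe</a></p></body></html>
--inner
Content-Type: image/png; name="body.png"
Content-ID: <body-image>
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--inner--
--outer
Content-Type: application/pdf; name="Guidelines.pdf"
Content-Disposition: attachment; filename="Guidelines.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MK
--outer--
"""

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TAG_RE = re.compile(r"<[^>]+>")
# Assumed threshold: a body with an inline image and fewer visible characters
# than this is treated as "image-only" (the text is just the platform footer).
MIN_BODY_TEXT_CHARS = 120


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def first_address(msg: EmailMessage, header: str) -> tuple[str, str]:
    """Return (display_name, addr_spec) of the first mailbox in a header, or empty strings."""
    h = msg.get(header)
    if h is None or not getattr(h, "addresses", ()):
        return "", ""
    a = h.addresses[0]
    return a.display_name, a.addr_spec


def analyse_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = first_address(msg, "From")
    _, reply_to = first_address(msg, "Reply-To")
    _, recipient = first_address(msg, "To")

    # Ghost spoofing: the display name itself looks like an address whose domain
    # differs from the domain of the address that actually sent the mail.
    spoofed = ADDRESS_RE.search(display_name)
    spoofed_domain = domain_of(spoofed.group(0)) if spoofed else ""
    ghost_spoofing = bool(spoofed) and spoofed_domain != domain_of(from_addr)
    impersonates_recipient_org = bool(spoofed) and spoofed_domain == domain_of(recipient)
    reply_to_mismatch = bool(reply_to) and domain_of(reply_to) != domain_of(from_addr)

    # Body shape: count visible text characters versus image parts and PDF attachments.
    text_chars = 0
    inline_images = 0
    pdf_attachments = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body = TAG_RE.sub(" ", body)
            text_chars += len(re.sub(r"\s+", "", body))
        elif ctype.startswith("image/"):
            inline_images += 1
        elif ctype == "application/pdf":
            pdf_attachments.append(part.get_filename() or "<unnamed>")

    findings = {
        "ghost_spoofing": ghost_spoofing,
        "impersonates_recipient_org": impersonates_recipient_org,
        "reply_to_mismatch": reply_to_mismatch,
        "image_only_body": inline_images > 0 and text_chars < MIN_BODY_TEXT_CHARS,
        "pdf_attachments": pdf_attachments,
    }
    flags = ("ghost_spoofing", "impersonates_recipient_org", "reply_to_mismatch", "image_only_body")
    findings["indicator_count"] = sum(1 for k in flags if findings[k]) + (1 if pdf_attachments else 0)
    return findings


if __name__ == "__main__":
    for key, value in analyse_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

None of these indicators is conclusive on its own: marketing platforms legitimately send on behalf of other domains, and plenty of newsletters are mostly image. The value is in the combination, which is why the function returns an indicator count rather than a verdict; a gateway rule would typically quarantine or tag above some count and leave single hits alone.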

Contents of the attached PDF file: the QR code contains a malicious link.

In addition, the PDF mimics the interface of DocuSign, a well-known service used for electronic document management. DocuSign does indeed allow you to send documents for signing, and to track their status. But, of course, it has nothing to do with PDF files housing a QR code.

At this point, it becomes painfully obvious that the attackers overcooked the attack. The victim receives what seems to be confidential corporate guidelines by email, but to read them they need to scan a QR code with a mobile phone — not exactly realistic. Most employees won’t bother — especially if they use their own (non-corporate) phone.

Epic fail: the phishing website

So what happens if the victim does pull out their phone and scan the code? Well, for starters, they’ll be greeted by Cloudflare’s verification system and asked to prove they’re human. Cloudflare is a legitimate service to guard against DDoS attacks, and cybercriminals like to put their phishing pages behind it to add plausibility.

But after that it’s a disaster. The website plays an animation of an envelope opening, then crashes with an error message.

Phishing site that appears to have an overdue bill.

It appears the attackers forgot to renew their subscription to the hosting services. Maybe the site had some more kooky tricks in store for the victim, but by the time the phishing emails were being pumped out, it was already defunct.

How to stay safe

To protect company employees from phishing:

Secure corporate email at the mail-gateway level.
Use local security solutions with anti-phishing technologies on all work devices (including mobile ones).
Inform employees of the latest phishing tricks (for example, by pointing them toward our posts regarding signs of phishing).
Hold regular cybersecurity awareness training for staff.

Kaspersky official blog – Read More

Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware

A new phishing campaign uses fake CAPTCHA verification pages to trick Windows users into running malicious PowerShell commands,…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Google Chrome just made it even easier to use passkeys across all your devices

The tech giant is slowly making strides towards a passwordless future. Here’s why that’s a very good thing.

Latest stories for ZDNET in Security – Read More

Digital Maturity Key to AI Success in Australian Cyber Security

ManageEngine reveals that digital maturity is essential for AI success in Australian cybersecurity. Discover how streamlined processes and automation boost AI ROI and effectiveness.

Security | TechRepublic – Read More

Opnova Banks Seed Capital to Tackle Security, IT Automation

Serial entrepreneur Sinan Eren is back with Opnova, a startup working on automating security workflows with limited human supervision.

The post Opnova Banks Seed Capital to Tackle Security, IT Automation appeared first on SecurityWeek.

SecurityWeek – Read More