Yesterday (4 May 2024), Main stream

Airsoft Data Breach Exposes Data of 75,000 Players – Source: securityboulevard.com


Source: securityboulevard.com – Author: Nathan Eddy. Failure to properly configure authentication led to malicious actors exploiting the database backups of Airsoftc3.com, a popular Airsoft enthusiast community site, according to Cybernews researchers, who discovered the breach in December. The breach exposed sensitive user data, affecting approximately 75,000 individuals within the community involved with Airsoft, a team-based […]

The entry Airsoft Data Breach Exposes Data of 75,000 Players – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Cloud Monitor Automation Thwarts Phishing & Malware Emails – Source: securityboulevard.com


Source: securityboulevard.com – Author: Alexa Sander. We recently hosted Michael Tapia, Chief Technology Director at Clint ISD in Texas, and Kobe Brummet, Cybersecurity Technician at Hawkins School District in Tennessee, for a live webinar. Michael and Kobe volunteered to share with other K-12 tech pros how important cybersecurity and safety monitoring are for Google Workspace, […]

The entry Cloud Monitor Automation Thwarts Phishing & Malware Emails – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Unlocking SMB Cybersecurity: The Rise of Virtual CISOs in 2024 and Beyond – Source: securityboulevard.com


Source: securityboulevard.com – Author: Matthew Rosenquist. This year, virtual CISOs must begin making a difference in our industry. For the longest time, small and medium businesses (SMBs) have been abandoned by the cybersecurity industry. But SMBs need security leaders to guide them through the maze of cyber risk and craft practical strategies that align with […]

The entry Unlocking SMB Cybersecurity: The Rise of Virtual CISOs in 2024 and Beyond – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Cloud Monitor Automation Thwarts Phishing & Malware Emails

3 May 2024 at 17:33

We recently hosted Michael Tapia, Chief Technology Director at Clint ISD in Texas, and Kobe Brummet, Cybersecurity Technician at Hawkins School District in Tennessee, for a live webinar. Michael and Kobe volunteered to share with other K-12 tech pros how important cybersecurity and safety monitoring are for Google Workspace, Microsoft 365, and online browsing. They […]

The post Cloud Monitor Automation Thwarts Phishing & Malware Emails appeared first on ManagedMethods.

The post Cloud Monitor Automation Thwarts Phishing & Malware Emails appeared first on Security Boulevard.

Before yesterday, Main stream

Top 5 Global Cyber Security Trends of 2023, According to Google Report – Source: www.techrepublic.com


Source: www.techrepublic.com – Author: Fiona Jackson. It is taking less time for organisations to detect attackers in their environment, a report by Mandiant Consulting, part of Google Cloud, has found. This suggests that companies are strengthening their security posture. The M-Trends 2024 report also highlighted that the top targeted industries of 2023 were financial […]

The entry Top 5 Global Cyber Security Trends of 2023, According to Google Report – Source: www.techrepublic.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Unlocking SMB Cybersecurity: The Rise of Virtual CISOs in 2024 and Beyond

3 May 2024 at 14:49


This year, virtual CISOs must begin making a difference in our industry. For the longest time, small and medium businesses (SMBs) have been abandoned by the cybersecurity industry. But SMBs need security leaders to guide them through the maze of cyber risk and craft practical strategies that align with their unique, ever-evolving business objectives.

Sadly, SMBs cannot afford an experienced full-time CISO. They often either ignore the risks or get lured into purchasing shiny tools that do not meet their overall needs. Before spending money on security solutions, it is crucial to understand the risks and develop clear objectives that support the overall business goals.

This is the role of a CISO: to set the direction and establish cybersecurity program foundations that will meet the expectations of the Board and C-suite.

However, there are not enough CISOs to go around, which puts a high premium on their time. Hiring a CISO can cost hundreds of thousands of dollars, far beyond what most SMBs are willing to commit. But they do not actually need a full-time CISO. An hour or two may be perfect for guidance, leadership, and strategy development. This is where the fractional/virtual CISO (vCISO) community can play a role!

Experienced CISOs often have a few hours extra per week and yearn to take on new challenges, as long as it does not impact their day job. Many retiring CISOs still have the itch to contribute, but do not want to commit the long hours of managing all the operations and details. They would rather leverage their experience to provide guidance and help organizations avoid costly pitfalls.

It becomes a perfect fit.

Experienced leaders offer guidance at a fraction of the cost, with short-term contracts keeping commitments flexible. Everyone wins.

vCISOs can provide leadership without being tied to the demanding operational aspects. By dedicating a few hours a week, vCISOs help SMBs benefit from experienced cyber risk leadership with direction, focus, and an understanding of the evolving risks. SMBs can then make informed business decisions that properly account for cybersecurity factors. The practical benefits include effective prioritization and efficient allocation of resources for an optimized cybersecurity posture, based upon their unique needs.

There are risks in the vCISO market. Two things to watch out for:

First, beware of vCISO services offered by security vendors masquerading as impartial advisors. In many cases, this is just a ploy to get customers to buy the parent company’s products or services. These people are effectively used as a sales channel and incentivized to convince SMBs to purchase their wares. They are not necessarily looking out for their clients’ best interests. Instead, seek out vendor-agnostic vCISOs that will work with what you have and align recommendations to your actual needs.

Second, many will assert themselves as seasoned cybersecurity leaders, but in actuality lack the practical experience needed to be a successful vCISO. Let’s be clear: a vCISO is NOT an entry-level job. Rather, it is the opposite.

An experienced cybersecurity leader can quickly understand the major risks and business needs, develop a customized set of strategic plans for a specific organization, and communicate effectively to executives so they may rapidly understand and make well-informed decisions. vCISOs must be vetted properly to make sure they can deliver quality results in very limited timeframes. Otherwise, it will be money wasted!

If you are interested in exploring how vCISOs can help businesses, sectors, or various audiences, reach out to me directly or visit my website. We must purposefully work to support the SMB community. Let’s join forces to make this year a turning point in fortifying SMBs and bolstering their digital security and competitiveness!

The post Unlocking SMB Cybersecurity: The Rise of Virtual CISOs in 2024 and Beyond appeared first on Security Boulevard.

Navigating Container Security with AttackIQ’s Optimization Solutions

3 May 2024 at 14:15

As businesses continue to adopt container technologies such as Docker and Kubernetes for their deployment efficiency and scalability, they also face a growing challenge: securing these environments. Container security is still a developing field, with many organizations just beginning to understand the extent and effectiveness of the necessary security controls.

The post Navigating Container Security with AttackIQ’s Optimization Solutions appeared first on AttackIQ.

The post Navigating Container Security with AttackIQ’s Optimization Solutions appeared first on Security Boulevard.

CEO Discusses MDR Service With a Risk-Based Approach

3 May 2024 at 13:31

Every organization has its own combination of cyber risks, including endpoints, internet-connected devices, apps, employees, third-party vendors, and more. Year after year, the risks continue to grow more complex and new threats emerge as threat actors become more sophisticated and the use of artificial intelligence aids their efforts. There’s not much an individual organization can...

The post CEO Discusses MDR Service With a Risk-Based Approach appeared first on Pondurance.

The post CEO Discusses MDR Service With a Risk-Based Approach appeared first on Security Boulevard.

GitLab ‘Perfect 10’ Bug Gets a CISA Warning: PATCH NOW

3 May 2024 at 13:05
Extreme closeup of “TEN” on US$10 note

Password reset FAILURE: The U.S. Cybersecurity and Infrastructure Security Agency warns GitLab users of a 100-day-old, maximum severity vulnerability.

The post GitLab ‘Perfect 10’ Bug Gets a CISA Warning: PATCH NOW appeared first on Security Boulevard.

The Persistent Threat of Path Traversal Vulnerabilities in Software Development

3 May 2024 at 05:35

Path traversal vulnerabilities, or directory traversal, are now subject to a government advisory for obligatory consideration. We live in an environment where digital infrastructure is increasingly fundamental to business operations across all business sectors, and the security of software products is a paramount concern. The FBI and CISA (Cybersecurity and Infrastructure Security Agency) have recently...

The post The Persistent Threat of Path Traversal Vulnerabilities in Software Development appeared first on TrueFort.

The post The Persistent Threat of Path Traversal Vulnerabilities in Software Development appeared first on Security Boulevard.

Top 7 VAPT Testing Tools

3 May 2024 at 05:26

VAPT testing tools are a vital part of any organization’s approach to proactively strengthening its cyber security posture. Pentest tools use a variety of methods to identify and report vulnerabilities across all of your systems and applications. With the help of pentest tools, which include penetration testing suites, automated vulnerability […]

The post Top 7 VAPT Testing Tools appeared first on Kratikal Blogs.

The post Top 7 VAPT Testing Tools appeared first on Security Boulevard.

The Persistent Threat of Path Traversal Vulnerabilities in Software Development – Source: securityboulevard.com

Source: securityboulevard.com – Author: Nik Hewitt. Path traversal vulnerabilities, or directory traversal, are now subject to a government advisory for obligatory consideration. We live in an environment where digital infrastructure is increasingly fundamental to business operations across all business sectors, and the security of software products is a paramount concern. The FBI and CISA (Cybersecurity […]

The entry The Persistent Threat of Path Traversal Vulnerabilities in Software Development – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

FIN7 Cybercrime Group Strikes US Auto Sector Using Carbanak – Source: securityboulevard.com

Source: securityboulevard.com – Author: Wajahat Raja. Recent reports have highlighted that the notorious FIN7 cybercrime group has targeted the U.S. automotive industry through a sophisticated spear-phishing campaign. Employing a familiar weapon, the Carbanak backdoor (also known as Anunak), they aimed to infiltrate systems and compromise sensitive data. This nefarious activity underscores the critical importance of […]

The entry FIN7 Cybercrime Group Strikes US Auto Sector Using Carbanak – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

FIN7 Cybercrime Group Strikes US Auto Sector Using Carbanak

3 May 2024 at 03:00

Recent reports have highlighted that the notorious FIN7 cybercrime group has targeted the U.S. automotive industry through a sophisticated spear-phishing campaign. Employing a familiar weapon, the Carbanak backdoor (also known as Anunak), they aimed to infiltrate systems and compromise sensitive data. This nefarious activity underscores the critical importance of robust cybersecurity measures in safeguarding against […]

The post FIN7 Cybercrime Group Strikes US Auto Sector Using Carbanak appeared first on TuxCare.

The post FIN7 Cybercrime Group Strikes US Auto Sector Using Carbanak appeared first on Security Boulevard.

Why CAPTCHAs Are Not the Future of Bot Detection

2 May 2024 at 16:11

“I’m not a robot” tests are definitely getting harder. But does that mean more complex CAPTCHAs are the right path forward to outsmart advancing AI and adversarial technologies?

The post Why CAPTCHAs Are Not the Future of Bot Detection appeared first on Security Boulevard.

7 tips for preventing pernicious password-based breaches – Source: www.cybertalk.org

Source: www.cybertalk.org – Author: slandau. EXECUTIVE SUMMARY: Remember the infamous 2021 SolarWinds supply chain attack? Cyber criminals were able to coordinate the attack because an intern rendered the password ‘solarwinds123’ publicly accessible via a GitHub repository in 2018. While this led to an extreme business compromise situation, SolarWinds is not the only organization that’s ever […]

The entry 7 tips for preventing pernicious password-based breaches – Source: www.cybertalk.org was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

The Cybersecurity Checklist That Could Save Your M&A Deal – Source: www.darkreading.com

Source: www.darkreading.com – Author: Craig Davies. COMMENTARY: Mergers and acquisitions (M&A) activity is making a much-anticipated comeback, soaring in the US by 130%, to the tune of $288 billion. Around the world, M&As are up 56%, to $453 billion, according to data from Dealogic. […]

The entry The Cybersecurity Checklist That Could Save Your M&A Deal – Source: www.darkreading.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Lawsuits After Ransomware on the Rise, Comparitech Says

1 May 2024 at 15:24

Ransomware attacks are an expensive proposition for any company. For example, a report this week by cybersecurity firm Sophos found that while the percentage of companies that were victims of ransomware this year has dropped slightly, the recovery costs, which do not include a ransom payment, have jumped to $2.73 million, a 50% increase.

The post Lawsuits After Ransomware on the Rise, Comparitech Says appeared first on Security Boulevard.

ADCS Attack Paths in BloodHound — Part 2

In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths including the ESC1 abuse technique.

In this blog post, we will continue to explore more of the new edges we have introduced with ADCS support in BloodHound. More specifically, we will cover how we have incorporated the Golden Certificate and the ESC3 abuse technique.

I have written this blog post on behalf of the BloodHound Enterprise team at SpecterOps, which has designed and implemented the BloodHound edges described in this blog post. Thanks to everyone on the team who helped out with this effort!

Hosts and Golden Certificate

The computer hosting a certificate authority (CA) service holds the private key of its CA certificate. The key must be there for the CA to sign and issue certificates, which makes CA hosts a very lucrative target. As Will Schroeder and Lee Chagolla-Christensen described under DPERSIST1 in the ADCS whitepaper Certified Pre-Owned, it is possible to craft “golden certificates” with the private key of the CA certificate, which then allows you to authenticate as anyone, just as with ESC1.

The AD enterprise CA object holds the DNS name of its CA host in its dNSHostName attribute. This enables us to look up the corresponding AD computer object. To represent the relationship between the AD computer object and the enterprise CA object in BloodHound, we create a non-traversable edge named HostsCAService, going from the Computer node to the EnterpriseCA node.

For an attacker to craft a golden certificate that works for domain authentication, the enterprise CA’s certificate must chain up to a trusted root CA for the domain, and the NTAuth store must include the enterprise CA certificate, just as with ESC1. If these conditions are met, we create a traversable GoldenCert edge from the CA Computer node to the domain:

The GoldenCert edge makes it easy to identify attack paths leading to a domain compromise through a CA host.

Many organizations do not protect enterprise CA hosts as well as they should. It is a common misunderstanding that only root CAs are Tier Zero, and not issuing CAs and intermediate CAs. Both issuing CAs and intermediate CAs are enterprise CAs, and will by default meet the requirements for the GoldenCert edge. We strongly recommend treating all CA hosts as Tier Zero.

There are exceptions to the rule that a compromised CA host means a compromised domain; for example, hardware protection of the key on the CA host may prevent you from obtaining the CA private key. However, it is most likely still possible to compromise the environment, as an enterprise CA host can publish certificate templates, approve certificate requests the CA has denied, and more.

We will dive further into the edges in the above screenshot in a future blog post about ESC5 and ESC7.

There are even scenarios where an attacker can abuse a compromised CA host that is not trusted for NT authentication. An attacker may compromise users configured with an explicit certificate mapping of the type X509IssuerSubject, X509IssuerSerialNumber, X509SKI, or X509SHA1PublicKey, as Hans-Joachim Knobloch called out and described in this blog post: Kleines Nilpferd trampelt über Microsofts PKI-Webdienste. The attacker can also compromise any group set up with Authentication Mechanism Assurance (AMA), as Carl Sörqvist explains in this blog post: Forest Compromise Through AMA Abuse.

ESC3

ESC3 is similar to ESC1 in the sense that you as an attacker enroll a certificate as a targeted principal of your choice, which you then use to perform domain authentication. In ESC3, we abuse the ADCS concept of enrollment agents. Let us dive into the requirements.

Enrollment Agent Templates

An enrollment agent can enroll certificates on behalf of other principals. The most frequent use case for the enrollment agent concept is an administrator who needs to issue smart cards to employees of the organization. The administrator will obtain an enrollment agent certificate and use that to enroll certificates on behalf of employees who need a smart card. This is a more secure solution than using an ESC1-type certificate template, as the enrollment agent setup enables you to restrict the targeted certificate templates and the targeted principals, as we will explore later in this blog post.

To become an enrollment agent, you need an enrollment agent certificate containing the extended key usage (EKU): Certificate Request Agent (1.3.6.1.4.1.311.20.2.1). Such a certificate allows you to enroll on behalf of other principals in all certificate templates of schema version 1. Additionally, targeted templates of schema version 1 also allow the enroll-on-behalf-of functionality if you present a certificate with the Any Purpose EKU or no EKUs (ESC2 certificate). As explained in the Part 1 blog post, you can view the effective EKUs of certificate templates on the CertTemplate node entity panel in BloodHound:

If the targeted certificate template is of schema version 2 or above, then the targeted template must contain the Certificate Request Agent EKU in its msPKI-RA-Application-Policies attribute to allow enroll-on-behalf-of functionality. You can check this requirement under Issuance Requirements in the Windows built-in Certificate Templates Console (certtmpl.msc):

Alternatively, you can check the Application Policies property in BloodHound:

Finally, the enrollment agent certificate needs to chain up to a trusted root CA for the environment of the targeted certificate template.

To make it easy to find enrollment agent certificate templates and find the certificate templates that will accept the enrollment agent certificate, we have implemented a new non-traversable edge named EnrollOnBehalfOf to represent exactly that relationship:

To summarize, we create an EnrollOnBehalfOf edge between an enrollment agent certificate template and a targeted template if the following requirements are met.

If the targeted template is of schema version 1:

  • The enrollment agent template has one of the EKUs:
    - Certificate Request Agent
    - Any Purpose
    - Null (no EKUs)

If the targeted template is of schema version 2 or above:

  • The enrollment agent template has the Certificate Request Agent EKU
  • The targeted template contains the Certificate Request Agent EKU in its msPKI-RA-Application-Policies attribute.

In both cases, the enrollment agent certificate must additionally chain up to a trusted root CA for the environment of the targeted certificate template.

Requirements for Enrollment and Domain Authentication

To use (or abuse) an enrollment agent certificate template, you need enrollment rights on the enrollment agent certificate template, the targeted template, and an enterprise CA with the templates published. Note that it does not have to be the same enterprise CA that has both templates published. Both the enterprise CA for the enrollment agent template and the enterprise CA for the targeted template must chain up to a trusted root CA for the domain, and the NTAuth store must include the enterprise CA certificate.

Two issuance requirements, manager approval and the number of authorized signatures required, can prevent enrollment in a certificate template. Both the enrollment agent certificate template and the targeted template must have manager approval disabled. The enrollment agent template must also require no authorized signatures; the targeted template, on the other hand, will have this set to one, since it requires the Certificate Request Agent EKU, unless it is of schema version 1, which does not support authorized signatures.

Finally, the targeted template must enable domain authentication for the attacker to log in as the targeted principal.

To summarize, we add the following requirements for the ADCSESC3 edge:

  • The principal has enrollment rights (potentially through group membership) on:
    - The enrollment agent template
    - The targeted template
    - One or more enterprise CAs where the templates are published
  • The certificate chain of the enterprise CA with the enrollment agent template published is trusted
  • The certificate chain of the enterprise CA with the targeted template published is trusted
  • The enterprise CA of the targeted template is trusted for NT authentication
  • The enrollment agent template has manager approval disabled
  • The targeted template has manager approval disabled
  • The enrollment agent template has no authorized signatures required
  • The targeted template enables domain authentication

The Part 1 blog post covers all of the above requirements in detail.

Subject Name and Subject Alternative Name Requirements

A principal must meet a certificate template’s Subject Name and Subject Alternative Name (SAN) requirements to enroll in it. The certificate template has these requirements defined on the Subject Name tab of the Certificate Templates Console:

I documented my research of these requirements in the Certificate Template Flags and Certificate Fields section of the ADCS ESC14 blog post. Here are the key takeaways in terms of flags that prevent principals from enrolling:

  • DNS required (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS or CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS): Only principals with their dNSHostName attribute set can enroll
    The AD user class does not include the dNSHostName attribute, so users cannot enroll in certificate templates requiring dNSHostName. Computers get their dNSHostName attribute set when you domain-join a computer, but the attribute is null if you simply create a computer object in AD. Computers have validated write to their dNSHostName attribute, meaning they can add a DNS name matching their computer name.
  • Email required (CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL or CT_FLAG_SUBJECT_REQUIRE_EMAIL): Only principals with their mail attribute set can enroll, unless the template is of schema version 1
    Users and computers do not have their mail attribute set by default, and they cannot write to the attribute themselves. It is common to see users with the mail attribute set, but rare for computers.

When performing the enroll-on-behalf-of enrollment in a given target certificate template, it is the target principal’s attribute that goes into the certificate. Therefore, it is the target principal that must meet the target template’s requirements for DNS and email, not the enrollment agent principal.

You can check what the certificate template requires for Subject Name and SAN in the CertTemplate entity panel:

In case you want to know what an entity panel field corresponds to in AD, or what the BloodHound database name is (for the Cypher ninjas), you can look up the node documentation at https://support.bloodhoundenterprise.io:

We want to avoid creating false positive BloodHound edges that make you feel like Bad Luck Brian here:

If a user meets all the requirements for an ESC3 abuse, but the enrollment agent certificate template requires DNS, then we can say with certainty that the user cannot execute the abuse. In other scenarios, it depends on your level of control over the principal as an attacker. For example, a template that requires the mail attribute set prevents the abuse for principals without mail, but an attacker with write access to the mail attribute of the principal can easily circumvent that.

To summarize, we add the following ADCSESC3 requirement:

  • If the attacker principal is a user:
    - The enrollment agent certificate template does not require DNS

Enrollment Agent Restrictions

You can configure very granular enrollment agent restrictions per enterprise CA. You can specify exactly which principals the CA should allow to enroll as enrollment agents, in which certificate templates, and on behalf of which targeted principals:

This is very powerful from a defensive perspective, but challenging to model in a graph, as each rule potentially involves more than two nodes. What we have done, though, is create a non-traversable edge named DelegatedEnrollmentAgent from the enrollment agent principals to the certificate templates specified in the restrictions, if it is an allow-rule.

The CA host stores the enrollment agent restrictions in the registry. You can see whether SharpHound collected the enrollment agent restrictions and whether the CA has any in the EnterpriseCA node entity panel:

We add a final requirement for the ADCSESC3 edge:

  • If the enterprise CA of the targeted certificate template has enrollment agent restrictions:
    - The principal has a DelegatedEnrollmentAgent edge to the targeted certificate template (potentially through group membership)
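Putting the rules together, as an added example that is not code from the original post or from BloodHound: a pure-Python model that evaluates the EnrollOnBehalfOf rules (schema version 1 versus 2 and above) and every ADCSESC3 requirement listed above, including transitive group membership, the DNS-required check for user principals, and enrollment agent restrictions, over a constructed environment. The class layout, the template, CA, group and principal names, and the sample data are illustrative assumptions; the Any Purpose and Smart Card Logon OIDs and the msPKI-Certificate-Name-Flag bit values are standard X.509 and MS-CRTD constants taken as assumptions rather than quoted from the post.

```python
from dataclasses import dataclass
from typing import Optional

# EKU OIDs: Certificate Request Agent is quoted in the post; the Any Purpose OID
# is the standard anyExtendedKeyUsage value (assumption, not from the post).
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
ANY_PURPOSE = "2.5.29.37.0"
# msPKI-Certificate-Name-Flag bits meaning "DNS required" (values assumed from MS-CRTD).
CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS = 0x00400000
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
DNS_REQUIRED = CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS | CT_FLAG_SUBJECT_ALT_REQUIRE_DNS


@dataclass(frozen=True)
class Template:
    name: str
    schema_version: int
    ekus: frozenset                      # effective EKUs; empty means "no EKUs"
    enrollers: frozenset                 # principals or groups holding Enroll
    ra_application_policies: frozenset = frozenset()  # msPKI-RA-Application-Policies
    name_flags: int = 0                  # msPKI-Certificate-Name-Flag
    manager_approval: bool = False
    authorized_signatures: int = 0
    domain_auth: bool = False            # template enables domain authentication


@dataclass(frozen=True)
class EnterpriseCA:
    name: str
    published: frozenset                 # names of templates published on this CA
    enrollers: frozenset                 # principals or groups with Enroll on the CA
    chain_trusted: bool                  # chains up to a trusted root CA for the domain
    in_ntauth: bool                      # CA certificate is in the NTAuth store
    # Enrollment agent restrictions from the CA host registry: None when none are
    # configured, otherwise the (agent principal, template) allow-rules.
    agent_restrictions: Optional[frozenset] = None


def expand(principal, member_of):
    """The principal plus every group it belongs to, transitively (MemberOf)."""
    seen, stack = {principal}, [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return frozenset(seen)


def enroll_on_behalf_of(agent, target):
    """EnrollOnBehalfOf edge: may a certificate from `agent` enroll others in `target`?"""
    if target.schema_version == 1:
        return CERT_REQUEST_AGENT in agent.ekus or ANY_PURPOSE in agent.ekus or not agent.ekus
    return CERT_REQUEST_AGENT in agent.ekus and CERT_REQUEST_AGENT in target.ra_application_policies


def adcs_esc3(principal, is_user, agent, target, cas, member_of):
    """ADCSESC3 edge: True only when every requirement listed in the post holds."""
    ids = expand(principal, member_of)
    if not enroll_on_behalf_of(agent, target):
        return False
    if not (ids & agent.enrollers) or not (ids & target.enrollers):
        return False
    if agent.manager_approval or target.manager_approval or agent.authorized_signatures:
        return False
    if not target.domain_auth:
        return False
    if is_user and agent.name_flags & DNS_REQUIRED:
        return False  # users have no dNSHostName, so the agent template is unenrollable
    agent_cas = [ca for ca in cas
                 if agent.name in ca.published and ids & ca.enrollers and ca.chain_trusted]
    target_cas = [ca for ca in cas
                  if target.name in ca.published and ids & ca.enrollers
                  and ca.chain_trusted and ca.in_ntauth]
    if not agent_cas:
        return False
    # With restrictions configured, the principal (or one of its groups) needs a
    # DelegatedEnrollmentAgent allow-rule for the targeted template on that CA.
    return any(ca.agent_restrictions is None
               or any((p, target.name) in ca.agent_restrictions for p in ids)
               for ca in target_cas)


# Constructed sample environment (names are invented for the example).
AGENT = Template("EnrollmentAgent", 2, frozenset({CERT_REQUEST_AGENT}), frozenset({"Domain Users"}))
AGENT_DNS = Template("MachineAgent", 2, frozenset({CERT_REQUEST_AGENT}), frozenset({"Domain Users"}),
                     name_flags=CT_FLAG_SUBJECT_ALT_REQUIRE_DNS)
TARGET = Template("SmartcardLogon", 2, frozenset({"1.3.6.1.4.1.311.20.2.2"}),
                  frozenset({"Domain Users"}), ra_application_policies=frozenset({CERT_REQUEST_AGENT}),
                  authorized_signatures=1, domain_auth=True)
CA_OPEN = EnterpriseCA("CORP-CA", frozenset({"EnrollmentAgent", "MachineAgent", "SmartcardLogon"}),
                       frozenset({"Domain Users"}), True, True)
CA_RESTRICTED = EnterpriseCA("CORP-CA2", frozenset({"EnrollmentAgent", "SmartcardLogon"}),
                             frozenset({"Domain Users"}), True, True,
                             agent_restrictions=frozenset({("Smartcard Admins", "SmartcardLogon")}))
MEMBER_OF = {"alice": {"Domain Users"}, "bob": {"Domain Users", "Smartcard Admins"}}

if __name__ == "__main__":
    print(adcs_esc3("alice", True, AGENT, TARGET, [CA_OPEN], MEMBER_OF))        # True
    print(adcs_esc3("alice", True, AGENT_DNS, TARGET, [CA_OPEN], MEMBER_OF))    # False: DNS required
    print(adcs_esc3("alice", True, AGENT, TARGET, [CA_RESTRICTED], MEMBER_OF))  # False: no allow-rule
    print(adcs_esc3("bob", True, AGENT, TARGET, [CA_RESTRICTED], MEMBER_OF))    # True: allow-rule via group
```

Running it prints True for alice on the unrestricted CA, False when her agent template requires DNS, False on the restricted CA where only Smartcard Admins hold an allow-rule, and True for bob, who reaches the allow-rule through group membership. The model only encodes the edge rules; it does not talk to AD, so the inputs (template attributes, CA registry restrictions, enrollment ACLs) still have to come from a SharpHound collection, and, as the post notes for DelegatedEnrollmentAgent, a deny rule or a narrower target-principal scope on the CA can still block the abuse.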

The ADCSESC3 Edge

For principals that meet all the requirements above and have the permissions required to perform an ESC3 abuse, BloodHound creates a traversable ADCSESC3 edge to the forest root domain, similar to the ADCSESC1 edge. So instead of checking all the requirements manually, you can easily identify attack paths that include the ESC3 abuse:

As with all other edges, you can click on it to view the related entity panel and learn more about the edge, including how to abuse it:

Clicking on “Composition” in the edge entity panel reveals the composition graph with the nodes and edges the ADCSESC3 edge is based on:

The graph shows you how the principal meets the requirements for the ESC3 abuse. The graph in the above screenshot is a simple example that only contains a single EnterpriseCA node and two CertTemplates. You may encounter graphs with many more nodes if the principal meets the requirement through several certificate templates and enterprise CAs.

The graph may also include a DelegatedEnrollmentAgent edge:

If you see one of these DelegatedEnrollmentAgent edges in the composition graph, check the scope of targeted principals in the enrollment agent restrictions and confirm that there is no deny rule overruling the permission.

No ESC2 in BloodHound?

ESC2 is where you enroll a certificate with the Any Purpose EKU or no EKUs (a.k.a. a sub-CA certificate). The Any Purpose EKU means you can use the certificate for any purpose, but it does not enable impersonation on its own. A sub-CA certificate enables you to create certificates of any kind, including certificates as other principals. However, you cannot perform domain authentication using these certificates, as the NTAuth store does not include the sub-CA certificate automatically. That leaves us with no end node we can draw a potential ADCSESC2 edge to.

ESC2 certificates are still powerful, though, and may enable an attacker to perform an attack outside of the scope of BloodHound. You can use this pre-built Cypher query to find principals with enrollment rights on ESC2 certificate templates:

We have also added a handful of other ADCS queries that you might find useful. Check them out, and feel free to submit a pull request if you feel like something is missing.

What is Next

We have now covered ESC1, Golden Certificate, and ESC3 with this blog post series. Stay tuned for future posts, as we will dive further into more advanced ADCS escalations and how you can identify them using BloodHound.

We are very eager to get your feedback. Please join us in the BloodHound Slack or report any issues on the BloodHound GitHub repo.


ADCS Attack Paths in BloodHound — Part 2 was originally published in Posts By SpecterOps Team Members on Medium.

The post ADCS Attack Paths in BloodHound — Part 2 appeared first on Security Boulevard.

Zero-Day Nightmare: Palo Alto, Cisco, and MITRE Under Attack

1 May 2024 at 10:10

Zero-day threats continue to wreak havoc on organizations worldwide, with recent attacks targeting corporate and government networks. In the last few weeks, government-sponsored threat actors have targeted Palo Alto Networks and Cisco ASA (Adaptive Security Appliance).

The post Zero-Day Nightmare: Palo Alto, Cisco, and MITRE Under Attack appeared first on Security Boulevard.

Data Breaches in April 2024 – Infographic

1 May 2024 at 06:10

Data breaches are like uninvited guests at a party – they show up unexpectedly, take what they want, and leave a big mess behind. This April, the party crashers were particularly busy, leaving a trail of exposed information in their […]

The post Data Breaches in April 2024 – Infographic appeared first on WeSecureApp :: Simplifying Enterprise Security.

The post Data Breaches in April 2024 – Infographic appeared first on Security Boulevard.

Brits Ban Default Passwords β€” and More IoT Stupidity

30 April 2024 at 14:12
β€˜Union Jack’ bunting in Balham after the Queen’s Platinum Jubilee celebrations, June 2022

Nice Cup of IoTea? The UK’s Product Security and Telecommunications Infrastructure Act aims to improve the security of net-connected consumer gear.

The post Brits Ban Default Passwords β€” and More IoT Stupidity appeared first on Security Boulevard.

LockBit, RAGroup Drive Ransomware Attacks in March – Source: securityboulevard.com


Source: securityboulevard.com – Author: Nathan Eddy Global ransomware attacks rose slightly in March compared to the previous month, as ransomware cabal RAGroup ramped up activity by more than 300%. However, overall activity declined 8% year-over-year, according to NCC Group’s latest ransomware report. The cyber gang LockBit 3.0 kept its pole position as the most active […]

The entry LockBit, RAGroup Drive Ransomware Attacks in March – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Preparing for Holiday Cyberattacks – Source: securityboulevard.com


Source: securityboulevard.com – Author: Nik Hewitt How can security teams be ready for holiday cyberattacks and a seasonal peak in cybercrime? Holiday cyberattacks are on the rise. The vacation season, be it Christmas, Hanukkah, Easter, St. Patrick’s Day, the summer break, or Diwali, is ideally synonymous with rest and relaxation. The odd barbecue, visiting relatives, […]

The entry Preparing for Holiday Cyberattacks – Source: securityboulevard.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

LockBit, RAGroup Drive Ransomware Attacks in March

30 April 2024 at 08:00

Global ransomware attacks rose slightly in March compared to the previous month, as ransomware cabal RAGroup ramped up activity by more than 300%. However, overall activity declined 8% year-over-year, according to NCC Group’s latest ransomware report. The cyber gang LockBit 3.0 kept its pole position as the most active cybercriminal force for eight months in..

The post LockBit, RAGroup Drive Ransomware Attacks in March appeared first on Security Boulevard.

Managing Generative AI Risk and Meeting M-24-10 Mandates on Monitoring & Evaluation

29 April 2024 at 10:50

OMB’s memo M-24-10 (5c. Minimum Practices for Safety-Impacting and Rights-Impacting Artificial Intelligence) is prescriptive (and timebound): No later than December 1, 2024 and on an ongoing basis while using new or existing covered safety-impacting or rights-impacting AI, agencies must ensure these practices are followed for the AI: D. Conduct ongoing monitoring. In addition to pre-deployment […]

The post Managing Generative AI Risk and Meeting M-24-10 Mandates on Monitoring & Evaluation appeared first on Security Boulevard.

Jailbreaking Artificial Intelligence LLMs

29 April 2024 at 05:39

In the realm of artificial intelligence, particularly in large language models (LLM) like GPT-3, the technique known as β€œjailbreaking” has begun to gain attention. Traditionally associated with modifying electronic devices to remove manufacturer-imposed restrictions, this term has been adapted to describe methods that seek to evade or modify the ethical and operational restrictions programmed into …


The entry Jailbreaking Artificial Intelligence LLMs was first published on MICROHACKERS.

The post Jailbreaking Artificial Intelligence LLMs appeared first on Security Boulevard.

Privacy Challenges in Relationships, Phishing Down but Vulnerabilities Up?

By: Tom Eston
29 April 2024 at 00:00

In episode 327 Tom, Scott, and Kevin discuss the findings from Mandiant’s M-Trends 2024 report, highlighting a significant rise in traditional vulnerability exploitation by attackers while observing a decline in phishing. Despite phishing’s decreased prevalence, it remains the second most popular method for gaining initial network access. Discussions include the impact of high-profile vulnerabilities and […]

The post Privacy Challenges in Relationships, Phishing Down but Vulnerabilities Up? appeared first on Shared Security Podcast.

The post Privacy Challenges in Relationships, Phishing Down but Vulnerabilities Up? appeared first on Security Boulevard.


Russian State Hackers Biggest Cyber Threat to US, UK and EU Elections

26 April 2024 at 08:57


With more than 2 billion voters ready to cast a vote this year across 60-plus nations, including the U.S., U.K. and India, Russian state hackers are posing the biggest cyber threat to election security, researchers said. Google-owned Mandiant, in a detailed report, stated with β€œhigh confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest.

β€œMultiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” Mandiant said.

Why Russia is the Biggest Cyber Threat to Election Security

Russia's approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. State-sponsored cyber threat actors such as APT44, better known as the cyber sabotage unit Sandworm, and APT28 have a history of targeting elections in the U.S. and Europe. These actors employ hybrid operations, combining cyber espionage with hack-and-leak tactics to achieve their objectives.

The 2016 U.S. presidential election is a prime example of Russia's cyber interference capabilities, as per Mandiant. APT28, linked to Russia's intelligence unit, the GRU, compromised Democratic Party organizations and orchestrated a leak campaign to influence the election's outcome. Similarly, in Ukraine, APT44 conducted disruptive cyber operations during the 2014 presidential election, aiming to undermine trust in the electoral process.

Jamie Collier, Mandiant senior threat intelligence advisor, said, β€œOne group to watch out for is UNC5101 that has conducted notable hybrid operations in the past.” Mandiant reports UNC5101 engaging in cyber espionage against political targets across Europe, the Palestinian Territories, and the U.S. The actor has also used spoofed Ukrainian government domains to spread false narratives directly to government employees' inboxes. Before Russia's 2023 and 2024 elections, UNC5101 registered domains related to opposition figures like Alexei Navalny and conducted likely information operations to deceive voters.

Russian state-aligned cyber threat actors target election-related infrastructure for various reasons, including applying pressure on foreign governments, amplifying issues aligned with Russia's national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

Beijing’s Interest in Information Operations

Collier noted that state threats to elections are far more than just a Russia problem.
β€œFor instance, we have seen pro-China information operations campaigns carry out election-related activity in the US, Taiwan, and Hong Kong,” Collier said.
China's approach to election cybersecurity focuses on intelligence collection and influence operations that promote narratives favorable to the Chinese Communist Party (CCP). State-sponsored actors like TEMP.Hex have targeted elections in Taiwan, using cyberespionage to gather critical information and using information operations to shape public discourse, Mandiant’s analysis found. In the lead-up to Taiwan's 2024 presidential election, Chinese threat actors intensified cyber espionage activities, targeting government, technology, and media organizations. Concurrently, pro-PRC information operations sought to discredit candidates perceived as unfriendly to China, using fabricated leaks and disinformation campaigns to sway public opinion, which even the Taiwanese government confirmed.

Watch Out for Iran’s Espionage and Influence Campaigns

Iranian state hackers are another group of threat actors to keep an eye on for their cyber espionage and influence campaigns, Mandiant noted.
β€œ[Iran’s] campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza,” Mandiant said.
During the 2020 U.S. presidential election, Iran attempted to compromise state voter registration websites and disseminate false information. The U.S. Department of Justice charged two Iranian nationals in 2021 for their involvement in this campaign. Pro-Iranian influence campaigns, including Liberty Front Press and Roaming Mayfly, target global audiences with anti-U.S. and anti-Israeli propaganda, amplifying partisan divisions and fostering distrust in democracies, Mandiant said.

Diverse Targets, Multiple Vectors

Securing elections requires protecting not only voting machines and voter registries but also a wide range of entities involved in the electoral process. Political parties, news media, and social media platforms are frequent targets of cyber operations and are therefore part of the attack surface of elections.

[Figure: biggest cyber threat to election security. Credit: Mandiant]

Cyber threat actors are increasingly employing hybrid operations, combining multiple tactics to amplify their impact. Examples from past elections, such as the Ukrainian presidential election in 2014, illustrate how they use a combination of cyber intrusions, data leaks, and DDoS attacks to disrupt electoral processes. Accordingly, Mandiant detailed the threat vectors likely to be used in the upcoming election season:

[Figure: biggest cyber threat to election security. Credit: Mandiant]

The threats posed by Russian, Chinese, and Iranian state actors to election cybersecurity are complex and multifaceted. By understanding the tactics and objectives of these actors, election organizations can develop effective mitigation strategies to safeguard democratic processes. However, addressing these threats requires a concerted effort involving international cooperation and a commitment to upholding the integrity of democratic elections worldwide. In line with this, U.S. agencies recently released guidance on defending the integrity of democratic processes. The guidance extensively details common tactics seen in foreign malign influence operations, offering real-world instances and suggesting possible countermeasures for stakeholders in election infrastructure.

Though many of these tactics aren't new, the widespread use of generative artificial intelligence (AI) has notably amplified adversaries' ability to produce and spread persuasive malicious content, the guidance said.

Understanding Cybersecurity Vulnerabilities

26 April 2024 at 13:13

What is a cybersecurity vulnerability, how do they happen, and what can organizations do to avoid falling victim? Among the many cybersecurity pitfalls, snares, snags, and hazards, cybersecurity vulnerabilities and the likes of zero-day attacks are perhaps the most insidious. Our lives are unavoidably woven into the fabric of digital networks, and cybersecurity has become...

The post Understanding Cybersecurity Vulnerabilities appeared first on TrueFort.

The post Understanding Cybersecurity Vulnerabilities appeared first on Security Boulevard.

SPF Softfail Vs Hardfail: What’s the Difference?

26 April 2024 at 04:16

Reading Time: 5 min SPF can be configured to trigger a Hardfail or Softfail error when sender authentication fails. Learn SPF Softfail vs Hardfail difference and best practices.

The post SPF Softfail Vs Hardfail: What’s the Difference? appeared first on Security Boulevard.

Understanding the Change Healthcare Breach and Its Impact on Security Compliance

25 April 2024 at 17:24

Healthcare ransomware incidents are far too common, but none have wreaked as much havoc as the recent Change Healthcare attack. Rick Pollack, President and CEO of the American Hospital Association stated that β€œthe Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” And congress...

The post Understanding the Change Healthcare Breach and Its Impact on Security Compliance appeared first on Hyperproof.

The post Understanding the Change Healthcare Breach and Its Impact on Security Compliance appeared first on Security Boulevard.

CoralRaider Group Delivers Three Infostealers via CDN Cache

24 April 2024 at 14:35

A threat group that’s been around since last year and was first identified earlier this month is using three high-profile information stealers in a wide-ranging campaign to harvest credentials, financial information, and cryptocurrency wallets from targets around the world who were downloading the malware that masqueraded as movie files. Researchers with Cisco’s Talos threat intelligence..

The post CoralRaider Group Delivers Three Infostealers via CDN Cache appeared first on Security Boulevard.
