The FBI received information of an additional IP address, 18.104.22.168, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 22.214.171.124 used in the aforementioned compromise.
The following information was released by the MS-ISAC on 1 August 2016, which was derived through the course of the investigation.
In late June 2016, an unknown actor scanned a state’s Board of Election website for vulnerabilities using Acunetix, and after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. There were 7 suspicious IPs and penetration testing tools Acunetix, SQLMap, and DirBuster used by the actor, detailed in the indicators section below.
Indicators associated with the Board of Elections intrusion:
- The use of Acunetix tool was confirmed when “GET /acunetix-wvs-test-for-some-inexistent-file – 443” and several requests with “wvstest=” appeared in the logs;
- The user agent for Acunetix was identified in the logs –”Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21++(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21″;
- The use of SQLMap was confirmed after “GET /status.aspx DLIDNumber=1′;DROP TABLE sqlmapoutput” appeared in the logs;
- The user agent for SQLMap is “Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.7;+en-US;+rv:126.96.36.199)+ Gecko/20100316+Firefox/3.6.2 200 0 0 421” (These are easily spoofed and not inclusive of all SQLMap activity);
- The user agent for the DirBuster program is “DirBuster-1.0- RC1+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project> )”;
- 188.8.131.52 (new, per FBI)
The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected. Attempts should not be made to touch or ping the IP addresses directly.