The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory on an Iranian advanced persistent threat (APT) actor targeting U.S. state websites, including elections websites, to obtain voter registration data. Joint Cybersecurity Advisory AA20-304A: Iranian APT Actor Identified Obtaining Voter Registration Data provides indicators of compromise and recommended mitigations for affected entities.
Analysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner. Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020. This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites. CISA and the FBI can confirm that the actor successfully obtained voter registration data for at least one state.
CISA and the FBI advise organizations that do not regularly use Acunetix to monitor their logs for any related activity that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior.