#NSBCS.046 - Phishing for Votes: Why Election Security is Everyone’s Business
With the U.S. heading into another presidential election, their struggles with election security are worth paying attention to, even from here in Australia. Reports of Iranian spearphishing attacks targeting political groups in the U.S. highlight how foreign actors are working to compromise accounts and stir up trouble in the lead-up to the election. While this might seem like an American problem, it’s a reminder for all democracies - including ours - about the importance of safeguarding elections from cyber threats.
These phishing attacks are getting more sophisticated, using fake emails and social engineering to trick even well-informed people like politicians and journalists. Some tactics even use AI to make these scams harder to spot. The takeaway for Australians? If it can happen in the U.S., it can happen here. We need to stay sharp about cybersecurity and not assume we're immune just because we’re down under.
Here are some detailed tips to protect yourself against spearphishing attacks:
Use phishing-resistant multi-factor authentication (MFA): Traditional SMS codes are increasingly vulnerable to phishing. Instead, opt for stronger MFA methods, such as hardware security keys or authentication apps. These provide an extra layer of security by requiring something physical or unique to you beyond a password.
Be cautious with unexpected emails or messages: Always verify unexpected communication, even if it appears to be from a known contact. Scammers often impersonate people you trust. Don’t click on links or download attachments unless you’ve confirmed with the sender directly through a separate channel.
Watch out for unusual requests for information: Spearphishing attackers often pose as journalists, event coordinators, or colleagues, asking for sensitive data or scheduling interviews. Before sharing any details, verify the legitimacy of the request by contacting the person or organisation directly through another medium.
Regularly update your passwords and software: Weak or reused passwords are an open invitation to hackers. Use a password manager to create and store unique passwords for each account, and regularly update your software to patch vulnerabilities that hackers might exploit.
Check the email sender’s address carefully: Even a familiar-looking email might be fraudulent. Look for slight alterations in the sender’s address or domain name, such as extra characters or misspellings, which can be signs of spoofing.
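The last tip above, checking the sender's address for slight alterations, is easy to say and tedious to do by hand across a busy inbox. The script below is an added example (not code from this post or from NSB Cyber) that turns it into a check a mail administrator could run over a mailbox export or gateway log. The trusted domains and the sample sender addresses are constructed; the homoglyph table is a small illustrative one, and the NFKC step catches compatibility forms only, not Cyrillic or Greek look-alikes.

```python
"""Flag From: addresses whose domain is a near-match for a trusted one.

Added example, not code from the NSB Cyber post. Trusted domains and
sample senders are constructed for illustration.
"""
import re
import unicodedata

# Constructed list of domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"example.gov.au", "example.org.au"}

# Digits and symbols that read as letters at a glance (illustrative subset).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"}


def normalise_domain(domain: str) -> str:
    """Fold a domain so visually similar spellings compare equal.

    NFKC handles full-width and other compatibility forms; it does not map
    Cyrillic or Greek confusables onto Latin, which needs a dedicated table.
    """
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    d = "".join(HOMOGLYPHS.get(c, c) for c in d)
    # Two-letter sequences that look like one letter in most fonts.
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header value.

    Uses the address inside <...> when present and splits on the *last* '@',
    so "alice@example.gov.au@evil.test" is attributed to evil.test.
    """
    m = re.search(r"<([^>]+)>", header_value)
    addr = m.group(1) if m else header_value
    return addr.strip().rsplit("@", 1)[-1].lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted-or-seen domain) for one From: header."""
    domain = sender_domain(header_value)
    for t in sorted(trusted):
        if domain == t:
            return "trusted", t
        if domain.endswith("." + t):
            return "trusted-subdomain", t      # DNS under the trusted zone
    norm = normalise_domain(domain)
    for t in sorted(trusted):
        tn = normalise_domain(t)
        if norm == tn:
            return "lookalike-homoglyph", t    # exarnple / examp1e
        if norm.startswith(tn + "."):
            return "lookalike-prefix", t       # trusted name as a subdomain elsewhere
        if edit_distance(norm, tn) <= 2:
            return "lookalike-typo", t         # exampel, exmaple
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ["Alice <alice@example.gov.au>", "alice@exarnple.gov.au",
                "alice@example.gov.au.login-portal.test", "alice@exampel.gov.au",
                "alice@example.gov.au@evil.test", "bob@unrelated.com"]:
        print(f"{hdr:45} -> {classify_sender(hdr)}")
```

An "unknown" verdict is not a verdict of safety; it only means the domain is not pretending to be one you already trust. The distance threshold of 2 is deliberately tight, since looser values start flagging unrelated short domains.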
As we watch the U.S. election unfold, it's a reminder that the strength of any democracy depends not just on its laws and institutions, but on the vigilance of its people. By learning from their challenges and taking proactive steps to defend against cyber threats, we can help ensure that our own democratic systems remain secure, fair, and resilient. After all, the protection of democracy is a shared responsibility - whether you’re voting in Canberra or Washington.
What we read this week
New Mamba 2FA Bypass Service Targets Microsoft 365 Accounts - The recently discovered Mamba 2FA bypass service targets Microsoft 365 accounts and offers cybercriminals the ability to bypass multi-factor authentication (MFA). It exploits the adversary-in-the-middle (AitM) technique, intercepting the victim's login process and stealing their session cookies. This allows attackers to gain unauthorised access to accounts even if MFA is enabled, posing a significant security risk. The service, priced at $250 per month, provides an easy-to-use platform for threat actors to launch these attacks with minimal technical expertise. Security experts recommend using hardware-based authentication methods and other security layers to mitigate the risks posed by such services.
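Both the MFA tip above and the Mamba 2FA item turn on the same point: a code or push prompt can be relayed through an adversary-in-the-middle proxy, while a hardware key cannot. The script below is an added example, not code from this post, from NSB Cyber or from any authentication vendor. It is a simplified model of the checks a FIDO2/WebAuthn relying party performs, placed next to an RFC 4226 HOTP code for contrast. HMAC stands in for the real public-key signature so it runs on the standard library alone; the origins and keys are constructed.

```python
"""Why a hardware key survives an AitM proxy and a one-time code does not.

Added example, not code from the post. HMAC models the authenticator's
signature; origins and keys are constructed.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.gov.au"                   # constructed real site
PROXY_ORIGIN = "https://login.example-gov.au.attacker.test"  # constructed look-alike


def authenticator_assertion(key: bytes, origin: str, challenge: str):
    """Model of a security key answering a login challenge.

    The browser, not the web page, fills in `origin`, so it names the site
    the user is really on. The signature covers the whole client data.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, signature


def relying_party_verify(key: bytes, expected_challenge: str,
                         client_data: bytes, signature: bytes):
    """The service's checks: origin, challenge freshness, then the signature."""
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    return True, "ok"


def direct_login(key: bytes):
    """User on the real site: the assertion verifies."""
    challenge = secrets.token_hex(16)
    cd, sig = authenticator_assertion(key, RP_ORIGIN, challenge)
    return relying_party_verify(key, challenge, cd, sig)


def proxied_login(key: bytes):
    """User on the proxy site. Returns two verdicts.

    First the assertion exactly as relayed (wrong origin), then a copy in
    which the origin field has been rewritten to the real one: the signature
    covers that field, so the rewrite fails as well.
    """
    challenge = secrets.token_hex(16)      # genuine challenge, passed through the proxy
    cd, sig = authenticator_assertion(key, PROXY_ORIGIN, challenge)
    as_relayed = relying_party_verify(key, challenge, cd, sig)
    rewritten = cd.replace(PROXY_ORIGIN.encode(), RP_ORIGIN.encode())
    as_rewritten = relying_party_verify(key, challenge, rewritten, sig)
    return as_relayed, as_rewritten


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, the building block of app-based one-time codes."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def relayed_otp_login(secret: bytes, counter: int) -> bool:
    """Contrast: a six-digit code carries no origin, so the one typed on the
    proxy verifies unchanged on the real site."""
    typed_on_proxy = hotp(secret, counter)
    return hotp(secret, counter) == typed_on_proxy


if __name__ == "__main__":
    k = b"constructed-credential-key"
    print("direct  :", direct_login(k))
    print("proxied :", proxied_login(k))
    print("otp relay:", relayed_otp_login(b"12345678901234567890", 0))
```

The real protocol also binds the credential to an RP ID hash and a signature counter, and the browser refuses to use a credential for a different RP ID in the first place; the origin check shown here is the part that makes the session-cookie-stealing proxy in the Mamba item fall over.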
Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited - Ivanti has issued a warning that three newly identified security vulnerabilities (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381) affecting its Cloud Service Appliance (CSA) are currently being actively exploited. These zero-day vulnerabilities are being used alongside another flaw in CSA that was patched by the company last month. If exploited successfully, these vulnerabilities could enable an attacker with administrative privileges to bypass security restrictions, execute arbitrary SQL commands, or achieve remote code execution. In addition to upgrading to the latest version (5.0.2), Ivanti advises users to inspect their appliance for any changes or additions to administrative accounts as a way to identify potential compromises. The company also suggests checking for alerts from endpoint detection and response (EDR) tools installed on the device for further signs of malicious activity.
Fake Trading Apps Target Victims Globally via Apple App Store and Google Play - Group-IB has uncovered a large-scale fraud operation that used fake trading apps available on the Apple App Store and Google Play Store, along with phishing websites, to scam victims. This operation is part of a broader consumer investment fraud tactic known as pig butchering, where victims are enticed into investing in cryptocurrency or other financial products after being deceived through a fake romantic relationship or a supposed investment advisor. These manipulative social engineering tactics often result in victims losing their money, and in some instances, the scammers extract even more funds by demanding additional fees and payments.
Stealthy ‘Perfctl’ Malware Infects Thousands of Linux Servers - Aqua Security researchers have identified a new malware family targeting Linux systems, named Perfctl, which aims to gain persistent access and hijack resources for cryptocurrency mining. Active for over three years, Perfctl exploits more than 20,000 known vulnerabilities and misconfigurations. The malware is designed for stealth and persistence, using a rootkit to conceal itself, running as a background service only when the system is idle, and employing a Unix socket and Tor for communication. It also establishes a backdoor, attempts to escalate privileges, and can deploy additional tools for system reconnaissance, proxy-jacking, and cryptocurrency mining. The attack process begins by exploiting a vulnerability or misconfiguration, downloading the payload from a remote HTTP server, copying itself to the temporary directory, terminating the original process, deleting the initial binary, and then running from the new location.
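Two of the traces described above are visible from userland on any Linux host: a process running from the temporary directory, and a process whose original binary has been deleted (the kernel appends " (deleted)" to the /proc/<pid>/exe link target in that case). The script below is an added example, not code from this post or from Aqua Security, that checks for both. `build_sample_proc` creates a constructed /proc look-alike so the check can be exercised anywhere; the paths in it are made up.

```python
"""Find processes whose binary is gone from disk or lives in a temp directory.

Added example, not code from the post or from Aqua Security. The sample
/proc tree and its paths are constructed.
"""
import os
import tempfile

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED_SUFFIX = " (deleted)"


def inspect_proc(proc_root: str = "/proc"):
    """Return sorted [(pid, exe_target, [reasons])] for processes worth a look."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                              # self, sys, cpuinfo, ...
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue                              # kernel thread, or not our process
        reasons = []
        path = target
        if target.endswith(DELETED_SUFFIX):
            path = target[: -len(DELETED_SUFFIX)]
            reasons.append("binary deleted from disk while still running")
        if path.startswith(TEMP_DIRS):
            reasons.append("executable lives in a world-writable temp directory")
        if reasons:
            findings.append((int(entry), target, reasons))
    return sorted(findings)


def build_sample_proc() -> str:
    """Constructed /proc look-alike: one benign and two suspicious entries."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    entries = {
        "1": "/usr/lib/systemd/systemd",           # benign
        "4242": "/tmp/.xdiag/perfctl (deleted)",   # copied to /tmp, original removed
        "9001": "/var/tmp/.cache/worker",          # runs from a temp directory
        "self": "/usr/bin/python3",                # non-numeric entry, skipped
    }
    for name, exe in entries.items():
        os.makedirs(os.path.join(root, name))
        os.symlink(exe, os.path.join(root, name, "exe"))
    os.makedirs(os.path.join(root, "77"))          # no exe link at all: skipped
    return root


def demo():
    """Run the check over the constructed tree."""
    return inspect_proc(build_sample_proc())


if __name__ == "__main__":
    for pid, exe, reasons in demo():
        print(pid, exe, "; ".join(reasons))
```

Run as root against the real /proc to see every process. Expect some benign "(deleted)" hits on a host where a package upgrade replaced the binary of a still-running daemon; the combination of a deleted binary and a temp-directory path, or a process that only appears when the machine is idle, is the pattern worth chasing.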
Healthcare's Grim Cyber Prognosis Requires Security Booster - A report from cybersecurity firm Sophos reveals that two-thirds of healthcare organisations experienced ransomware attacks in the past year, a rise from 60% the previous year, amidst broader challenges like private equity collapses, medicine shortages, and service cuts. The healthcare sector continues to remain a prime target for ransomware groups due to three factors: the critical nature of its services, outdated technology with numerous vulnerabilities, and the industry's willingness to pay ransoms. The cybersecurity issues affecting healthcare extend beyond business operations, directly impacting patients and national healthcare initiatives. For instance, attackers used stolen credentials to breach Change Healthcare, a subsidiary of UnitedHealth in the United States, deploying ransomware in February 2024. This incident delayed payments to doctors, pharmacies, and hospitals and ultimately resulted in a $22 million ransom payment.
References
https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/
https://thehackernews.com/2024/10/zero-day-alert-three-critical-ivanti.html
https://thehackernews.com/2024/10/fake-trading-apps-target-victims.html
https://www.securityweek.com/stealthy-perfctl-malware-infects-thousands-of-linux-servers/
https://www.darkreading.com/threat-intelligence/healthcare-cyber-prognosis-security-booster