{"id":5674,"date":"2020-11-03T10:24:06","date_gmt":"2020-11-03T18:24:06","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5674"},"modified":"2024-04-26T13:21:08","modified_gmt":"2024-04-26T20:21:08","slug":"iranian-apt-exploits-election-websites","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/iranian-apt-exploits-election-websites\/","title":{"rendered":"Iranian APT Exploits Election Websites"},"content":{"rendered":"<p>Author: Christopher Kim<\/p>\n<p>TLP:WHITE<\/p>\n<p>&nbsp;<\/p>\n<h3>1. Executive Summary<\/h3>\n<p>On 30 October, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on Iranian advanced persistent threat actors (APTs) responsible for targeting U.S. state election websites and spreading disinformation about the 2020 U.S. presidential election via email.<sup>1<\/sup><\/p>\n<p>From 20 to 28 September, the APT used a tool named Acunetix to scan state election websites for known web vulnerabilities. The actors used these vulnerabilities to exploit websites and steal voter registration data between 29 September and 17 October. CISA and the FBI confirm that the actors successfully obtained voter registration data in at least one state.<\/p>\n<h3>2. Analysis<\/h3>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.1.\u00a0 Reconnaissance<\/h4>\n<p>According to the advisory, the Iranian APT searched state voter websites for publicly available PDF documents by querying URLs with the words: <em>vote<\/em>, <em>voter<\/em>, or <em>registration<\/em>. 
The FBI also found information indicating that the actors researched the following topics to extend their capabilities for vulnerability identification and exploitation:<\/p>\n<ul>\n<li>YOURLS exploit<\/li>\n<li>Bypassing ModSecurity Web Application Firewall<\/li>\n<li>Detecting Web Application Firewalls<\/li>\n<li>SQLmap tool<\/li>\n<\/ul>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.2.\u00a0 Web Vulnerability Scanning<\/h4>\n<p>Between 20 and 28 September, the APT actors attempted SQL injections across multiple state election websites by using the web vulnerability scanner Acunetix. This is a legitimate scanner often used by security engineers for security and compliance auditing. The actors used this tool to insert data into various fields in the <em>\/registration\/registration\/details<\/em> resource path on the web server. CISA analysts discovered 3 different web browser user agents associated with the scanning and observed the following requests:<\/p>\n<table width=\"630\">\n<tbody>\n<tr>\n<td width=\"630\"><em>2020-09-26 13:12:56 x.x.x.x GET \/x\/x v[$acunetix]=1 443 &#8211; x.x.x.x Mozilla\/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit\/537.21+(KHTML,+like+Gecko)+Chrome\/41.0.2228.0+Safari\/537.21 &#8211; 200 0 0 0<\/em><\/p>\n<p><em>2020-09-26 13:13:19 X.X.x.x GET \/x\/x voterid[$acunetix]=1 443 &#8211; x.x.x.x Mozilla\/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit\/537.21+(KHTML,+like+Gecko)+Chrome\/41.0.2228.0+Safari\/537.21 &#8211; 200 0 0 1375<\/em><\/p>\n<p><em>2020-09-26 13:13:18 .X.x.x GET \/x\/x voterid=;print(md5(acunetix_wvs_security_test)); 443 &#8211; X.X.x.x<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><\/h2>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.3.\u00a0 Data Exfiltration<\/h4>\n<p>Between 29 September and 17 October, the APT sent several hundred thousand HTTP GET queries to web resources that hold voter registration data. 
The threat actor used the cURL command-line tool and Free Download Manager (FDM) user agents to send the requests and modified the request parameters by iterating through voter identification values, as shown below.<\/p>\n<table width=\"630\">\n<tbody>\n<tr>\n<td width=\"630\"><em>2020-10-17 13:07:51 x.x.x.x GET \/x\/x voterid=XXXX1 443 &#8211; x.x.x.x curl\/7.55.1 &#8211; 200 0 0 1406<\/em><\/p>\n<p><em>2020-10-17 13:07:55 x.x.x.x GET \/x\/x voterid=XXXX2 443 &#8211; x.x.x.x curl\/7.55.1 &#8211; 200 0 0 1390<\/em><\/p>\n<p><em>2020-10-17 13:07:58 x.x.x.x GET \/x\/x voterid=XXXX3 443 &#8211; x.x.x.x curl\/7.55.1 &#8211; 200 0 0 1625<\/em><\/p>\n<p><em>2020-10-17 13:08:00 x.x.x.x GET \/x\/x voterid=XXXX4 443 &#8211; x.x.x.x curl\/7.55.1 &#8211; 200 0 0 1390<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><\/h3>\n<h3>3.\u00a0 Prevention and Mitigation<\/h3>\n<p>CISA and the FBI recommend the following actions for detecting, preventing and mitigating malicious activity similar to that described in this report.<\/p>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3.1.\u00a0 Detecting Acunetix<\/h4>\n<p>Organizations that rarely use the Acunetix tool should monitor logs for any indication of the program\u2019s activity. The following keywords can help organizations identify Acunetix during log analysis:<\/p>\n<ul>\n<li>$acunetix<\/li>\n<li>acunetix_wvs_security_test<\/li>\n<\/ul>\n<h4>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3.2.\u00a0 Other Recommendations<\/h4>\n<ul>\n<li>Validate input as a method of sanitizing untrusted input submitted by web application users. Validating input can significantly reduce the probability of successful exploitation by protecting against security flaws in web applications. 
The types of attacks this could help prevent include SQL injection, cross site scripting (XSS), and command injection.<\/li>\n<li>Audit the organization\u2019s network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable unnecessary services and install available patches for the services in use. Users may need to work with their technology vendors to confirm that patches will not affect system processes.<\/li>\n<li>Verify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a valid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.<\/li>\n<li>Enable strong password requirements and account lockout policies to defend against brute-force attacks.<\/li>\n<li>Apply multi-factor authentication when possible.<\/li>\n<li>Maintain a good information back-up strategy by routinely backing up all critical data and system configuration information on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.<\/li>\n<li>Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.<\/li>\n<li>When creating cloud-based virtual machines, adhere to the cloud provider&#8217;s best practices for remote access.<\/li>\n<li>Ensure third parties that require RDP access follow internal remote access policies.<\/li>\n<li>Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.<\/li>\n<li>Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as a VPN. 
However, recognize that the security of VPNs matches the security of the connected devices.<\/li>\n<li>Use security features provided by social media platforms; use <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2018\/03\/27\/Creating-and-Managing-Strong-Passwords\">strong passwords<\/a>, change passwords frequently, and use a different password for each social media account.<\/li>\n<li>See CISA\u2019s Tip on <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/tips\/ST19-002\">Best Practices for Securing Election Systems<\/a> for more information.<\/li>\n<\/ul>\n<h3>4. Indicators of Compromise<\/h3>\n<p><strong>Disclaimer:<\/strong> <em>Many of the following IPs used in the scanning and exploit activity are part of publicly available VPN services. Users should thoroughly investigate the following IPs for false positives before adding them to a security service\u2019s block list since they are also available to legitimate paying users. <\/em><\/p>\n<h4>Endnotes<\/h4>\n<ol>\n<li>https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-304a<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Christopher Kim TLP:WHITE &nbsp; 1. Executive Summary On 30 October, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on Iranian advanced persistent threat actors (APTs) responsible for targeting U.S. state election websites and spreading disinformation about the 2020 U.S. 
presidential election via email.1 From [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":3106,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[339,334,343,308,350],"class_list":{"0":"post-5674","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-apt","9":"tag-cisa","10":"tag-election-security","11":"tag-fbi","12":"tag-iranian-hacking","13":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=5674"}],"version-history":[{"count":3,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5674\/revisions"}],"predecessor-version":[{"id":5677,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5674\/revisions\/5677"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/3106"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=5674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=5674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=5674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}