Forensic evidence shows signs that a Georgia election server may have been hacked ahead of the 2016 and 2018 elections by someone who exploited Shellshock, a critical flaw that gives attackers full control over vulnerable systems, a computer security expert said in a court filing on Thursday.
Shellshock came to light in September 2014 and was immediately identified as one of the most severe vulnerabilities to be disclosed in years. The reasons: it (a) was easy to exploit, (b) gave attackers the ability to remotely run commands and code of their choice, and (c) opened most Linux and Unix systems to attack. As a result, the flaw received widespread news coverage for months.
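As an added, defender-side illustration (not part of the original article), the following Python helper runs the canonical Shellshock test string that the 2014 advisories published for checking whether a host's bash is patched: bash is asked to run a harmless `echo test` with an environment variable whose value is a function definition followed by an extra command. A patched bash prints only `test`; an unpatched one also executes the trailing command. The function name and the choice to probe via an explicit path are this example's own.

```python
"""Check whether the local bash still executes code appended to an exported
function definition (the original Shellshock bug). Added example for
patch-status verification; the test string is the one published in the 2014
advisories, the helper around it is constructed for this illustration."""
import os
import shutil
import subprocess


def shellshock_status(bash_path=None):
    """Return True if bash runs the smuggled 'echo vulnerable', False if it is
    patched, and None if no usable bash binary was found."""
    bash = bash_path or shutil.which("bash")
    if bash is None or not os.path.exists(bash):
        return None
    # Minimal environment: PATH so bash can find 'echo' if it is not a builtin,
    # plus the probe variable. Nothing else from the caller's environment leaks in.
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True, timeout=10)
    # Patched bash prints just "test"; a vulnerable one prints "vulnerable" first.
    return "vulnerable" in proc.stdout


if __name__ == "__main__":
    state = shellshock_status()
    print({True: "VULNERABLE", False: "patched", None: "bash not found"}[state])
```

Run it on any Linux or Unix host as an unprivileged user; it changes nothing on the system. A `True` result on a server in 2014 would have meant exactly the exposure described above, and on a modern system should never occur.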
Patching on the sly
Despite the severity of the vulnerability, it remained unpatched for three months on a server operated by the Center for Election Systems at Kennesaw State University, the group that was responsible for programming Georgia election machines. The flaw wasn't fixed until December 2, 2014, when an account with the username shellshock patched the critical vulnerability, the expert's analysis of a forensic image shows. The shellshock account had been created only 19 minutes earlier. Before patching the vulnerability, the shellshock user deleted a file titled shellsh0ck. A little more than half an hour after patching, the shellshock user was disabled.
A timeline provided by the expert shows the following:
12/2/2014 10:45 – the user mpearso9 is modified using the Webmin console
12/2/2014 10:47 – shellshock user created using Webmin console
12/2/2014 10:49 – /home/shellshock/.bash_history last modified
12/2/2014 11:02 – /home/shellshock/shellsh0ck file is deleted
12/2/2014 11:06 – bash patched to version 4.2+dfsg-0.1+deb7u3 to prevent shellshock
12/2/2014 11:40 – shellshock user disabled using Webmin console
There was more: the shellshock account's bash_history, a file that typically records all commands executed by the user, contained a single command: to log out of the server. The expert said that the absence of commands showing the creation and later deletion of a file in the user's directory was “suspicious” and led him to believe that the bash history was modified in an attempt to hide the user's activity. The expert also noted that patching vulnerabilities is a common practice among hackers after breaking into a system. It prevents other would-be intruders from exploiting the same bugs.
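The reasoning in the timeline and in the paragraph above is the kind of correlation an analyst would script when reviewing a forensic image. The following Python code is an added example, not part of the affidavit or the article, that encodes three of those heuristics over a host timeline: an account that is created and disabled within a short window, a package upgrade that falls inside that account's lifetime, and a shell history that records nothing but a logout even though the filesystem shows activity under the user's home. The event list and history contents are constructed to mirror the times quoted in the article; the event schema, function names and the two-hour threshold are this example's own assumptions.

```python
"""Heuristic checks over a host timeline: short-lived accounts that bracket a
patch, and a shell history that does not account for the user's own activity.

Added example for illustration. SAMPLE_EVENTS and SAMPLE_HISTORIES are
constructed to mirror the timeline quoted in the article; they are not taken
from any forensic image."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actor, action, detail).
SAMPLE_EVENTS = [
    ("2014-12-02 10:45", "mpearso9",   "user_modified",    "Webmin console"),
    ("2014-12-02 10:47", "shellshock", "user_created",     "Webmin console"),
    ("2014-12-02 10:49", "shellshock", "file_modified",    "/home/shellshock/.bash_history"),
    ("2014-12-02 11:02", "shellshock", "file_deleted",     "/home/shellshock/shellsh0ck"),
    ("2014-12-02 11:06", "root",       "package_upgraded", "bash 4.2+dfsg-0.1+deb7u3"),
    ("2014-12-02 11:40", "shellshock", "user_disabled",    "Webmin console"),
]

# Constructed bash_history contents keyed by username.
SAMPLE_HISTORIES = {"shellshock": ["exit"]}

# Commands that end a session without doing anything else.
LOGOUT_ONLY = {"exit", "logout"}


def parse_events(rows):
    """Turn the string timestamps into datetime objects, keeping the other fields."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), actor, action, detail)
            for ts, actor, action, detail in rows]


def account_lifetimes(events):
    """Map username -> (created, disabled) for accounts whose creation was observed."""
    created, lifetimes = {}, {}
    for ts, actor, action, _ in events:
        if action == "user_created":
            created[actor] = ts
        elif action == "user_disabled" and actor in created:
            lifetimes[actor] = (created[actor], ts)
    return lifetimes


def analyze(rows, histories, max_lifetime=timedelta(hours=2)):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    events = parse_events(rows)
    findings = []
    patches = [ts for ts, _, action, _ in events if action == "package_upgraded"]
    for user, (start, end) in account_lifetimes(events).items():
        # Heuristic 1: account existed only briefly.
        if end - start <= max_lifetime:
            findings.append(
                f"short-lived account {user}: {end - start} between creation and disablement")
        # Heuristic 2: a package upgrade happened while that account was live.
        for p in patches:
            if start <= p <= end:
                findings.append(
                    f"package upgrade at {p:%H:%M} falls inside {user}'s account lifetime")
        # Heuristic 3: file activity under the user's home that the history does not reflect.
        home_events = [e for e in events
                       if e[1] == user and e[2] in ("file_deleted", "file_modified")
                       and not e[3].endswith(".bash_history")]
        hist = [h.strip() for h in histories.get(user, [])]
        if home_events and all(h in LOGOUT_ONLY for h in hist):
            findings.append(
                f"{user}: {len(home_events)} file event(s) but shell history "
                f"records no commands beyond a logout")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS, SAMPLE_HISTORIES):
        print("FINDING:", line)
```

None of the three findings proves an intrusion on its own; as in the affidavit, it is their coincidence on one account within one hour that makes the pattern worth a deeper look. In a real engagement the events would come from the image's wtmp, package logs and file-system metadata rather than a hand-written list.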
Taken together, the evidence indicates that someone may have used Shellshock to hack the server, the computer expert said.
“The long unpatched software, unusual username, potentially modified command history, and near immediate patching of the shellshock bug are all strong pieces of evidence that an outside attacker gained access to the KSU server by exploiting the shellshock bug,” wrote Logan Lamb, who is an expert witness for plaintiffs in a lawsuit seeking an end to Georgia's use of paperless voting machines. Lamb said more forensic analysis was required to confirm the attack and determine what the user did on the server.
Drupalgeddon and more
The affidavit comes 31 months after, as Politico first reported, Lamb discovered that the elections server at Kennesaw State University was unpatched against another high-severity flaw, this one in the Drupal content management system. The risk posed by the vulnerability was so great that researchers quickly gave it the nickname “Drupalgeddon”. Lamb's discovery of the unpatched server happened in August 2016, 22 months after the flaw came to light and a Drupal update became available.
After reading the Politico report, a group of election-integrity activists sued Georgia officials and eventually sought a copy of the server in an attempt to see if it had been compromised through the Drupalgeddon vulnerability. The plaintiffs would later learn that Kennesaw officials had wiped the server clean two days after the complaint was filed.
The plaintiffs finally obtained a mirror image taken in March 2017 by the FBI. The bureau had been called in to determine if Lamb and another researcher had violated any laws. (The investigation later determined they had not.) State officials opposed the plaintiffs' motion for a copy of the mirror image but eventually lost.
Evidence that the server may have been hacked through the Shellshock vulnerability wasn't the only concerning thing Lamb said he found. He also found “scores of files” that had been deleted on March 2, 2017, shortly before the server was taken offline and handed over to the FBI. Lamb still doesn't know what the deleted files contained, but based on the filenames, he believes they're related to elections.
The mi