Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 incorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-hm57-h27x-599c: Mattermost incorrectly issues two sessions when using desktop SSO

There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to tay away from them.

With the holidays around the bend, many are looking for gifts for their family and friends. And since we somehow decided we want to give more each time, we’re also looking for good deals.

But European law enforcement agency Europol issued a warning about buying fake goods. Sure, they are cheaper, but they do come with a dark side.

According to Europol’s report titled “Uncovering the ecosystem of intellectual property crime, ”approximately 86 million fake items were seized in the European Union (EU) in 2022 alone, with an estimated total value exceeding EUR 2 billion (US$ 2.1 billion).

Not only does this ecosystem provide buyers with substandard goods, it also enables crimes like intellectual property (IP) crime, cybercrime, money laundering, and environmental crime.

Intellectual property is what drives innovation. Criminals don’t come up with new inventions, they just create cheap copies of popular items without regards for safety of the product, working conditions, or environmental regulations. The only thing counterfeiters are innovating are ways to exploit consumer demand for counterfeit and pirated goods.

The report states:

> “The rise of social media, influencers and online commerce have changed consumers’ behavior, increasing their appetite for IP infringing goods or content, while having a low awareness of risks.”

Criminals fully abuse the social media platform algorithms that reach potential buyers using customized ads that speak to their personal interests and preferences. These are often removed after automated reviews.

So, there is another critical role in advertising counterfeit goods, which are influencers. Through their channels, influencers may direct customers to product listings on online stores that evade security protocols about counterfeit adverts.

By buying counterfeit goods you are also unwittingly enabling cybercriminals that are engaged in fraud, corruption, labor exploitation, environmental crime, money laundering, and cybercrime.

On the other hand, the risks of getting caught and the relatively low penalties make IP crime a low-risk, high-benefit criminal activity.

Consumers, however, are not always aware of the fact they are buying counterfeit goods. As sophisticated technologies are used to replicate holograms, logos, and packaging, unaware consumers are more likely than ever to be deceived, and recognizing counterfeit items has become a task that requires specific knowledge and an expert eye.

**How to avoid counterfeit goods**

Nonetheless, there are a few pointers to be given on how to avoid buying counterfeit goods.

*   Where possible, buy from the brand’s own store. When that’s not an option look for authorized retailers. Many brands publish lists of authorized sellers on their websites. And some of the larger webstores use “Authenticity Guarantee” badges on their listings.
*   When it comes to pricing, follow the old saying: “If it’s too good to be true, it probably is.”
*   A legitimate webstore should have contact information, look professional, and specify consumer rights.
*   Review advertisements on social media, influencer channels, and chat platforms with a little bit of extra caution.
*   Look for consumer reviews. Interestingly, it could be a red flag if the reviews of the product and company are universally bad—or if there are no bad reviews at all.

If you’re not completely sure about the product or the website, at least make sure to use a secured payment page and preferably use your credit card, in case you need to recover your money.

If you have bought a counterfeit product:

*   Stop and think before you use it, to consider whether it is safe to use. The materials used for production are likely to be sub-standard and could pose a risk to your health.
*   Report it to the platform where you made the purchase and to the legitimate brand.
*   Report it to the proper authorities.

Use Malwarebytes Browser Guard to block advertisements, scams, and trackers. It’s a free browser extension for Chrome, Firefox, Edge, and Safari.

 Europol warns about counterfeit goods and the criminals behind them 

GHSA-rc7v-65v6-m2v3: go-mysql affected by go.uuid's Predictable UUID Identifiers

The ABB BMS/BAS controller is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

ABB Cylon Aspect 3.08.01 (auth/) Active Debug Code Vulnerability

### Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

### Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

### Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

### References

* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org


GHSA-2rxp-v6pw-ch6m: REXML ReDoS vulnerability

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated building/project name exposure vulnerability.

**ABB Cylon Aspect 3.08.01 getApplicationNamesJS.php Building/Project Name Exposure**

    ABB Cylon Aspect 3.08.01 (getApplicationNamesJS.php) Building/Project Name ExposureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The building management system suffers from an unauthenticated building/projectname exposure.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5850Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5850.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ curl http://192.168.73.31/getApplicationNamesJS.phpvar instanceDirectory=["1":"OOU KrstePMisirkov_Kumanovo"];

ABB Cylon Aspect 3.08.01 getApplicationNamesJS.php Building/Project Name Exposure

Red Hat Security Advisory 2024-8235-03 - Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, and out of bounds write vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8235.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.39 security update  
Advisory ID:        RHSA-2024:8235-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8235  
Issue date:         2024-10-28  
Revision:           03  
CVE Names:          CVE-2023-29401  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.39. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8238

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* glibc: Out of bounds write in iconv may lead to remote code execution  
(CVE-2024-2961)  
* openstack-ironic: Specially crafted image may allow authenticated users  
to gain access to potentially sensitive data (CVE-2024-44082)  
* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize  
filename parameter of Context.FileAttachment function (CVE-2023-29401)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)  
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP)  
(CVE-2023-48795)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29401

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2216957  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2273404  
https://bugzilla.redhat.com/show_bug.cgi?id=2309331  
https://issues.redhat.com/browse/OCPBUGS-25727  
https://issues.redhat.com/browse/OCPBUGS-32266  
https://issues.redhat.com/browse/OCPBUGS-37353  
https://issues.redhat.com/browse/OCPBUGS-37552  
https://issues.redhat.com/browse/OCPBUGS-39019  
https://issues.redhat.com/browse/OCPBUGS-41246  
https://issues.redhat.com/browse/OCPBUGS-41836  
https://issues.redhat.com/browse/OCPBUGS-41918  
https://issues.redhat.com/browse/OCPBUGS-42517  
https://issues.redhat.com/browse/OCPBUGS-42518  
https://issues.redhat.com/browse/OCPBUGS-42533  
https://issues.redhat.com/browse/OCPBUGS-42567  
https://issues.redhat.com/browse/OCPBUGS-42603  
https://issues.redhat.com/browse/OCPBUGS-42757  
https://issues.redhat.com/browse/OCPBUGS-42828  
https://issues.redhat.com/browse/OCPBUGS-42986

Red Hat Security Advisory 2024-8235-03

Relying on EOL software leaves critical systems exposed — making it a problem no business can afford to ignore.

Jason Meller, Vice President of Product, 1Password

October 28, 2024

5 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

When you've bought a haunted house, the worst thing you can do is decide to just live with it. Yet in every horror movie, there's always that one person — usually the father — who doesn't want to leave. Plates are flying off the shelves, blood is erupting from the sink, and Dad is ignoring all of it while pruning the ficus in the living room. 

Dad doesn't last long in those movies, and it's because he's ignoring one universal truth: Denying that a threat is real won't protect you from it. 

You'd think security-minded organizations would have learned that lesson by now. Unfortunately, many are just like Dad, resigned to an IT infrastructure that's lousy with ghosts. 

Here's one ghost we can vanquish right now: obsolete software. End-of-life (EOL) software is surprisingly common; nearly two-thirds of companies still rely on applications that no longer receive security updates from their vendors. This leaves critical systems exposed, making it a problem no business can afford to ignore. 

**The Terrors of EOL**

So, if EOL software is so scary, why is it so pervasive? Before we start berating companies — like a horror movie audience yelling at the characters onscreen to make better choices — let's try and understand what makes obsolete software so challenging to manage.  

**Cost**

Budget is undoubtedly the biggest reason companies use unsupported legacy applications. Sometimes, this is understandable — for instance, plenty of healthcare providers simply can't afford to replace their very expensive and specialized legacy tools. 

But let's be honest: A lot of companies just don't want to pony up the cash needed to maintain their tech stack properly. Updating or replacing software can be costly and disruptive. Who wants to take on that challenge, especially when the danger of inaction seems hypothetical?  

But this logic is (fatally) flawed. Any money you save by clinging to EOL software will be swallowed by the inevitable cost of a data breach. And that cost is likely to be higher if you're running outdated software, with no support to get your compromised systems back online.  

**Shadow IT**

EOL software has such a long afterlife that admins frequently aren't aware of it.  

Occasionally, vendors fail to adequately communicate when software is no longer supported ("Why … that program's been dead for over 40 years."). And sometimes, EOL software takes the form of shadow IT.  

Our 2023 study showed that 47% of companies allow employees to access resources from unmanaged devices. That means any individual user could have EOL (or simply unpatched) software on their device, and admins would have no way of knowing.  

**Put EOL Software to Rest**

Hopefully, by now, you're convinced that EOL software is a problem and you're sharpening stakes and smelting silver bullets.  

But while it's straightforward enough to update the legacy systems you know about, what are you supposed to do about all the EOL software you don't know about? How do you fight what you can't see? 

**Monitor EOL Status**

Start with a complete audit of all the work-related software in your organization. That includes not just the company-wide, big-ticket items but every end user's device (even BYOD). If you find a user still running, say, Big Sur, stop them from accessing company resources until they update to a supported version.  

Manually, keeping up with EOL dates is a tall order. But there are tools, like this API from endoflife.date, that can alert you when software becomes obsolete. A purpose-built agent like osquery can help discover the presence of installed EOL software across your fleet. 

From there, you need to establish ownership of EOL remediation so it's not just a game of whack-a-mole for the security team. Instead, make it a part of your existing patch management and compliance strategy and check in regularly. 

**Banish EOL Software From Your Systems**

Anyone dreading the approach of Windows 10 EOL in 2025 knows that these transitions require a lot of care and planning, and you can expect resistance from leadership and end users alike.  

The only way to overcome the fears around EOL software is to face them through clear communication. That starts by getting leadership buy-in and extends to communicating with end users when you find EOL shadow IT. Once you've set a policy, use a device trust solution to block devices running EOL software. But use blocking as a chance to explain the dangers of this software. Then, instruct users on how to fix the problem themselves. 

Everyone knows that in horror movies "Let's split up, gang!" is a recipe for disaster. When you're fighting to clear up a companywide problem, you need collaboration at a companywide level. So when you start diving into the scary world of EOL software, my advice is: Don't go it alone. 

**About the Author**

Vice President of Product, 1Password

Jason Meller is a Vice President of Product at 1Password and the founder of Kolide. He is the author of "honest.security" and has spent his career building tools and products that turn everyday people into the greatest resource available to security teams to solve the industry's most nuanced problems. Jason began his security and product career at GE's elite computer incident response team defending the organization from state-sponsored targeted attacks. From there, he moved to Mandiant, quickly working his way up from an entry-level analyst position to becoming the Chief Security Strategist in 2015. He later founded and served as the CEO of Kolide, a successful VC-backed authentication security company, until its acquisition by 1Password in 2024.

Put End-of-Life Software to Rest

The building management system suffers from an unauthenticated building/project name exposure.

ABB Cylon Aspect 3.08.01 (getApplicationNamesJS.php) Building/Project Name Exposure

A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.

Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.

While state-backed actors were emboldened following Russia's meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.

The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED's requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.

“Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure."

According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.

In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn't inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.

The report cites an incident from March, for example, in which an unnamed US county “experienced a ransomware attack that forced it to purchase new network devices and reconnect to the state-level election system.” If such an attack occurred on or around Election Day, it could meaningfully disrupt voting.

More broadly, domestic security concerns in connection with the 2024 election have skyrocketed, fostering what DHS calls a “heightened threat environment.” Reporting by WIRED this month revealed that the agency has been issuing warnings to law enforcement across the US since summer, alarmed by the efforts of some extremists to mobilize and commit actual violence against elected officials, while targeting US voter ballots for destruction.

Other warnings show that concern is mounting over propaganda calling for Americans to engage in “civil war,” a narrative that DHS fears is raising the risk of domestic attacks. Threats tied to what the government calls “immigration-related grievances”—including the false narrative of “migrant invasion,” which is core to Donald Trump’s reelection efforts—have escalated this year, while expanding to ensnare federal judges and US border patrol officers deemed “traitors” among some antigovernment groups.

“Targeted violence and terrorism associated with ideologically motivated individuals will continue to be a threat through the 2024 election cycle,” says another intelligence report also obtained by WIRED. It warns, meanwhile, that “insider threats” affiliated with US election systems will “likely be an issue.”

Tag

#auth