UpGuard can now disclose that an Amazon S3 storage bucket containing publicly exposed backups of systems representing the intranet and web presence for Martin County, Florida has been secured. The dataset includes 1254 user account records, including password hashes for Martin County personnel including third-party IT vendors and six accounts for Martin County’s Supervisor of Elections office. Additionally, a Github access token was present among the publicly available data. In a battleground state during a presidential election cycle– in a state that George W. Bush won by 537 votes after the U.S. Supreme Court stopped a recount– this exposure illustrates the risk that data leaks from cloud storage pose to an electoral system already embattled by pandemic, foreign threat actors, and voter suppression.
Martin County is located in the Treasure Coast region north of Miami, with a population of around 140,000 residents. Like counties across the United States, Martin County is responsible for administering elections within its jurisdiction. And also like other counties, Martin makes use of IT infrastructure for some of the services they provide their constituents, and engages outside vendors to perform specialized web development work. These are the conditions that create the risk of data leaks– sensitive information inadvertently made public– and eventually lead to cases like this one.
Discovery
On September 18th, 2020, an UpGuard researcher discovered a publicly accessible cloud storage bucket named “martincounty”. The bucket contained two compressed SQL database backup files and a text file containing an authentication token tied to a project hosted on Github. Initial analysis of the contents indicated sensitive information was present, including account login credentials for the Martin County Supervisor of Elections and several other county elections employees. The UpGuard Data Leaks research team then began the process of notifying Martin County.
UpGuard Director of Risk Research, Chris Vickery, was able to get a message passed along to an attorney employed by Martin County, and received a phone call on September 22nd. Near the end of that call, the Martin County attorney requested a brief summary email from Vickery of details which would then be forwarded to the appropriate IT staff to review and fix.
Chris sent the requested email as well as a follow-up email a few hours later with additional specifics highlighting one of the precise settings responsible for the files being publicly accessible. Public access to the Martin County bucket was removed around noon PST on September 23rd.
Significance
After the publicly available files were decompressed and restored into a MySQL database instance, the contents revealed a significant collection of data related to the administration of Martin County IT systems. Most significantly, a “users” table contained information for 1,254 accounts with access to Martin systems. Approximately 1,200 of those accounts were for Martin County employees. Six accounts had email addresses at martinvotes.com, the official website for the Martin County Supervisor of Elections. The remaining accounts belonged to third parties related to the development and maintenance of the county web systems.
The data about each user included email address, hashed password, timestamps for the user’s creation date and last login. The password hashes were all unique, indicating they were not default passwords sometimes used in the set-up of a system, and the login dates were all around the same time as the file’s creation in 2017, again supporting what one would expect to see in real user data.
The databases also had many other tables related to the broader administration of county services, like audit logs for the actions performed by each user and errors. Those logs show two requests for documents from an IP address allocated to a Russian internet service provider. Further investigation by UpGuard analysts discovered that this IP address had been flagged as the origin of SMB2 exploitation attempts in the past, unrelated to Martin County, but UpGuard is unable to corroborate the anonymous source of that flagging.
Conclusion
What a threat actor could accomplish with this data is unknown, but the nature of the data raises some potential scenarios. Hashed passwords, particularly common passwords, can potentially be cracked and made legible as plaintext again. Detailed logs of county employee’s interactions with the site, and a list of email addresses and user roles, provide fodder for social engineering attacks. What access election officials have to voter data is unknown, but this database was created in 2017, during the current election cycle. And as social media platforms have made clear in their recent policy changes warning against false claims that a candidate has already won, access to voting data isn’t necessary to have an adverse effect on free elections. Disinformation about voting sites, times, and election results can all affect elections, and that is also information distributed by counties, in part through their websites.
Hear directly from our research team at Protecting the Vote 2020, our live virtual event.
