Ex-FBI employee jailed for taking classified material home
Also: a PII harvest at Dole's server farm, military members mailed mystery smartwatches, and this week's critical vulns
Infosec in brief In a case startlingly similar to charges recently unsealed against one-term US president Donald Trump, a former FBI analyst has been jailed for taking sensitive classified material home with her.
As with Trump, Kendra Kingsbury was charged under the Espionage Act. In Kingsbury's case, it was two counts of unlawfully retaining documents related to national defense, which landed her with a 46-month prison sentence and three years of supervised release.
Kingsbury pleaded guilty to the charges, which alleged she took documents home throughout the course of her 12-year employment with the FBI, where she held a Top Secret/SCI security clearance.
The Department of Justice said Kingsbury removed a total of 386 classified documents to her home, which included sensitive national security information that the DoJ said could have "revealed some of the government's most important and secretive methods of collecting essential national security intelligence" in the wrong hands.
Kingsbury stored documents on multiple forms of electronic media pertaining to a number of intelligence activities – including counter-terrorism and defense against cyber threats, the DoJ said.
Kingsbury also retained information related to Al Qaeda in Africa and individual terrorists associated with it, as well as "intelligence gaps regarding hostile foreign intelligence services and terrorist organizations and the technical capabilities of the FBI against counterintelligence and counterterrorism targets," per the DoJ.
As for why she did it, the DoJ said its investigation only turned up "more questions and concerns than answers."
Officials found a number of what they described as "suspicious calls" to phone numbers associated with subjects of counter-terrorism officials – some of whom even called Kingsbury back. The DoJ said it's been unable to figure out why those calls were placed, and that Kingsbury declined to share any details.
As for the Florida man, he is expected in court to fight the charges, which he denies, in mid-August.
Critical vulnerabilities: ASUS router edition
There are plenty of critical vulnerabilities, and associated patches, to point out this week. But the highlight belongs to ASUS, which released a considerable number of firmware updates for 19 of its routers. Among the issues fixed were nine CVEs, several critical – including one that's five years old.
Also addressed this week:
- VMware released updates for vCenter Server and Cloud Foundation that fix a quintet of CVEs with severity scores as high as a CVSS 8.1 that can cause memory corruption in vCenter Server.
- Fortinet released a patch for CVE-2023-33299, CVSS 9.6, which addresses a deserialization of untrusted data bug in FortiNAC that can lead to unauthorized code or command execution.
CISA identified two new critical ICS vulnerabilities:
- CVSS 9.8 – Multiple CVEs: Advantech's router monitoring tool R-SeeNet contains hard-coded credentials and allows low-privilege users to access and load the content of local files, both of which can give an unauthorized user access.
- CVSS 9.8 – Multiple CVEs: Econolite's EOS traffic controller software uses a weak hash and requires no password for read-only access to sensitive files. If exploited, this could be used to take control of traffic lights.
CISA also spotted three critical vulnerabilities being exploited in the wild this week:
- CVSS 9.8 – CVE-2023-20877: VMware's Aria Operations for Networks contains a command injection vulnerability.
- CVSS 9.8 – CVE-2021-44026: Webmail service Roundcube, specifically versions before 1.3.17 and 1.4.x versions before 1.4.12, is prone to SQL injection via search and search_params.
- CVSS 9.8 – CVE-2020-12641: In Roundcube's second mention of the week, its rcube_image.php file in versions prior to 1.4.4 allows attackers to execute arbitrary code by exploiting shell metacharacter config settings.
Dole admits ransomware crooks picked a peck of employee PII
After experiencing a "cybersecurity incident" that it identified as ransomware in February, fruit packager Dole is sending letters to employees to let them know some sensitive stuff was stolen.
According to information Dole provided to the Maine attorney general, a total of 3,885 US employees had data – including names, employment info, SSN, address, phone number, passport information and other sensitive details – stolen in the February heist.
Dole noted the stolen information varies by individual, and that it doesn't believe the data "was or will be subject to any fraudulent misuse," which in corpspeak equates to "don't worry – we paid the ransom and we totally trust these hackers at their word."
Dole hasn't said whether it paid the ransom, or how much the unidentified perps demanded, but it did say in its Q1 2023 financial statement [PDF] that the "direct costs related to the incident were $10.5 million of which $4.8 million related to continuing operations."
US Army says unsolicited smartwatch mail mystery afoot
It goes without saying, but if you get an unsolicited electronic device in the mail, don't turn it on. That goes doubly for members of the Armed Forces, who've recently been getting mystery smartwatches in the mail, the US Army Criminal Investigation Division (CID) said this week.
"These smartwatches, when used, have auto-connected to Wi-Fi and begun connecting to cell phones unprompted, gaining access to a myriad of user data," the CID warned.
Investigators say the watches "may" contain malware, but it's hard to see the point of the scheme otherwise – especially if the end result is a compromised device belonging to someone with a security clearance. The CID said the mystery watches could also be part of a "brushing" scam in which sellers send goods – often cheap junk – to random people in order to fake positive reviews on ecommerce sites.
Regardless – soldier, sailor, airman, marine or civilian – don't turn it on. If you are in the military, the CID urges you to report the devices to your local counterintelligence or security manager.
Tsunami of malware hits Linux SSH servers
Miscreants are conducting a campaign to infest poorly managed SSH servers with a variety of malware, according to researchers at the AhnLab Security Emergency Response Center (ASEC).
Cybercriminals attack SSH because the protocol allows secure login to remote machines – an obviously useful facility for crooks. According to ASEC's researchers, the service is often poorly managed and therefore attracts attacks. In March 2023 ASEC spotted attacks on SSH by threat group ChinaZ that installed various DDoS bots. In 2022, Fortinet detailed another attack on Linux SSH servers, on that occasion with malware called "RapperBot" that brute-forced its way into IoT devices.
The current campaign detected by ASEC saw crooks install Tsunami – also known as Kaiten – malware that allows full remote control of an infected computer. This campaign also sometimes involves installation of ShellBot – a DDoS botnet developed using the Perl programming language – the XMRig Monero coin miner, and privilege escalation malware in the Executable and Linkable Format (ELF) for gaining control of the targeted system, ASEC researchers wrote in a report.
MIG Logcleaner v2.0 is also installed and its name explains why – the malware is used to delete or modify specific logs within files, making it more difficult for analysts to detect and track the attack.
The source code for Tsunami is publicly available and threat groups will modify it and add features to fit their needs. In the campaign ASEC explored, the attackers used a variant named Ziggy.
While SSH allows admins to remotely log into a system, they need credentials to do so.
"If simple account credentials [like user IDs and passwords] are used in a Linux system, a threat actor can log into the system through brute force or a dictionary attack, allowing them to execute malicious commands," the researchers wrote.
This includes scanning the internet for publicly exposed Linux SSH servers and using known account credentials to run the attacks and log in, followed by executing a command to download the malware. The attackers were also seen writing new public and private SSH keys to ensure continued access to the infected system.
Tsunami also ensures persistence in the compromised system by writing itself onto the "/etc/rc.local" file so that it continues to run even after the system reboots.
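The intrusion chain ASEC describes leaves two traces a defender can look for: a burst of failed password logins from one address followed by a successful password login from the same address, and a startup entry in /etc/rc.local pointing at a binary dropped in a temporary directory. The following script is an added example, not code from the article or from ASEC; the log lines, the rc.local content and the token list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines and rc.local content (not from ASEC's report).
SAMPLE_AUTH_LOG = """\
Jun 24 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun 24 10:01:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Jun 24 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jun 24 10:01:07 host sshd[1203]: Accepted password for root from 203.0.113.7 port 50127 ssh2
Jun 24 10:05:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
/usr/sbin/hwclock --hctosys
nohup /tmp/.cache/update >/dev/null 2>&1 &
exit 0
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")

def brute_force_then_success(log_text, threshold=3):
    """Return (source_ip, user) pairs for password logins that were preceded
    by at least `threshold` failed password attempts from the same address."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)] >= threshold:
            hits.append((m.group(3), m.group(2)))
    return hits

# Startup entries run from temp/world-writable paths, or pulling content off the network.
SUSPICIOUS = ("/tmp/", "/dev/shm/", "/var/tmp/", "curl ", "wget ")

def suspicious_rc_local(rc_local_text):
    """Return non-comment /etc/rc.local lines that match any SUSPICIOUS token."""
    flagged = []
    for line in rc_local_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if any(tok in s for tok in SUSPICIOUS):
            flagged.append(s)
    return flagged
```

Key-based logins (`Accepted publickey`) are deliberately not flagged by the first check; a separate review of the authorized_keys files, which ASEC says the attackers also modify, would cover that vector.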
Once in, Tsunami can not only run DDoS attacks but also other tasks, including collecting system information and downloading additional payloads, all while communicating with its command-and-control (C&C) server via the IRC protocol, a decades-old internet chat protocol.
"Additionally, information such as the C&C address and the channel password are encrypted and saved. Tsunami decrypts and retrieves the strings it needs during its execution," ASEC wrote. "There are two C&C server addresses, and Tsunami randomly selects one of them to attempt a connection."
To protect systems against such attacks, the researchers reiterated the need for difficult-to-guess account passwords that are changed periodically and for keeping system patches up to date. Enterprises also should employ firewalls. ®