Cyberattacks on Distribution of Coronavirus Vaccines
IBM’s threat intelligence research task force (named “X-Force”) has identified a series of cyberattacks aimed at the logistics of the distribution of coronavirus vaccines. Various companies and government organizations have been targeted, with speculation about the attackers’ motivation ranging from theft of intellectual property to ransomware deployed to delay vital COVID-19 vaccine shipments. The targeted attacks reportedly started in September 2020, involving an elaborate web of email impersonations and spear phishing attacks. The phishing emails posed as requests for quotations (RFQs) related to UNICEF’s cold chain equipment logistics program. The emails contained malicious HTML attachments that prompted recipients to enter their credentials to view the files, at which point the user IDs and passwords could be stolen.
Nick Rossman, Global Lead for Threat Intelligence with IBM Security X-Force, observed that the cyber attackers “were working to get access to how the vaccine is shipped, stored, kept cold and delivered. We think whoever is behind this wanted to be able to understand the entire cold chain process.” The extreme cold storage and shipment requirements for the various COVID-19 vaccines currently in distribution or development – coupled with the massive volumes of vaccine required – make the cold chain process particularly sensitive.
While the X-Force report did not allege any particular origin of the attacks, state-sponsored actors are suspected to be behind the scheme, likely from Russia or North Korea.
IBM has posted a blog post summarizing its findings on the Security Intelligence website. The report was sufficiently alarming to prompt the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a bulletin about the incident as well, in order to help raise awareness and preparedness.
SANS Annual Holiday Hack-a-thon
The SANS Institute is holding its free, annual holiday hacking challenge again for 2020. Billed as a “festive way to learn new technical skills, get inspired, and connect with people who love cyber challenges and cheerful skill building,” SANS reports that over 10,000 registrations have been received already, and participation is likely to eclipse last year’s record enrolment of over 20,000 people around the world.
This year’s cybersecurity competition features an adventure-style challenge to save the season from holiday super villains and “KringleCon 3”, a virtual cybersecurity conference held during the challenge event.
All skill levels are welcome, and the prizes include a SANS course (valued at up to US$7000) or a four-month subscription to NetWars Continuous, SANS’ online training and challenge portal. Visit https://holidayhackchallenge.com/2020 for full details.
U.S. Treasury Department Emails Hacked
According to a December 13 Reuters report, Russian-based hackers are suspected of silently monitoring internal emails at the U.S. Treasury Department and the Commerce Department’s National Telecommunications and Information Administration (NTIA). Although it was only discovered recently, the breach may have happened as long ago as summer 2020, meaning that months of Office 365 emails may have been compromised.
According to multiple sources, the cyber criminals – believed to be affiliated with the APT29 hacker organization – may have hacked several other government agencies using similar tactics. The incident is considered to be so serious that it prompted the National Security Council to meet at the White House on December 12, according to the report.
The full scope of the breach is still to be determined. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are investigating the matter.
Researchers Turn Robot Vacuum Cleaner Into Spying Device
Four researchers at the National University of Singapore and one from the University of Maryland have published a paper outlining how they hijacked a Xiaomi Roborock robotic vacuum cleaner to listen in on conversations. Their paper, published at the ACM SenSys 2020 conference in Japan, demonstrates the use of “lidar” technology to enable the vacuum to capture sounds in the same room as the robotic device – even though the vacuum is not equipped with a microphone or other audio equipment.
Lidar (a term combining “light” and “radar”) is a method for estimating distances by measuring the wavelength and travel times of a laser light reflecting off a target. In robotic vacuums like the Roborock, lidar technology is intended to be used to control the path and navigation of the robot around a room. The researchers re-configured the vacuum to use the lidar sensor to collect and record the “sound energy in the environment [that] is partially induced on nearby objects creating subtle physical vibrations within those solid media” – software was then used to convert those recordings into human-recognizable sounds.
In the study, the researchers gathered some 30,000 sound bites over the course of 19 hours of recordings, and used a “deep-learning algorithm-drive recovery process” to decipher the sounds, which included conversations and recorded music in the room. The team reported an impressive 90% success rate in converting the data into comprehensible sounds.
The attack is more of a “proof-of-concept” than a particularly likely or imminent danger to one’s home security. An attacker would have to compromise the vacuum cleaner by installing firmware updates as well as breaching the owner’s Wi-Fi network, then run the eavesdropping exercise under favourable conditions (e.g., minimal background noise, room furnishings, lighting, etc.). The case study is a reminder, however, of the importance of securing home-based devices and networks, and being diligent about the ever-growing numbers of IoT devices around us. Lidar technology is rapidly becoming mainstream, as it is featured in the latest generation of Apple iPhone 12 smartphones (in order to improve the low-light sensitivity of the onboard cameras).