
BitSight Data Highlights Vaccine Developer Vulnerabilities

Jake Olcott | July 17, 2020

As the biomedical community rushes to develop vaccines to combat COVID-19, malicious actors are seeking to steal the sensitive intellectual property that underpins treatment.

In light of these threats, BitSight set out to understand how the world’s COVID-19 vaccine manufacturers are performing when it comes to cybersecurity. For this study, we looked at 17 companies of varying size that have been publicly recognized for playing a big role in the global search for a COVID-19 vaccine. Five of these companies have more than 100,000 employees, four have between 10,000 and 100,000 employees, four have between 1,000 and 2,000 employees, and four have 200 or fewer employees.

For these companies, we find a number of security issues (as of June 1, 2020). These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern.

Background

This week, the UK's National Cyber Security Centre (NCSC) said Russian hackers “almost certainly" operating as "part of Russian intelligence services" used malware to try to steal information relating to COVID-19 vaccine development. According to the NCSC, the group conducted basic vulnerability scanning against specific external IP addresses owned by the targeted organisations, then deployed public exploits against the vulnerable services it identified.

Months ago, the FBI announced that, in a bid to win the race for a vaccine or cure, state-sponsored Chinese hackers were targeting U.S. researchers in an attempt to “obtain valuable intellectual property and public health data related to vaccines, treatments, and testing.” And in May, Reuters reported that Iran-linked hackers had targeted Gilead Sciences, maker of the promising antiviral drug Remdesivir.

Security Issues

Our primary findings can be divided into four categories: Compromised Systems, Open Ports, Vulnerabilities and Web Application Security. We provide some background information on each of these issues below.

Compromised Systems

A Compromised System, according to our definition, is a machine running malicious software (e.g. a member of a botnet) or a system running software that the user likely did not intentionally install, i.e. Potentially Unwanted Software (PUA), or, in our parlance, “Potentially Exploited”. We also track computers which send spam and computers behaving in abnormal ways (Unsolicited Communications); both types of behavior are also indicative of a compromised machine.

Looking at the recent history of these companies, we see that a significant fraction of them have had Compromised Systems in the past year.

Risk Vector                  Companies impacted in the past year   Companies impacted in the past six months
Botnet                       8                                     7
Potentially Exploited        9                                     8
Spam                         5                                     3
Unsolicited Communications   3                                     3


The presence of compromised systems is evidence of security controls failing to prevent malicious or unwanted software from running within an organization. This suggests that there are control failures that could potentially be exploited by adversaries seeking access.

Open Ports

An Open Port, as used here, is a system which exposes an insecure service to the open internet. Generally these types of services should either never be used or never be exposed outside of a company’s firewall. For example, Telnet is a service which allows users to access another computer over an unencrypted connection. Database technologies such as MySQL should always sit behind a company’s firewall. Exposing these services allows an attacker to identify potential access points into a company’s network.

The table below shows some of the services that we found running on IP addresses associated with these companies.

Service                                           Company Count
Cisco SMI                                         2
Recursive DNS                                     4
Telnet                                            5
Microsoft RDP                                     7
Exposed Printers                                  1
SMB                                               4
Exposed Databases (MySQL, MS SQL or PostgreSQL)   5
VNC                                               1
LDAP                                              7


None of the services listed above should be exposed outside of a company’s firewall. Of these services, Microsoft RDP is one of the most worrisome. Last year, the BlueKeep vulnerability (see BitSight’s blog post on it) impacted a large number of systems running RDP. More ominously, ransomware operators are probing exposed RDP devices in an effort to infect corporate networks.

Vulnerabilities

A Vulnerability means that the company has a machine exposed to the internet which can be shown to carry a known software bug. A large fraction of known vulnerabilities are tracked using the CVE system (CVE = Common Vulnerabilities and Exposures), and most of these can be found in the NVD database run by NIST. Vulnerabilities with CVE numbers are given a CVSS score, which provides an estimate of how severe the vulnerability is.

BitSight collects data on a wide variety of vulnerabilities. Of the 17 companies, 14 have vulnerabilities and six have very serious vulnerabilities (CVSS score > 9); 10 companies have more than 10 different active vulnerabilities.

Finding                                                          Company Count
Companies with any vulnerabilities                               14
Companies with one or more vulnerabilities with CVSS score > 5   11
Companies with one or more vulnerabilities with CVSS score > 7   6
Companies with one or more vulnerabilities with CVSS score > 8   6
Companies with one or more vulnerabilities with CVSS score > 9   6
Companies with more than 10 active vulnerabilities               10


Web Application Security Issues

Web Application Security issues relate to how well companies configure the web pages that they publish. Common errors include insecure redirects from HTTPS (secure) to HTTP (insecure), insecure authentication, and mixed secure and insecure content on the same web page. Many of these companies have one or more of these issues.

Correctly configured headers protect against malicious behavior, such as man-in-the-middle (MITM) and cross-site scripting (XSS) attacks, and prevent attackers from eavesdropping on and capturing sensitive data, such as credentials, corporate email, and customer data.

Issue                                                                  Company Count
Insecure Authentication via HTTP                                       5
Redirect from HTTPS to HTTP                                            10
HTTP links in an HTTPS document (mixed secure and insecure content)    15
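The three issues in the table, plus the header point made above, can each be checked from a single HTTP response without any live traffic. The following is an added example, not BitSight's scanner: it takes a record of one response (URL, status, headers, body), flags an HTTPS-to-HTTP redirect, HTTP sub-resources inside an HTTPS document, a password form served over or posting to HTTP, and a missing Strict-Transport-Security or Content-Security-Policy header (the two headers assumed here to stand in for the MITM and XSS protections the text mentions). The `*.test` hostnames and the HTML bodies in SAMPLE_EXCHANGES are constructed so the checks run offline.

```python
"""Offline checks for the web-configuration issues tabulated above, plus the
HSTS and Content-Security-Policy headers relevant to the MITM/XSS point.

Added example, not BitSight's tooling. Each "exchange" is a constructed
record of one HTTP response; the *.test hosts and bodies are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _RefCollector(HTMLParser):
    """Collect sub-resource URLs the browser would fetch, and forms with password fields."""

    def __init__(self):
        super().__init__()
        self.subresources = []   # script/img/iframe src and stylesheet href
        self.forms = []          # {"action": str, "password": bool}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.subresources.append(a["src"])
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.subresources.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None and a.get("type") == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def _is_http(url):
    return urlparse(url).scheme == "http"


def check_exchange(exchange):
    """Return the list of issue codes found in one response record."""
    url = exchange["url"]
    over_https = urlparse(url).scheme == "https"
    headers = {k.lower(): v for k, v in exchange["headers"].items()}
    issues = []

    # Redirect from HTTPS to HTTP: a 3xx whose Location downgrades the scheme.
    if over_https and 300 <= exchange["status"] < 400 and "location" in headers:
        if _is_http(urljoin(url, headers["location"])):
            issues.append("redirect-https-to-http")

    body = exchange.get("body") or ""
    if body:
        refs = _RefCollector()
        refs.feed(body)
        # Mixed content: an HTTPS document loading scripts/images/styles over HTTP.
        if over_https and any(_is_http(urljoin(url, r)) for r in refs.subresources):
            issues.append("mixed-content")
        # Insecure authentication: a password form served over HTTP or posting to HTTP.
        for form in refs.forms:
            if form["password"] and (not over_https or _is_http(urljoin(url, form["action"]))):
                issues.append("insecure-authentication-via-http")
                break
        # A CSP only matters on HTML documents, so check it only when there is a body.
        if "content-security-policy" not in headers:
            issues.append("missing-csp")

    # HSTS tells returning browsers never to downgrade; applies to every HTTPS response.
    if over_https and "strict-transport-security" not in headers:
        issues.append("missing-hsts")
    return issues


def audit(exchanges):
    """Map each URL to its issues and tally how many URLs show each issue."""
    per_url = {e["url"]: check_exchange(e) for e in exchanges}
    tally = {}
    for issues in per_url.values():
        for code in issues:
            tally[code] = tally.get(code, 0) + 1
    return per_url, tally


# Constructed sample responses (placeholder hosts, not real sites).
SAMPLE_EXCHANGES = [
    {"url": "https://www.example-pharma.test/", "status": 301,
     "headers": {"Location": "http://www.example-pharma.test/home"}, "body": ""},
    {"url": "https://portal.example-pharma.test/login", "status": 200,
     "headers": {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000"},
     "body": '<html><body><script src="http://cdn.example-pharma.test/app.js"></script>'
             '<form action="http://portal.example-pharma.test/auth" method="post">'
             '<input type="password" name="pw"></form></body></html>'},
    {"url": "https://secure.example-pharma.test/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "Content-Security-Policy": "default-src 'self'"},
     "body": '<html><body><img src="/logo.png"><form action="/login" method="post">'
             '<input type="password" name="pw"></form></body></html>'},
]

if __name__ == "__main__":
    per_url, tally = audit(SAMPLE_EXCHANGES)
    for url, issues in per_url.items():
        print(url, issues or "ok")
    print(tally)
```

Relative references such as `/logo.png` are resolved against the page URL before the scheme is inspected, which is what separates the clean third sample from the second: a relative action or src inherits HTTPS, while an absolute `http://` URL on an HTTPS page is exactly the mixed-content and insecure-authentication condition the table counts.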


Conclusion

In light of these risks, the bioscience community must step up its cyber vigilance. It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.

Hackers will continue to meddle with these efforts, placing pressure on already stretched security leaders to go beyond conventional detect and respond approaches to cyber threats. Instead, they must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure — across the extended attack surface and third-party ecosystem. Only then can remediation be prioritized, and life-saving science innovation assured.
