BitSight Data Highlights Vaccine Developer Vulnerabilities
Jake Olcott | July 17, 2020
As the biomedical community rushes to develop vaccines to combat COVID-19, malicious actors are seeking to steal the sensitive intellectual property that underpins treatment.
In light of these threats, BitSight seeks to understand how the world’s Covid-19 vaccine manufacturers are performing when it comes to cybersecurity. For this study, we looked at 17 companies of varying size who have been publicly recognized for playing a big role in the global search for a Covid-19 vaccine. Five of these companies have more than 100,000 employees, four companies have between 10,000 and 100,000 employees, four companies have between 1,000 and 2,000 employees and four companies have 200 or fewer employees.
For these companies, we find a number of security issues (as of June 1, 2020). These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern.
This week, the UK's National Cyber Security Centre (NCSC) said Russian hackers “almost certainly" operating as "part of Russian intelligence services" used malware to try and steal information relating to Covid-19 vaccine development. According to the NCSC, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified.
Months ago, the FBI announced that, in a bid to win the race for a vaccine or cure, state-sponsored Chinese hackers are targeting U.S. researchers in an attempt to “obtain valuable intellectual property and public health data related to vaccines, treatments, and testing.” And in May, Reuters reported that Iran-linked hackers had targeted Gilead Sciences, makers of the promising antiviral drug Remdesivir.
Our primary findings can be divided into four categories: Compromised Systems, Open Ports, Vulnerabilities and Web Application Security. We provide some background information on each of these issues below.
A Compromised System, according to our definition, is a machine running malicious software (e.g. a member of a botnet) or a machine running software that the user likely did not intentionally install, i.e. Potentially Unwanted Applications (PUA), or in our parlance “Potentially Exploited”. We also track computers which send spam and computers behaving in abnormal ways (Unsolicited Communications); both types of behavior are also indicative of a compromised machine.
Looking at the recent history of these companies, we see that a significant fraction of these companies have had Compromised Systems in the past year.
[Chart: share of companies with Compromised Systems in the past year and in the past six months]
The presence of compromised systems is evidence of security controls failing to prevent malicious or unwanted software from running within an organization. This suggests that there are control failures that could potentially be exploited by adversaries seeking access.
An Open Port means that a system exposes an insecure service to the open internet. Generally these types of services should either never be used or never be exposed outside of a company’s firewall. For example, Telnet is a service which allows users to access another computer over an unencrypted connection. Database technologies such as MySQL should always be behind a company’s firewall. Exposing these services allows an attacker to identify potential access points into a company’s network.
The table below shows some of the services that we found running on IP addresses associated with these companies.
[Table: exposed services found, including Exposed Databases (MySQL, MS SQL or PostgreSQL)]
None of the services listed above should be exposed outside of a company’s firewall. Of these services, Microsoft RDP is one of the most worrisome. Last year, the BlueKeep vulnerability (see BitSight’s blog post on it) impacted a large number of systems running RDP. More ominously, ransomware operators are probing exposed RDP devices to try to infect corporate networks (see here for more information).
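As an added illustration of the Open Port category (this is editor-supplied example code, not BitSight's tooling), the script below parses a constructed nmap "grepable" (-oG) scan of a company's own external ranges and flags open ports that carry the services named above. The port-to-service mapping is an assumption; the scan lines are constructed.

```python
import re
from dataclasses import dataclass

# Services the post says should never be reachable from the public internet.
# Assumed default ports; a real inventory should key on the fingerprinted service.
NEVER_EXPOSE = {
    23: "Telnet (unencrypted remote login)",
    3306: "MySQL",
    1433: "MS SQL Server",
    5432: "PostgreSQL",
    3389: "Microsoft RDP",
}

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str

# nmap -oG port field: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(open|filtered|closed)/tcp/[^/,]*/([^/,]*)/")

def parse_grepable(lines):
    """Yield (host, port, state, service_name) for every port in a -oG report."""
    results = []
    for line in lines:
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                        # comments and down hosts
        host = line.split()[1]
        ports_part = line.split("Ports:", 1)[1]
        for port, state, name in PORT_RE.findall(ports_part):
            results.append((host, int(port), state, name))
    return results

def find_exposures(lines):
    """Return only open ports whose service the post classes as never-expose."""
    return [Exposure(host, port, NEVER_EXPOSE[port])
            for host, port, state, _ in parse_grepable(lines)
            if state == "open" and port in NEVER_EXPOSE]

# Constructed sample report (documentation range 192.0.2.0/24, not real hosts).
SAMPLE_SCAN = [
    "# Nmap 7.80 scan initiated (constructed sample)",
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///",
    "Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server///",
    "Host: 192.0.2.12 ()\tPorts: 3306/filtered/tcp//mysql///, 5432/open/tcp//postgresql///",
]

if __name__ == "__main__":
    for e in find_exposures(SAMPLE_SCAN):
        print(f"{e.host}:{e.port} exposes {e.service}")
```

A filtered port (the MySQL entry on the third host) is not reported, since the firewall is doing its job there.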
A Vulnerability means that the company has a machine exposed to the internet which can be shown to possess a known software bug. A large fraction of known vulnerabilities are tracked using the CVE system (CVE = Common Vulnerabilities and Exposures) and most of these can be found in the National Vulnerability Database (NVD) run by NIST. Vulnerabilities with CVE numbers are given a score (CVSS score) which provides an estimate of how severe the vulnerability is.
BitSight collects data on a wide variety of vulnerabilities. 14 of the 17 companies have vulnerabilities, six of them have very serious vulnerabilities (CVSS score > 9), and 10 companies have more than 10 different active vulnerabilities.
[Chart: companies with any vulnerabilities; companies with one or more vulnerabilities with CVSS score > 5, > 7, > 8 and > 9; companies with more than 10 active vulnerabilities]
Web Application Security Issues
Web Application Security issues are related to how well companies configure the web pages that they publish. Common errors include insecure redirects from HTTPS (secure) to HTTP (insecure), insecure authentication and mixed secure and insecure content on the same web page. Many of these companies have one or more of these issues.
Correctly configured headers protect against malicious behavior, such as man-in-the-middle (MITM) and cross-site scripting (XSS) attacks, and prevent attackers from eavesdropping and capturing sensitive data, such as credentials, corporate email, and customer data.
[Chart: companies with Insecure Authentication via HTTP; Redirect from HTTPS to HTTP; HTTP links in an HTTPS document (mixed secure and insecure content)]
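The three web application findings above can be checked against a site's own responses. The following is an added example written for this post (not BitSight's scanner): it takes a request URL plus the status, headers and body of the reply and reports an HTTPS-to-HTTP redirect, a password form served over or submitting to HTTP, and http:// references inside an HTTPS document. All sample responses are constructed.

```python
import re
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
ACTION_RE = re.compile(r"""action\s*=\s*["']([^"']+)""", re.I)
PASSWORD_RE = re.compile(r"""<input\b[^>]*type\s*=\s*["']password""", re.I)
HTTP_REF_RE = re.compile(r"""\b(?:src|href)\s*=\s*["'](http://[^"']+)""", re.I)

def check_redirect(url, status, headers):
    """Flag a 3xx reply that sends an HTTPS request to an HTTP Location."""
    target = urljoin(url, headers.get("Location", ""))
    if status in REDIRECT_CODES and urlparse(url).scheme == "https" \
            and urlparse(target).scheme == "http":
        return [f"Redirect from HTTPS to HTTP: {url} -> {target}"]
    return []

def check_insecure_auth(url, body):
    """Flag a password form that is served over HTTP or submits to an HTTP action."""
    findings = []
    for form in FORM_RE.findall(body):
        if not PASSWORD_RE.search(form):
            continue
        m = ACTION_RE.search(form)
        action = urljoin(url, m.group(1)) if m else url   # no action: posts to itself
        if urlparse(action).scheme != "https":
            findings.append(f"Insecure authentication via HTTP: credentials posted to {action}")
    return findings

def check_mixed_content(url, body):
    """Flag http:// src/href references inside a document served over https://."""
    if urlparse(url).scheme != "https":
        return []
    return [f"HTTP link in HTTPS document: {ref}" for ref in HTTP_REF_RE.findall(body)]

def audit(url, status, headers, body):
    return (check_redirect(url, status, headers)
            + check_insecure_auth(url, body)
            + check_mixed_content(url, body))

# Constructed sample responses (example.test is a reserved name, not a real site).
SAMPLES = [
    ("https://example.test/", 302, {"Location": "http://example.test/home"}, ""),
    ("http://example.test/login", 200, {},
     '<form action="/login" method="post"><input type="password" name="pw"></form>'),
    ("https://example.test/portal", 200, {},
     '<script src="http://cdn.example.test/app.js"></script><a href="https://example.test/x">ok</a>'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in audit(*sample):
            print(finding)
```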
In light of these risks, the bioscience community must step up its cyber vigilance. It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.
Hackers will continue to meddle with these efforts, placing pressure on already stretched security leaders to go beyond conventional detect and respond approaches to cyber threats. Instead, they must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure — across the extended attack surface and third-party ecosystem. Only then can remediation be prioritized, and life-saving science innovation assured.