Security Performance Management

BitSight Data Highlights Vaccine Developer Vulnerabilities

Jake Olcott | July 17, 2020

As the biomedical community rushes to develop vaccines to combat COVID-19, malicious actors are seeking to steal the sensitive intellectual property that underpins treatment.

In light of these threats, BitSight seeks to understand how the world’s Covid-19 vaccine manufacturers are performing when it comes to cybersecurity.  For this study, we looked at 17 companies of varying size who have been publicly recognized for playing a big role in the global search for a Covid-19 vaccine. Five of these companies have more than 100,000 employees, four companies have between 10,000 and 100,000 employees, four companies have between 1,000 and 2,000 employees and four companies have 200 or fewer employees.

For these companies, we find a number of security issues (as of June 1, 2020). These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern.

Background

This week, the UK's National Cyber Security Centre (NCSC) said Russian hackers “almost certainly" operating as "part of Russian intelligence services" used malware to try and steal information relating to Covid-19 vaccine development. According to the NCSC, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified.

Months ago the FBI announced last week that, in a bid to win the race for a vaccine or cure, state-sponsored Chinese hackers are targeting U.S. researchers in an attempt to “obtain valuable intellectual property and public health data related to vaccines, treatments, and testing.”  And in May, Reuters reported that Iran-linked hackers had targeted Gilead Sciences, makers of the promising antiviral drug Remdesivir.

Security Issues

Our primary findings can be divided into four categories: Compromised Systems, Open Ports , Vulnerabilities and Web Application Security. We provide some background information on each of these issues below.

Compromised Systems

A Compromised System according to our definition is a machine running malicious software (e.g. a member of a Botnet) or a system running software that user likely did not intentionally install i.e. Potentially Unwanted Software (PUA) or in our parlance “Potentially Exploited”). We also track computers which send Spam and computers behaving in abnormal ways (Unsolicited Communications) - both types of behaviors are also indicative of a compromised machine.

Looking at the recent history of these companies, we see that a significant fraction of these companies have had Compromised Systems in the past year.

Risk Vector

Companies impacted in the past year

Companies impacted in the past six months

Botnet

8

7

Potentially Exploited

9

8

Spam

5

3

Unsolicited Communications

3

3

 

The presence of compromised systems is evidence of security controls failing to prevent malicious or unwanted software from running within an organization. This suggests that there are control failures that could potentially be exploited by adversaries seeking access.

Open Ports

An Open Port is a system which exposes insecure service to the open internet. Generally these types of services should either never be used or never exposed outside of a company’s firewall. For example, Telnet is a service which allows users to access another computer using an unencrypted connection. Database technologies such as MySQL should always be behind a company’s firewall. Exposing these services allows an attacker to identify potential access points into a company’s network.

The table below shows some of the services that we found running on IP addresses associated with these companies.

Service

Company Count

Cisco SMI

2

Recursive DNS

4

Telnet

5

Microsoft RDP

7

Exposed Printers

1

SMB

4

Exposed Databases MySQL, MS SQL or Postgres SQL

5

VNC

1

LDAP

7

 

None of the services listed above should be exposed outside of a company’s firewall. Of these services, Microsoft RDP is one of the most worrisome. Last year, the BlueKeep vulnerability (see BitSight’s blog post on it) impacted a larger number of systems running RDP. More ominously, Ransomware operators are probing exposed RDP devices to try to infect corporate networks (see here for more information).

Vulnerabilities

A Vulnerability means that the company has a machine exposed to the internet which can be shown to possess a known software bug. A large fraction of known vulnerabilities are tracked using the CVE system (CVE = Common Vulnerabilities and Disclosures) and most of these can be found in the NVD database run by NIST. Vulnerabilities with CVE numbers are given a score (CVSS score) which provides an estimate of how severe the vulnerability is.

BitSight collects data on a wide variety of vulnerabilities. 14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.

Companies with any vulnerabilities

14

Companies with one of more vulnerabilities with CVSS score > 5

11

Companies with one of more vulnerabilities with CVSS score > 7

6

Companies with one of more vulnerabilities with CVSS score > 8

6

Companies with one of more vulnerabilities with CVSS score > 9

6

Companies with more than 10 active vulnerabilities

10

 

Web Application Security Issues

Web Application Security issues are related to how well companies configure the web pages that they publish. Common errors include insecure redirects from HTTPS (secure) to HTTP (insecure), insecure authentication and mixed secure and insecure content on the same web page. Many of these companies have one of more of these issues.

Correctly configured headers protects against malicious behavior, such as man-in-the-middle (MITM) and cross-site scripting (XSS) attacks, and prevents attackers from eavesdropping and capturing sensitive data, such as credentials, corporate email, and customer data.

Issue

Company Count

Insecure Authentication via HTTP

5

Redirect from HTTPS to HTTP

10

HTTP links in an HTTPS document (mixed secure and insecure content)

15

 

Conclusion

In light of these risks, the bioscience community must step up its cyber vigilance. It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.

Hackers will continue to meddle with these efforts, placing pressure on already stretched security leaders to go beyond conventional detect and respond approaches to cyber threats. Instead, they must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure — across the extended attack surface and third-party ecosystem. Only then can remediation be prioritized, and life-saving science innovation assured.

Read our white paper to learn more about how you can protect your attack surface.

New call-to-action

Suggested Posts

Lessons Learned From The Garmin Cyberattack

In the cybersecurity industry we deal with news of breaches or potential threats nearly every day, but when you really think about it, it’s bizarrely rare how little these events impact our everyday lives. Yes, they impact the professional...

READ MORE »

What is Digital Risk Protection?

Digital risk protection (DRP) solutions can be powerful operational tools for security analysts and threat researchers looking to identify and address existing cyber risk exposures quickly. While these solutions can provide valuable...

READ MORE »

Enhance Vulnerability Mitigation With Security Performance Management

Did you know that 60% of breaches involve vulnerabilities for which a patch was available but not applied? Now, as business-targeted cyber attacks are on the rise, the ability to mitigate security vulnerabilities quickly and effectively is...

READ MORE »

Subscribe to get security news and updates in your inbox.