Research Shows COVID-19 Research Organizations Are at Risk of Cyberattacks

The biomedical community is spending a lot of time creating a vaccine to protect against SARS-CoV-2 and finding new cures for COVID-19. Cybercriminal groups and nation-state hackers are focusing their campaigns on those organizations to steal research information.

Recently, security agencies in Canada, the United States, and the United Kingdom published an advisory regarding attacks by Russian state-sponsored hackers on institutions engaged in COVID-19 research and vaccine development. The agencies found that the APT29 Russian hacking group was actively scanning the external IP addresses of organizations engaged in COVID-19 research and vaccine development, and stated that the group is connected with the Russian intelligence services.

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI also released a joint advisory stating that hackers associated with China were conducting the same kind of attacks on pharmaceutical firms and academic research centers to obtain intellectual property and sensitive information relevant to COVID-19. There were also reports of hackers from Iran carrying out similar attacks.

Considering the latest attacks and targeting of research centers, BitSight carried out an investigation to assess how well COVID-19 vaccine producers and biomedical firms are able to protect their programs and information from hackers. BitSight researchers evaluated 17 firms that played a big role in COVID-19 research and vaccine development, ranging from small companies with fewer than 200 workers to large companies with over 200,000 workers.

BitSight discovered a number of security weaknesses that hackers could exploit to access data related to intellectual property, the vaccine and the COVID-19 research. The weaknesses fall into four areas: open ports, web application security, unpatched vulnerabilities, and systems that were already compromised.

BitSight discovered that 8 of the 17 firms had compromised systems last year, with their computers made part of a botnet; seven firms had computers included in a botnet in the last 6 months. BitSight also looked for software running on the systems that had not been installed by the firms: nine companies had these Potentially Unwanted Programs (PUPs) on their systems, and 8 firms had PUPs installed in the last 6 months. Five firms had computers used to send spam, and the investigators discovered unsolicited messages at three firms. Compromised systems indicate a failure of the companies' security controls and the likelihood that the companies may be, or were already, breached by people trying to get access to COVID-19 data.

Most firms had open ports exposing insecure services to the internet, including 7 firms with exposed Microsoft RDP and 7 more with exposed LDAP. 5 firms had exposed MySQL, MS SQL or PostgreSQL databases and 5 more had an exposed Telnet service. The exposed Microsoft RDP was of particular concern because hackers and ransomware groups actively look for exposed RDP devices.

Of the 17 firms, 14 had unpatched vulnerabilities that hackers could potentially exploit remotely. 10 firms had over 10 unpatched vulnerabilities, and 6 of those had unpatched vulnerabilities with a CVSS score greater than 9.
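The two preceding paragraphs describe the kind of external-exposure findings (internet-facing RDP, LDAP, Telnet and database services, plus unpatched vulnerabilities with CVSS scores above 9) that a firm would want to triage first. The following Python script is an added example, not BitSight's tooling or code from the article: it takes a list of scan findings and ranks them so that critical-CVSS vulnerabilities and exposed remote-access services surface at the top. The hosts, ports and scores are constructed sample data, and the service list and the 9.0 threshold are this example's assumptions drawn from the services the article names.

```python
"""Rank external-exposure findings for remediation.

Added example (not from the article). Sample data is constructed; the
service-to-severity map and CVSS threshold are assumptions based on the
services the article lists as exposed.
"""
from dataclasses import dataclass, field

# Services that should not be reachable from the public internet.
# Assumption: mirrors the services the assessment found exposed.
RISKY_SERVICES = {
    3389: ("Microsoft RDP", "high"),
    389: ("LDAP", "high"),
    23: ("Telnet", "high"),
    3306: ("MySQL", "high"),
    1433: ("MS SQL", "high"),
    5432: ("PostgreSQL", "high"),
}
CRITICAL_CVSS = 9.0  # the article's "greater than 9" band, treated as >= 9.0 here

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    """One open port on one host, with CVSS scores of any unpatched CVEs on it."""
    host: str
    port: int
    cvss_scores: list = field(default_factory=list)


def triage(findings):
    """Return (host, port, issue, severity) tuples, most urgent first."""
    results = []
    for f in findings:
        if f.port in RISKY_SERVICES:
            name, sev = RISKY_SERVICES[f.port]
            results.append((f.host, f.port, f"{name} exposed to the internet", sev))
        for score in f.cvss_scores:
            sev = "critical" if score >= CRITICAL_CVSS else "medium"
            results.append((f.host, f.port, f"unpatched vulnerability CVSS {score}", sev))
    # Stable sort: severity first, then host and port for a readable report.
    results.sort(key=lambda r: (SEVERITY_ORDER[r[3]], r[0], r[1]))
    return results


def summarize(findings):
    """Headline counts: hosts with risky services, hosts with critical CVEs."""
    risky_hosts = {f.host for f in findings if f.port in RISKY_SERVICES}
    critical_hosts = {
        f.host for f in findings if any(s >= CRITICAL_CVSS for s in f.cvss_scores)
    }
    return {"risky_service_hosts": len(risky_hosts),
            "critical_cvss_hosts": len(critical_hosts)}


# Constructed sample scan output (documentation-range addresses, not real hosts).
SAMPLE = [
    Finding("203.0.113.10", 3389),              # RDP open to the internet
    Finding("203.0.113.10", 443, [9.8, 5.3]),   # web server with one critical CVE
    Finding("203.0.113.11", 23),                # Telnet open
    Finding("203.0.113.12", 80, [7.5]),         # high but not critical
]

if __name__ == "__main__":
    for host, port, issue, sev in triage(SAMPLE):
        print(f"{sev:8} {host}:{port:<5} {issue}")
    print(summarize(SAMPLE))
```

Running the script prints the critical CVSS 9.8 finding first, then the two exposed remote-access services, then the remaining medium items; the summary counts hosts rather than findings, which is the granularity the article reports at.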

Web application security concerns were also prevalent, for example insecure redirects from HTTPS to HTTP, a mix of secure and insecure content on websites, and insecure authentication. Many of the firms had at least one web application security problem. These weaknesses put the companies at risk of cross-site scripting and man-in-the-middle attacks, which could allow hackers to capture sensitive information, steal credentials, and compromise email systems.
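To make the three web-application weaknesses above concrete, here is an added Python example (not code from the article or from BitSight) that inspects a single captured HTTPS response and flags an HTTPS-to-HTTP redirect, mixed content (plain-HTTP scripts, images or frames loaded into a secure page), a login form that posts over plain HTTP, and session cookies set without the Secure flag. The two responses it checks are constructed samples with made-up hostnames; no network access is needed.

```python
"""Flag common HTTPS misconfigurations in a captured response.

Added example (not from the article). The responses below are constructed
samples; hostnames such as lab.example and cdn.example are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _Scanner(HTMLParser):
    """Collect plain-HTTP sub-resources and form actions from an HTML body."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []   # http:// URLs loaded into an https page
        self.forms = []   # resolved form action URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe"):
            ref = a.get("src")
        elif tag == "link":
            ref = a.get("href")
        else:
            ref = None
        if ref and urlparse(urljoin(self.page_url, ref)).scheme == "http":
            self.mixed.append(ref)
        if tag == "form":
            self.forms.append(urljoin(self.page_url, a.get("action") or ""))


def check_response(page_url, status, headers, body):
    """Return a list of (issue, detail) pairs for one response.

    headers is a list of (name, value) pairs so repeated Set-Cookie survives.
    """
    issues = []
    if urlparse(page_url).scheme != "https":
        return [("not-https", page_url)]
    hdrs = [(k.lower(), v) for k, v in headers]

    # 1. Redirect from HTTPS back to HTTP: session downgraded for a MITM.
    if 300 <= status < 400:
        for k, v in hdrs:
            if k == "location" and urlparse(urljoin(page_url, v)).scheme == "http":
                issues.append(("insecure-redirect", v))

    # 2. Cookies without Secure can be replayed over a later HTTP request.
    for k, v in hdrs:
        if k == "set-cookie":
            attrs = [p.strip().lower() for p in v.split(";")[1:]]
            if "secure" not in attrs:
                issues.append(("cookie-without-secure", v.split("=", 1)[0]))

    # 3. Mixed content and forms that submit credentials over plain HTTP.
    scanner = _Scanner(page_url)
    scanner.feed(body)
    issues.extend(("mixed-content", u) for u in scanner.mixed)
    issues.extend(("form-posts-over-http", u) for u in scanner.forms
                  if urlparse(u).scheme == "http")
    return issues


# Constructed samples: a downgrading redirect and a page with several problems.
SAMPLE_REDIRECT = ("https://lab.example/login", 302,
                   [("Location", "http://lab.example/login")], "")
SAMPLE_PAGE = (
    "https://lab.example/portal", 200,
    [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
     ("Content-Type", "text/html")],
    '<html><head><script src="http://cdn.example/app.js"></script></head>'
    '<body><form action="http://lab.example/auth" method="post">'
    '<input name="pw" type="password"></form>'
    '<img src="/logo.png"></body></html>',
)

if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_PAGE):
        print(sample[0], check_response(*sample))
```

The relative `/logo.png` resolves to `https://` and is therefore not reported, while the absolute `http://cdn.example/app.js` script is: mixed content is judged on the resolved scheme, not on the raw attribute text. In practice the same function would be run over responses recorded from each public host in the firm's attack surface.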

Knowing about these threats, the bioscience community needs to improve its cyber vigilance. A hacker could gain access to systems through a single piece of misconfigured software, an unintentionally exposed port, or a vulnerable remote-office system and obtain scientific data, intellectual property, and the personal information of individuals enrolled in clinical trials. Companies should review basic cybersecurity hygiene practices and adopt established, efficient methods to continually find and address risk exposure across the expanded attack surface and third-party environment, so that remediation is prioritized and life-saving science can proceed.