In a recently released report by the UK National Cyber Security Centre (NCSC), whose findings have been backed by Canada’s Communications Security Establishment (CSE) and the US NSA and CISA (Cybersecurity and Infrastructure Security Agency), the agency has warned about active cyber attacks targeting biomedical organizations that are involved in the development of a COVID-19 vaccine.
On Friday, BitSight researchers shared the results of a study that looked for detectable security issues at a number of companies who play a big role in the global search for a vaccine, and found compromised systems, open ports, vulnerabilities and web application security issues.
Biomedical orgs under attack
The report details recent tactics, techniques and procedures (TTPs) used by APT29 (aka “Cozy Bear”), which the NCSC and the CSE believe to be “almost certainly part of the Russian intelligence services.”
The agencies believe that the group is after information and intellectual property relating to the development and testing of COVID-19 vaccines.
“In recent attacks (…), the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified,” the report states.
Among the flaws exploited by the group are CVE-2019-19781 (affecting Citrix’s Application Delivery Controller (ADC) and Gateway), CVE-2019-11510 and CVE-2018-13379 (affecting Pulse Secure VPN endpoints and Fortigate SSL VPN installations, respectively) and CVE-2019-9670 (affecting the Synacor Zimbra Collaboration Suite).
The group also uses spear-phishing to obtain authentication credentials to internet-accessible login pages for target organizations.
After achieving persistence through additional tooling or legitimate credentials, APT 29 uses custom malware (WellMess and WellMail) to execute arbitrary shell commands, upload and download files, and run commands or scripts with the results being sent to a hardcoded Command and Control server. They also use some malware (SoreFang) that has been previously used by other hacking groups.
The report did not identify the targeted organizations nor did it say whether the attacks were successful and whether any information and IP has been stolen.
Biomedical orgs open to cyber attacks
As many security researchers pointed out, Russian cyber espionage groups aren’t the only ones probing these targets, so these organizations should ramp up their security efforts.
BitSight researchers have recently searched for security issues that attackers might exploit. They’ve looked at 17 companies of varying size that are involved in the search for a COVID-19 vaccine, and found:
- 25 compromised or potentially compromised machines (systems running malware/bots, potentially unwanted applications, spam-sending machines and computers behaving in abnormal ways) in the past year
- A variety of open ports (i.e., exposed insecure services that should be never exposed outside of a company’s firewall): Telnet, Microsoft RDP, printers, SMB, exposed databases, VNC, etc., which can become access points into a company’s network
- Vulnerabilities. “14 of the 17 companies have vulnerabilities and six of them have very serious vulnerabilities (CVSS score > 9). 10 companies have more than 10 different active vulnerabilities.”
- 30 web application security issues (e.g., insecure authentication via HTTP, insecure redirects from HTTPS to HTTP, etc.) that could be exploited by attackers to eavesdrop on and capture sensitive data, such as credentials, corporate email, and customer data.
“These findings are not abnormal when compared to other groups of large companies (e.g. the Fortune 1000), but given the heightened threat environment, they do provide cause for concern,” the researchers pointed out.
“It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”