
Grappling with COVID-Themed Cyber Attacks: Pharmaceutical Sector

The pharmaceutical industry has been in the crosshairs of cyber attacks more frequently than ever in the last few years. The industry appeals to financially motivated cybercriminals because it generates and manages some of the most sensitive data. State-sponsored actors, backed by governments and intent on settling scores with other countries, target their healthcare industries. In the event of a full-scale cyber attack, the pharmaceutical sector could incur huge losses, both financially and in terms of its invaluable data. The stolen data, which includes intellectual property (IP) and patient information, is then invariably sold on the dark web or held “hostage” for ransom.

As a result, the affected organization sustains:

  • Legal penalties,
  • Fines,
  • Damage to business and brand reputation,
  • Loss of customer confidence,
  • Declining revenue,
  • Network and utility outages,
  • Risk of supply chain disruption.

Recent COVID-Themed Cyber Attacks by Region

India and APAC

Indian pharmaceutical giant Lupin confirmed a security incident that impacted its IT systems in November 2020, shortly after a similar ransomware attack targeted Dr. Reddy’s Laboratories. The recent surge in cyber attacks on the Indian pharmaceutical sector is also linked to the sector’s role in delivering affordable medicine on a large scale during COVID-19.

Interestingly, the ransomware attack on Dr. Reddy’s came soon after the company received approval from the DCGI (Drugs Controller General of India) to conduct clinical trials of the Russian Sputnik-V vaccine. The personal information of individuals who participate in clinical trials is also at risk of exposure. Such attacks aim to derail the race towards a successful vaccine in India and other countries. The surge in cyber attacks against pharmaceutical companies in the APAC (Asia-Pacific) region has cost the industry close to $23 million.

Europe

From a global perspective as well, cyber criminals are increasingly targeting pharmaceutical companies. Recently, several European pharmaceutical companies, such as Swiss giant Roche, were attacked by a hacking group dubbed Blackfly. The group’s activities were traced back to China, which points to the conclusion that these attacks were state-sponsored. Blackfly, also known as the Winnti Group, deploys the Winnti malware in all of its attacks, a malware known for its use in supply chain attacks. European manufacturers BASF and Henkel were also victims of the same ransomware group.

Moreover, drug regulators such as the EMA (European Medicines Agency) have not been spared either. The EU drug regulator confirmed that it was hit by a cyber attack and that the actors managed to access documents related to a COVID-19 vaccine. German biotechnology company BioNTech is developing a COVID-19 vaccine together with its strategic partner Pfizer. The pair suffered a cyber attack earlier this month and confirmed that their regulatory submission was accessed.

Although the EMA did not elaborate on the nature of the attack, it stated that a few documents related to the regulatory submission for the Pfizer and BioNTech vaccine candidate, stored on an EMA server, had been viewed. The timing of these attacks was notable: the EMA was working on approval for two COVID-19 vaccines, and the attacks could have had devastating effects on the entire process.

America 

The US drug regulator, the FDA (Food and Drug Administration), however, outsmarted threat actors looking to steal data from it and had sensitive COVID-19 related documents delivered to it physically by FBI agents.

Experts across the globe have traced most COVID-related attacks on pharmaceutical companies back to China, North Korea, and Russia. Although the victims of these attacks have not been named, we can confirm that at least some of these companies were infiltrated successfully.

Countries including India, the UK, the US, Canada, France and South Korea are at different stages of clinical trials and development of COVID-19 vaccines, and all have been targeted by threat groups during this global health crisis. Reports have attributed the attacks to the Russia-based threat group Strontium and the North Korean threat actors Zinc and Cerium. Methods believed to be part of their tactics include password spray and brute-force attacks to steal login credentials (Strontium) and spear-phishing and fake job offers (Zinc). In one recent example, the operators behind Cerium sent spear-phishing emails masquerading as World Health Organization (WHO) officials.

The Way Out 

Businesses should identify their most important digital assets, as well as the critical assets that keep business operations and product development running. This includes identifying critical data, where it is located, who has access to it, the network on which mission-critical data resides, and what makes it attractive to threat actors. Once the critical assets are identified, organizations should segregate and protect them.

They should also allocate budget for a well-rounded security system that covers intrusion detection systems and threat intelligence software, which keeps them updated on the status of their assets. With the help of a SaaS-based vulnerability alerting platform such as CloudSEK’s XVigil, your organization is equipped to protect its data, brand, and internet-exposed infrastructure against imminent cyber threats and breaches.

The Upsurge of Digital Fingerprints in Underground Marketplaces

Digital fingerprints are unique slices of information about the software and hardware components of each device, together with the user’s distinguishable characteristics. Device fingerprinting gathers information about a computer to identify an individual user, treating the fingerprint as a digital asset.

A device’s fingerprints include its:

  • IP address (external and local),
  • Screen information (screen resolution, window size),
  • Firmware version,
  • Operating system version,
  • Browser plugins installed,
  • Timezone,
  • Device ID,
  • Battery information,
  • Audio system fingerprint,
  • GPU info,
  • WebRTC IPs,
  • TCP/IP fingerprint,
  • Passive SSL/TLS analysis,
  • Cookies, and many more.

Digital fingerprints also include attributes of individual users: their social network accounts (through third-party cookie tracking) and various aspects of their behavior:

  • Time spent on e-commerce websites
  • Website click locations
  • Items of interest, the typical amount of money spent on such items, virtual or real merchandise, etc.
  • Mouse/touchscreen behavior
  • System configuration changes

Underground marketplaces tout digital identities

SIRIUS Shop is a private online marketplace run by cybercriminals that trades stolen digital fingerprints. This new Russian underground marketplace, SIRIUS Shop Online, sells tens of thousands of compromised digital fingerprints, enabling threat actors to commit online fraud. At the moment it offers more than 20,000 stolen profiles. These profiles include browser fingerprints, website user logins and passwords, cookies, and credit card information. The price of a profile varies from $1 to $27, depending largely on the value of the information it contains. SIRIUS has been active since June 2020 and also helps sellers set up their own shop on the market. The operators advertise the availability of these digital fingerprints on one of the underground carding forums.

SIRIUS Shop sells:

  • Credit card details
  • Dumps
  • SSN
  • Scan ID, DL
  • Logs bot full dump
  • SHELL
  • CRM Panel
  • CMS Panel
  • Emails and password databases

Figure: SIRIUS Home page

Bot Profile Dumps

The operators of SIRIUS Shop deliver malware that steals digital fingerprints from user devices, along with other information such as user account credentials and browser cookies for online payment portals, shops and even bank accounts. Such digital assets are then sold on the underground forum.

Users who were infected with malware in the past or installed rogue browser extensions have unknowingly had their account passwords and full browser details recorded and sent to the SIRIUS operators. In some cases the operators also acquire information via web injects, form grabbers, and passwords saved in browsers. They scour for more such data, and for updates to it, which is then pushed to their online underground store.

Each user profile includes login credentials for their accounts on online payment portals, e-banking services, file-sharing, or social networking services. It also comprises the cookies associated with those accounts, browser user-agent details, WebGL signatures, HTML5 canvas fingerprints, and other browser and PC details.

The user profiles are then imported into SIRIUS Shop, where they are indexed; cybercriminals can then run a simple search by parameter to find the types of profiles they are interested in.

Figure: SIRIUS Store page

SIRIUS Store has a configurable search panel that allows threat actors to track down specific user fingerprints. One can search for credentials for a particular website, by the victim’s country or operating system, or by the date the profile first appeared on the market.

Figure: SIRIUS Search Panel

These logs give threat actors leeway and make credit card fraud easier. The marketplace sells digital identities along with stolen credentials for online shops and payment services that were exposed previously. Anyone who gets hold of such digital assets can load them into a browser behind a proxy connection to masquerade as the real user and commit fraud undetected. In this way the attacker can access the victim’s online accounts or make new, trusted transactions in their name. The victim’s social media accounts are also susceptible.
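The replay just described, a stolen cookie presented from another machine through a proxy, is something a site can detect on its own side by comparing the fingerprint attributes bound to the session at login with those presented now. This is an added example, not code from the original post or from any product it mentions; the attribute names, weights, thresholds and sample profiles are constructed assumptions.

```python
import hashlib
import json

# Fingerprint attributes of the kind listed in the post. Weights are assumptions:
# a changed OS or GPU is far rarer for a genuine user than a changed IP country.
FINGERPRINT_WEIGHTS = {
    "user_agent": 3, "os": 4, "timezone": 2, "screen": 2,
    "webgl": 3, "canvas": 3, "ip_country": 2,
}

def fingerprint_hash(attrs):
    """Canonical hash of the attributes a site would bind to a session at login."""
    subset = {k: attrs.get(k, "") for k in FINGERPRINT_WEIGHTS}
    return hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()

def session_drift(baseline, current):
    """Compare the fingerprint bound at login with the one presented alongside the
    session cookie now. Returns (risk score, list of attributes that changed)."""
    changed = [k for k in FINGERPRINT_WEIGHTS if baseline.get(k) != current.get(k)]
    return sum(FINGERPRINT_WEIGHTS[k] for k in changed), changed

def decide(score, step_up_at=3, deny_at=8):
    """Map the drift score to an action; the thresholds are assumptions."""
    if score >= deny_at:
        return "deny"      # invalidate the session and force a fresh login
    if score >= step_up_at:
        return "step_up"   # require a second factor before continuing
    return "allow"

# Constructed sample profiles (not real data).
LOGIN_FP = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; rv:84.0) Gecko/20100101 Firefox/84.0",
    "os": "Windows 10", "timezone": "Asia/Kolkata", "screen": "1920x1080",
    "webgl": "ANGLE (Intel HD Graphics 620)", "canvas": "canvas-hash-A", "ip_country": "IN",
}
# Same person, same laptop, connecting from abroad: only the IP country changed.
TRAVELLING = dict(LOGIN_FP, ip_country="AE")
# Stolen cookie replayed from another machine via a proxy in the victim's country:
# the proxy hides the IP change, but the browser and hardware signals differ.
REPLAY = dict(LOGIN_FP, user_agent="Mozilla/5.0 (X11; Linux x86_64) Chrome/87.0",
              os="Linux", timezone="Europe/Moscow", webgl="ANGLE (NVIDIA GTX 1060)")

if __name__ == "__main__":
    for label, fp in (("travelling", TRAVELLING), ("replay", REPLAY)):
        score, changed = session_drift(LOGIN_FP, fp)
        print(label, score, changed, decide(score))
```

A full profile copied with its cookies will match every attribute, so this check is a complement to the second factor the post recommends, not a replacement for it.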


Preventive Measures

For website owners

  • Install an SSL Certificate

Data is transferred constantly between the user’s browser and your web server. Without an SSL certificate, this data, including cookies, is sent in clear text, which allows an attacker to intercept it easily. Login credentials and other sensitive information in that data are thus left exposed.

SSL (Secure Sockets Layer) encrypts the data before it is transferred, so even if a hacker manages to intercept it, they will not be able to read it. You can get an SSL certificate through your web hosting company or from an SSL provider. You can also get a basic free SSL certificate from Let’s Encrypt.
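A certificate alone does not close the cookie exposure described above: a session cookie set without the Secure attribute is still sent over any plain http:// link to the same site. The following added example, not from the original post, audits a constructed set of response headers for HTTP Strict Transport Security and for cookies missing the Secure, HttpOnly and SameSite attributes; the header sample and cookie names are made up.

```python
# Constructed response headers from a hypothetical shop login endpoint (not a real
# site). The session cookie lacks Secure, so a browser also sends it over http://.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: sessionid=3f9a1c; Path=/; HttpOnly",
    "Set-Cookie: cart=42; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: _tracking=abc; Path=/; Secure",
]

def parse_set_cookie(value):
    """Split a Set-Cookie header value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name, attrs

def audit_headers(header_lines):
    """Return {"hsts": bool, "cookies": {name: [problems]}} for one response."""
    cookies = {}
    hsts = False
    for line in header_lines:
        field, sep, value = line.partition(":")
        if not sep:
            continue                     # status line, not a header field
        field = field.strip().lower()
        if field == "strict-transport-security":
            hsts = True                  # browsers then refuse plain http:// for the host
        elif field == "set-cookie":
            name, attrs = parse_set_cookie(value)
            problems = []
            if "secure" not in attrs:
                problems.append("missing Secure: sent in clear text over http://")
            if "httponly" not in attrs:
                problems.append("missing HttpOnly: readable by injected scripts")
            if "samesite" not in attrs:
                problems.append("missing SameSite: attached to cross-site requests")
            cookies[name] = problems
    return {"hsts": hsts, "cookies": cookies}

if __name__ == "__main__":
    report = audit_headers(SAMPLE_HEADERS)
    print("HSTS enabled:", report["hsts"])
    for name, problems in report["cookies"].items():
        print(name, problems or ["ok"])
```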

  • Install a Security Plugin

A security plugin’s firewall generally blocks attempts to hack your website and blocks malicious IP addresses. It also scans your site regularly and alerts you if hackers try to insert malicious code, so that you can clean up your website immediately. This helps you detect and remove such attempts before they can cause any harm.

  • Update Your Website

Update your website regularly, including the core installation, themes, and plugins. Outdated software creates vulnerable spots on a website, which in turn lure in hackers. Check for the latest updates from the vendor: these updates carry new features, address bugs in the website and fix security flaws from time to time.

For website visitors

  • Install an Effective Anti-virus

Ensure the device you use to access the internet has anti-malware software installed. It detects and alerts you to any malware found on malicious sites, and removes any malware that you might accidentally download or install on your system.

  • Never Click on Suspicious Links

Avoid clicking on suspicious links, and be especially cautious of those that advertise attractive offers or discounts.

  • Avoid Storing Sensitive Data

For a quick and convenient check-out, users tend to store their payment details (such as credit card information) on shopping websites. Some even choose to save passwords in web browsers to log in to websites automatically. These convenient options come at a great cost: never store sensitive data on websites or in browsers.

  • Clear Cookies

Remember to clear cookies regularly to get rid of any sensitive information stored in the browser.

Conclusion

Online marketplaces that trade databases and dumps are ubiquitous, and as authorities fail to keep up with such sites, more and more users have their identities stolen and sold there. Since most victims fall prey to such attempts simply through their presence on the internet, website owners should take steps to ensure a safe and secure experience on their sites. Enabling extra layers of security, such as two-factor authentication, is one way of going about it. They can also consider an additional biometric authentication method.