Grappling with COVID-Themed Cyber Attacks: Pharmaceutical Sector

The pharmaceutical industry has been in the crosshairs of cyber attacks more often than ever in the last few years. The industry appeals to financially motivated cybercriminals because it generates and manages some of the most sensitive data there is. State-sponsored actors, backed by their governments and seeking advantage over rival countries, target those countries' healthcare industries. In the event of a full-scale cyber attack, the pharmaceutical sector stands to incur huge losses, both financially and in terms of its invaluable data. That data, which ranges from a company's intellectual property (IP) to the personal information of patients, is then invariably sold on the dark web or held "hostage" for ransom.

As a result, the affected organization sustains:

  • Legal penalties,
  • Fines,
  • Damage to business and brand reputation,
  • Loss of customer confidence,
  • Declining revenue,
  • Network and utility outages,
  • Risk of supply chain disruption.

Recent COVID-Themed Cyber Attacks by Region

India and APAC

Indian pharmaceutical giant Lupin confirmed a security incident that impacted its IT systems in November 2020, shortly after a ransomware attack targeted Dr. Reddy's Laboratories. The recent surge in cyber attacks on the Indian pharmaceutical sector is also linked to its role in producing affordable medicine at scale during COVID-19.

Notably, the ransomware attack on Dr. Reddy's came soon after the company had received approval from the DCGI (Drugs Controller General of India) to conduct clinical trials of the Russian Sputnik V vaccine. The personal information of individuals who participate in clinical trials is also at risk of exposure in such incidents. Attacks of this kind aim to derail the race towards a successful vaccine in India and other countries. The surge in cyber attacks against pharmaceutical companies in the APAC (Asia-Pacific) region has cost the industry close to $23 million.

Europe

Globally, too, cybercriminals are increasingly targeting pharmaceutical companies. Several European pharmaceutical companies, including the Swiss giant Roche, were recently attacked by a hacking group dubbed Blackfly. The group's activity has been traced back to China, which points to these attacks being state-sponsored. Blackfly, also known as the Winnti Group, deploys the Winnti malware family in its attacks; this malware is known for its use in supply chain attacks. European manufacturers BASF and Henkel were also victims of the same group.

Drug regulators such as the EMA (European Medicines Agency) have not been spared either. The EMA confirmed that it was hit by a cyber attack in which the actors managed to access documents related to a COVID-19 vaccine. German biotechnology company BioNTech, which is developing a COVID-19 vaccine with its strategic partner Pfizer, confirmed earlier this month that documents relating to the pair's regulatory submission, stored on an EMA server, were accessed in that attack.

Although the EMA did not disclose the nature of the attack, it stated that a few documents related to the regulatory submission by Pfizer and BioNTech for their vaccine candidate, stored on the EMA server, had been viewed. The timing was notable: the EMA was working on the approval of two COVID-19 vaccines, and the attack could have had devastating effects on that process.

United States

The US drug regulator, the FDA (Food and Drug Administration), sidestepped threat actors seeking to steal data from it by having sensitive COVID-19 related documents delivered physically by FBI agents.

Experts across the globe have traced most COVID-related attacks on pharmaceutical companies back to China, North Korea and Russia. Although the victims of these attacks have not been named, we can confirm that at least some of the targeted companies were successfully infiltrated.

Countries such as India, the UK, the US, Canada, France and South Korea are all at different stages of developing and trialling COVID-19 vaccines, and all have been targeted by threat groups during this global health crisis. Reports have attributed the attacks to the Russia-based threat group Strontium and the North Korean threat actors Zinc and Cerium. Strontium is believed to use password spraying and brute-force attacks to steal login credentials, while Zinc relies on spear-phishing, including fake job offers. In one recent phishing campaign, the operators behind Cerium sent spear-phishing emails masquerading as World Health Organization (WHO) officials.
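The password spraying and brute-force credential attacks attributed to Strontium above look different in authentication logs, and that difference is what a detection rule keys on. The following is an added example, not code from the original post or from any organisation it names: it parses a constructed, simplified login log, flags a source that fails against many accounts (spraying) or many times against one account (brute force), and reports any successful login from that source afterwards as a possible compromise. The log format and the thresholds are assumptions chosen for illustration.

```python
"""Sort failed-login bursts into password spraying vs brute force.

Added example (not from the original post). The log format below is a
constructed, simplified one, "<UTC timestamp> <OK|FAIL> user=<name> src=<ip>",
and the thresholds are illustrative assumptions, not values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one source trying a single guess against many accounts
# (spray) and then logging in as one of them, a second source hammering one
# account (brute force), and one benign typo-then-success from a third IP.
SAMPLE_LOG = """\
2020-11-02T09:00:01Z FAIL user=alice src=203.0.113.7
2020-11-02T09:00:02Z FAIL user=bob src=203.0.113.7
2020-11-02T09:00:03Z FAIL user=carol src=203.0.113.7
2020-11-02T09:00:04Z FAIL user=dave src=203.0.113.7
2020-11-02T09:00:05Z FAIL user=erin src=203.0.113.7
2020-11-02T09:00:06Z OK user=frank src=203.0.113.7
2020-11-02T09:10:00Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:01Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:02Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:03Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:04Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:05Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:06Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:07Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:08Z FAIL user=grace src=198.51.100.9
2020-11-02T09:10:09Z FAIL user=grace src=198.51.100.9
2020-11-02T09:30:00Z FAIL user=heidi src=192.0.2.44
2020-11-02T09:30:30Z OK user=heidi src=192.0.2.44
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), spray_min_users=5, brute_min_attempts=10):
    """Flag each source IP whose failures, inside any `window`, hit either threshold.

    password_spray: one source, few attempts each, against many distinct accounts.
    brute_force:    one source, many attempts against a single account.
    Any successful login from a flagged source after its first suspicious
    failure is reported as a possible compromise (the credential the attack found).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in sorted(by_src.items()):
        fails = [e for e in evs if not e["ok"]]
        kinds, first_bad = set(), None
        for i, start in enumerate(fails):
            # All failures from this source within `window` of the i-th one.
            in_win = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e["user"]] += 1
            if len(per_user) >= spray_min_users:
                kinds.add("password_spray")
            if max(per_user.values(), default=0) >= brute_min_attempts:
                kinds.add("brute_force")
            if kinds and first_bad is None:
                first_bad = start["ts"]
        if not kinds:
            continue
        compromised = sorted({e["user"] for e in evs if e["ok"] and e["ts"] >= first_bad})
        findings.append({"src": src, "kinds": sorted(kinds), "possible_compromise": compromised})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

A real spray is usually slow, a handful of attempts per account spread over hours to stay under lockout thresholds, so in practice the window is lengthened and the low per-account count is what separates it from a brute-force run; the source IP should also be joined against known VPN and proxy ranges, since the same actor rotates sources.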

The Way Out 

Businesses should identify their most important digital assets as well as the critical assets on which smooth business operations and product development depend. This means knowing what the critical data is, where it is located, who has access to it, which network segment it resides on, and what about it would attract a threat actor. Once the critical assets are identified, organizations should segregate them and protect them accordingly.

They should also budget for a well-rounded security programme that includes intrusion detection systems and threat intelligence tooling, which keeps them updated on the status of their assets. With the help of a SaaS-based vulnerability alerting platform such as CloudSEK's XVigil, an organization is equipped to protect its data, brand and internet-exposed infrastructure against imminent cyber threats and breaches.

How Browser Extensions Can Exploit User Activities for Malicious Operations

What are browser extensions?

Browser extensions are mini-applications that add more features and functionalities to the browser. Some of the most common extensions are ad blockers, password managers, grammar check extensions, screenshot creators, and translators. They allow users to integrate their browsers with their preferred services. 

Upon installation, extensions request permissions such as the ability to read and change data on the websites the user visits. Permissions that let an extension read the user's browsing history or modify the data the user copies and pastes effectively allow it to monitor everything the user does in the browser. Yet, to get a useful extension working, users usually grant such permissions or never review the extension's default settings.

Browser Extension Permissions

Most browser extensions offer features that interact with the current web page, such as password managers that fill in passwords for different websites, or dictionary extensions that provide instant definitions for words. Because such access seems necessary for the feature, users rarely scrutinize the permissions.

Some extensions require much broader permissions. For example, the Web Developer extension for Chrome requests permission to read and change the user's data on all websites they visit, read their browsing history, modify the data they copy and paste, and change the settings that control websites' access to features such as cookies, JavaScript, plugins, geolocation, microphone and camera.

[Image: permissions requested by the Web Developer extension]

If an extension is allowed to access every web page the user visits, the user may be opening the door to malicious activity. Such an extension can act as a keylogger and capture sensitive information, insert advertisements, redirect search traffic to malicious sites, and so on. This does not mean that every extension is malicious, but it does mean they can be dangerous.

Extensions that work statically and do not connect to external servers are generally safer. Extensions that must connect to a server to retrieve data are more sensitive, because cybercriminals may capitalize on that dependency: if they hijack the server or its domain name, they can use the trusted connection to further their own scheme.

Some extensions display ads:

[Image: an extension displaying advertisements]

Extensions have long been part of ad-fraud and malvertising networks. When Chrome extensions were first announced in 2009, most of them focused on narrow tasks, and ad blocking was the most common one. Ironically, some of those same extensions now display advertisements themselves.


Is it safe to let your browser manage passwords?

Internet usage has skyrocketed over the last decade, and today the average user spends about 6.5 hours online every day. Email, social media, online stores and streaming services are the platforms on which users spend most of that time. Because memorizing many passwords is hard, most users let their browser save passwords so that they are filled in automatically at login. Browsers therefore routinely ask whether they should save credentials; if the user agrees, the passwords are stored locally and synchronised to the other devices on which the user is signed in. Those saved credentials are a prime target: the data-stealing malware described later in this post collects passwords saved in browsers along with the associated cookies.


Trusted extensions can turn into malware

In some cases, popular browser extensions that are trusted as secure are sold to shady organizations or simply hijacked. The new owners push updates that turn the seemingly harmless extension into malware. The compromised extension connects the browser to a command-and-control infrastructure, exfiltrates sensitive data from unsuspecting users and exposes them to further risks. Because browsers install extension updates automatically and silently, the user sees nothing unless the update requests permissions it did not have before, which is why a new permission prompt from an already installed extension deserves attention.


Underground marketplaces that sell fingerprints

The data collected without authorization may include sensitive information such as login credentials for the user's online payment accounts, e-banking services, file-sharing or social networking websites. A malicious extension may also steal the cookies associated with these accounts, browser user-agent details, and other browser and PC details.

Cybercriminals have recently realized the value of users' unique browser fingerprints, and these digital identities are now being sold on underground marketplaces such as the Genesis Store and Russian Market.

Genesis Store operators have developed a .crx plugin for Chromium-based browsers that makes it easy to use stolen identities in any way they want. The plugin loads a stolen digital profile into the cybercriminal's browser, effectively activating a doppelgänger of the victim. The attacker then only needs to connect through a proxy server with an IP address in the victim's location to pass the verification checks of anti-fraud systems while posing as a legitimate user.

[Image: a snapshot of available Genesis bots]


Conclusion

  • The fewer extensions in your browser, the better. Do not install extensions that raise even the slightest suspicion. Fewer extensions also make the browser faster: extensions not only affect performance but are also a potential attack vector.
  • Install extensions only from official web stores. Extensions in these stores undergo security review that filters out many of the outright malicious ones. This does not guarantee a safe browsing experience, but it is better than installing extensions from external sources.
  • Watch the permissions that extensions require. If an extension already installed on your computer requests a new permission, treat it as a red flag: the extension may have been hijacked or sold.
  • Before installing any extension, go through the permissions it requests and make sure they are appropriate for the functionality it offers. If the requested permissions do not match the extension's functions, it is better not to install it at all.
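The permission review discussed under Browser Extension Permissions above and the red flag in the list just given, an already installed extension asking for new permissions after an update, can both be checked mechanically against the extension's manifest.json. The following is an added example, not code from the original post or from any real extension: it scores a manifest by the Chrome permission names and host patterns it declares, and diffs two versions of a manifest to list what an update added. The two manifests are constructed; the permission names and host patterns are real Chrome manifest keys, and the risk notes paraphrase Chrome's install-time warnings.

```python
"""Review a browser extension's manifest for risky permissions and diff two versions.

Added example, not code from the original post or from any real extension.
Permission names and host patterns are real Chrome extension manifest keys;
the risk notes paraphrase Chrome's install-time warnings. Both manifests
below are constructed for illustration.
"""
import json

# Real Chrome permission names -> what the install warning says they allow.
SENSITIVE_PERMISSIONS = {
    "history": "read browsing history",
    "tabs": "read the URL and title of every open tab",
    "webNavigation": "track page navigation",
    "cookies": "read and change cookies, including session tokens",
    "webRequest": "observe every network request",
    "webRequestBlocking": "modify or block network requests",
    "clipboardRead": "read data the user copies",
    "clipboardWrite": "modify data the user pastes",
    "contentSettings": "change site access to cookies, JavaScript, plugins, geolocation, microphone, camera",
    "management": "list, disable or uninstall other extensions",
    "nativeMessaging": "talk to native programs on the host",
    "downloads": "manage downloads",
    "scripting": "inject scripts into pages it has host access to",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HIGH_IMPACT = {"history", "tabs", "cookies", "webRequest", "webRequestBlocking",
               "contentSettings", "management", "nativeMessaging", "clipboardRead"}


def host_patterns(manifest):
    """Collect every host pattern: MV3 host_permissions, MV2 permissions, content scripts."""
    pats = set()
    if manifest.get("manifest_version", 2) >= 3:
        pats.update(manifest.get("host_permissions", []))
    else:
        pats.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def review_manifest(manifest):
    """Return (risk, findings); risk is 'low', 'medium' or 'high'."""
    findings = []
    api_perms = [p for p in manifest.get("permissions", []) if p in SENSITIVE_PERMISSIONS]
    for p in api_perms:
        findings.append(f"permission {p}: can {SENSITIVE_PERMISSIONS[p]}")
    hosts = host_patterns(manifest)
    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append(f"host access {sorted(broad)}: can read and change data on every site visited")
    elif hosts:
        findings.append(f"host access limited to {sorted(hosts)}")
    if broad or HIGH_IMPACT & set(api_perms):
        risk = "high"
    elif api_perms or hosts:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings


def new_permissions(old, new):
    """What an update added: the red flag described in the conclusion."""
    return {
        "permissions": sorted(set(new.get("permissions", [])) - set(old.get("permissions", []))),
        "hosts": sorted(host_patterns(new) - host_patterns(old)),
    }


# Constructed: a dictionary look-up extension before and after a hostile update.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Dictionary (constructed)", "version": "1.4.0",
  "permissions": ["activeTab", "storage"],
  "action": {"default_popup": "popup.html"}
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Dictionary (constructed)", "version": "1.5.0",
  "permissions": ["activeTab", "storage", "cookies", "webRequest", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["collect.js"]}],
  "action": {"default_popup": "popup.html"}
}""")

if __name__ == "__main__":
    for manifest in (OLD_MANIFEST, NEW_MANIFEST):
        risk, findings = review_manifest(manifest)
        print(manifest["version"], risk, *findings, sep="\n  ")
    print("added by update:", new_permissions(OLD_MANIFEST, NEW_MANIFEST))
```

Installed manifests live under the browser profile's Extensions directory, so the same diff can be run against the previous version after an update. Note that host access alone is enough to keylog and scrape pages: a content script matching <all_urls> needs no further API permission, which is why the review treats broad host access as high risk by itself.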

The Upsurge of Digital Fingerprints in Underground Marketplaces


Digital fingerprints are unique slices of information about the software and hardware of a device, together with the distinguishing characteristics of its user. Device fingerprinting gathers this information to identify an individual user, turning the device's profile into a tradeable digital asset.

A device’s fingerprints include its:

  • IP address (external and local),
  • Screen information (screen resolution, window size),
  • Firmware version,
  • Operating system version,
  • Browser plugins installed,
  • Timezone,
  • Device ID,
  • Battery information,
  • Audio system fingerprint,
  • GPU info,
  • WebRTC IPs,
  • TCP/IP fingerprint,
  • Passive SSL/TLS fingerprint,
  • Cookies, and many more.

Digital fingerprints also include attributes of the individual user, such as their social network accounts (via third-party cookie tracking) and various aspects of their behavior:

  • Time spent on e-commerce websites
  • Website click locations
  • Items of interest, the typical amount of money spent on such items, virtual or real merchandise, etc.
  • Mouse/touchscreen behavior
  • System configuration changes
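The attributes listed above are what a fingerprinting script hashes into a single identifier, and the combination of that identifier with the account's cookies is what makes a stolen profile valuable for the Genesis-style replay described in the browser extensions post above (and for SIRIUS profiles below). The following is an added example, not code from the original post or from any anti-fraud product: it derives a fingerprint from a constructed attribute set, applies a toy anti-fraud rule (device, country and session cookie must all match the stored profile), and runs three constructed logins through it: the victim, an attacker holding only the password, and an attacker replaying the full stolen profile through a proxy in the victim's country. The attribute values, the stored profile and the decision rules are assumptions.

```python
"""Compose a device fingerprint and show why a stolen one defeats anti-fraud checks.

Added example, not code from the original post or from any real anti-fraud
product. The attribute set is a subset of the list above; the canvas and
WebGL values, the stored profile and the decision rules are constructed.
"""
import hashlib
import json

# Constructed: the attributes a fingerprinting script would read from the
# victim's browser (navigator.*, screen.*, a canvas render hash, WebGL renderer).
VICTIM_ATTRS = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/87.0.4280.88 Safari/537.36",
    "platform": "Win32",
    "languages": ["en-IN", "en", "hi"],
    "timezone": "Asia/Kolkata",
    "screen": [1920, 1080, 24],           # width, height, colour depth
    "plugins": ["Chrome PDF Plugin", "Chrome PDF Viewer"],
    "canvas_hash": "c4ca4238a0b92382",    # constructed value
    "webgl_renderer": "ANGLE (Intel(R) UHD Graphics 620 Direct3D11 vs_5_0 ps_5_0)",
    "fonts": ["Arial", "Calibri", "Nirmala UI"],
}


def fingerprint(attrs):
    """Hash the attributes in canonical form so identical browsers produce the same ID."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def assess_login(profile, observed):
    """Toy anti-fraud rule: allow only if device, location and session cookie all match.

    profile:  what the site stored for the account on an earlier trusted login.
    observed: what the current login presents (attrs, geolocated country, cookies).
    Returns ("allow" | "challenge", reasons).
    """
    reasons = []
    if fingerprint(observed["attrs"]) != profile["fp"]:
        reasons.append("device fingerprint differs from the stored one")
    if observed["country"] != profile["country"]:
        reasons.append("login from a different country")
    if observed["cookies"].get("sid") != profile["sid"]:
        reasons.append("no previously issued session cookie")
    return ("challenge" if reasons else "allow"), reasons


# Constructed: what the site remembers about the victim's account.
PROFILE = {"fp": fingerprint(VICTIM_ATTRS), "country": "IN", "sid": "sid-7f3a9c1e"}

# Constructed logins.
LEGITIMATE = {"attrs": VICTIM_ATTRS, "country": "IN", "cookies": {"sid": "sid-7f3a9c1e"}}
STOLEN_PASSWORD_ONLY = {
    "attrs": {**VICTIM_ATTRS, "platform": "Linux x86_64", "timezone": "Europe/Moscow",
              "languages": ["ru-RU", "ru"], "canvas_hash": "e4da3b7fbbce2345"},
    "country": "RU",
    "cookies": {},
}
# The Genesis-style replay: the stolen profile, cookies included, loaded into the
# attacker's browser, with traffic routed through a proxy in the victim's country.
STOLEN_PROFILE_REPLAY = {"attrs": dict(VICTIM_ATTRS), "country": "IN", "cookies": {"sid": "sid-7f3a9c1e"}}


if __name__ == "__main__":
    for label, login in [("legitimate", LEGITIMATE), ("password only", STOLEN_PASSWORD_ONLY),
                         ("full profile + proxy", STOLEN_PROFILE_REPLAY)]:
        print(label, assess_login(PROFILE, login))
```

The third case passing is the point: every input to the check was exfiltrated from the victim's browser, so none of it can act as a secret. Mitigations therefore have to rely on what the stealer cannot copy: short-lived session cookies rotated server-side, re-authentication with a second factor for sensitive actions, and alerting when a known fingerprint appears from a new network rather than treating the match as proof of identity.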


Underground marketplaces tout digital identities

SIRIUS Shop is a private cybercriminal marketplace that trades stolen digital fingerprints. This new Russian underground marketplace, SIRIUS Shop Online, sells tens of thousands of compromised digital fingerprints, enabling threat actors to commit online fraud. At the moment it offers more than 20,000 stolen profiles, each including browser fingerprints, website logins and passwords, cookies and credit card information. Prices range from $1 to $27 per profile, depending on the value of the information it contains. SIRIUS has been active since June 2020 and also helps sellers set up their own shops on the market. Its operators advertise the availability of these digital fingerprints on an underground carding forum.


SIRIUS Shop sells:

  • Credit card details
  • Dumps (card track data)
  • SSNs
  • Scans of ID documents and driving licences
  • Bot logs (full dumps)
  • Web shells
  • CRM panel access
  • CMS panel access
  • Email and password databases

[Image: SIRIUS home page]

Bot Profile Dumps

The operators of SIRIUS Shop deliver malware that steals digital fingerprints from user devices along with other information such as account credentials and browser cookies for online payment portals, stores and even bank accounts. These digital assets are then sold on the underground marketplace.

Users who have been infected with malware in the past, or who have installed rogue browser extensions, have unknowingly had their account passwords and full browser details recorded and sent to the SIRIUS operators. In some cases the data is also acquired through web injects, form grabbers and passwords saved in browsers. The operators keep harvesting more such data, and updates to it, which is then pushed to their online store.

Each user profile includes login credentials for the victim's accounts on online payment portals, e-banking services, file-sharing or social networking services. It also contains the cookies associated with those accounts, browser user-agent details, WebGL signatures, HTML5 canvas fingerprints, and other browser and PC details.

The profiles are then imported into SIRIUS Shop, where they are indexed so that cybercriminals can search by parameter for the types of profiles they are interested in.

[Image: SIRIUS store page]

SIRIUS Store has a configurable search panel that lets threat actors track down specific user fingerprints. One can search for credentials for a particular website, by the victim's country or operating system, or by the date the profile first appeared on the market.

[Image: SIRIUS search panel]

These logs give threat actors considerable leeway and make credit card fraud easier. The marketplace sells digital identities together with stolen credentials for online shops and payment services that were previously compromised. Anyone who obtains such a digital asset can load it into a browser, connect through a proxy to masquerade as the real user, and commit fraud undetected. The attacker can then access the victim's online accounts or make new transactions in their name that the service treats as trusted. The victim's social media accounts are equally at risk.


Preventive Measures

For website owners

  • Serve the Site over TLS (an SSL Certificate)

Data is transferred constantly between the user's browser and your web server. Without TLS (still commonly called an SSL certificate), that data, including cookies and login credentials, is sent in clear text, so anyone who can intercept the traffic can read it.

TLS encrypts the data in transit, so even if an attacker intercepts it, they cannot read it. You can get a certificate through your web hosting company or a certificate authority, and Let's Encrypt issues basic certificates for free. A certificate alone is not enough, however: the site must redirect plain HTTP to HTTPS (and ideally send an HSTS header), and session cookies must carry the Secure flag, otherwise the browser will still send them over an unencrypted connection.
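A certificate only protects the login if the cookies that carry it are marked so the browser refuses to send them over plain HTTP. The following is an added example, not code from the original post: it parses the Set-Cookie headers of a constructed response, reports cookies missing the Secure, HttpOnly or SameSite attributes and the absence of a Strict-Transport-Security header, and shows the same response after hardening. The header values are constructed; the attribute and header names are the real HTTP ones.

```python
"""Audit response headers for cookies that would travel or be readable in the clear.

Added example, not code from the original post. The two header sets below are
constructed; the attribute names (Secure, HttpOnly, SameSite) and the
Strict-Transport-Security header are the real HTTP ones.
"""

# Name fragments that usually mark a login/session cookie (heuristic assumption).
SESSION_HINTS = ("sess", "sid", "token", "auth", "login")


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs as the server sends them.

    Returns {"transport": [issues], "cookies": {cookie_name: [issues]}}.
    """
    transport = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        transport.append("no Strict-Transport-Security header: the first request can still go over plain HTTP")
    cookies = {}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure: the browser will also send it over http://")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable via document.cookie by any script running in the page")
        samesite = str(attrs.get("samesite", "")).lower()
        if not samesite:
            issues.append("missing SameSite: sent on cross-site requests")
        elif samesite == "none" and "secure" not in attrs:
            issues.append("SameSite=None requires Secure")
        if issues and any(h in name.lower() for h in SESSION_HINTS):
            issues.insert(0, "session cookie: the issues below expose the login itself")
        cookies[name] = issues
    return {"transport": transport, "cookies": cookies}


def is_clean(report):
    """True when neither the transport nor any cookie has an issue."""
    return not report["transport"] and not any(report["cookies"].values())


# Constructed: a site that installed a certificate but changed nothing else.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=3f9c0a1b2d; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
    ("Set-Cookie", "csrf=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Strict"),
]
# Constructed: the same response after hardening.
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "PHPSESSID=3f9c0a1b2d; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrf=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs))
```

To audit a real site, feed the function the header pairs returned by your HTTP client. The Secure flag is the one that matters for the interception scenario described above; HttpOnly separately limits what page scripts, including ones injected by a rogue extension, can read through document.cookie.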

  • Install a Security Plugin

A security plugin's firewall generally blocks attempts to hack your website and bans malicious IP addresses. It also scans your site regularly and alerts you if attackers inject malicious code, so that you can clean up the site immediately, before the damage spreads.

  • Update Your Website

Update your website regularly, including the core installation, themes and plugins. Outdated software creates vulnerable spots that attract attackers. Check for the latest updates from the vendor; besides new features and bug fixes, these updates patch security flaws.


For website visitors

  • Install an Effective Anti-virus

Ensure the device you use to access the internet has anti-malware software installed. It detects and alerts you to malware served by malicious sites, and removes malware you might accidentally download or install.

  • Never Click on Suspicious Links

Avoid clicking on suspicious links, and be especially cautious of those that advertise attractive offers or discounts.

  • Avoid Storing Sensitive Data

For a quick check-out, users tend to store payment details such as credit card information on shopping websites, and some save passwords in their browser to log in automatically. These conveniences come at a cost: the info-stealers described above harvest exactly this saved data. Never store sensitive data on websites or in browsers.

  • Clear Cookies

Clear cookies regularly to remove session tokens and other sensitive information stored by the browser.


Conclusion

Online marketplaces that trade databases and dumps are ubiquitous, and as authorities fail to keep pace with them, more and more users have their identities stolen and sold. Since most victims are exposed simply through their presence on the internet, website owners should take steps to ensure a safe and secure experience on their sites. Enabling extra layers of security such as two-factor authentication is one way to do so; an additional biometric authentication factor can also be considered.