Report Finds Serious Flaws in COVID-19 Vaccine Developers' Systems
BitSight assessed 17 biomedical companies publicly recognized for playing a role in the development of a COVID-19 vaccine and found many operate with serious security vulnerabilities.
An examination by BitSight of 17 biomedical, healthcare, pharmaceutical, and academic research facilities publicly known to be working on the development of a COVID-19 vaccine found that these entities are operating with serious security issues and vulnerabilities.
While the flaws discovered by BitSight are not abnormal when compared to groups of other large companies, BitSight stressed that there is cause for alarm given the heightened threat environment.
The report comes on the heels of an alert from federal security agencies from the UK, US, and Canada that showed Russian hackers were targeting COVID-19 researchers working on the development of a vaccine with tailored cyberattacks designed to steal valuable data.
According to the advisory, the Russian-based APT29 hacking group is actively conducting basic vulnerability scanning against specific external IP addresses of COVID-19 research facilities to then deploy public exploits against identified vulnerable services.
The latest attacks are par for the course for the healthcare sector amid the crisis. From the outset, hackers increased targeted attacks against manufacturers working on coronavirus research. The World Health Organization and several other research firms reported a spate of attacks against the enterprise.
While the threat actors were unsuccessful in their attempts against WHO, Maze ransomware hackers posted data allegedly stolen from the UK-based Hammersmith Medicines Research in March. And in May, the Department of Homeland Security warned that Chinese hackers were targeting COVID-19 research facilities to steal coronavirus research.
In light of these threats, BitSight sought to understand the cybersecurity posture of the leading COVID-19 vaccine companies. Five of the analyzed companies have more than 100,000 employees, four entities have between 10,000 and 100,000, four firms have between 1,000 and 2,000 employees, and four have 200 or fewer.
BitSight determined these companies had serious security flaws in four key areas: compromised systems, open ports, vulnerabilities, and web application security. Most notably, a “significant fraction” of these entities had a system compromise within the last six months and the last year.
Eight companies faced a botnet within the last year, seven of which occurred in the past six months. Nine of the companies were potentially exploited, eight of which happened in the first half of 2020. Five research entities’ systems were sending spam in the last year, three of which occurred in the last six months.
And three companies were found behaving in an abnormal way, such as unsolicited communications, all of which occurred in the last six months.
“The presence of compromised systems is evidence of security controls failing to prevent malicious or unwanted software from running within an organization,” researchers explained. “This suggests that there are control failures that could potentially be exploited by adversaries seeking access.”
Potentially one of the most concerning aspects of the report is that 14 out of the 17 assessed research entities have systems exposed to the internet with known vulnerabilities. Ten of these companies have more than 10 active vulnerabilities on their systems. Six of these entities have very serious vulnerabilities ranked at 9.0 or higher.
BitSight also found many of these companies had left a number of ports exposed to the internet. The largest vulnerability in this category was the Microsoft Remote Desktop Protocol (RDP), with seven assessed companies found exposing this port.
It’s notable because Microsoft has issued several patches in the last few years, including some for legacy systems, to address critical vulnerabilities in RDP. One of them, CVE-2019-0708, bears hallmarks of the flaw behind the global 2017 WannaCry attack.
And amid COVID-19, hackers have ramped up brute-force attempts against RDP given the spike in remote work and telehealth.
Seven companies also left a Lightweight Directory Access Protocol (LDAP) server exposed. LDAP is a standard application protocol for accessing and maintaining distributed directory information services over an IP network.
Telnet was the second-most exposed with five companies, followed by the SMB port. Cybercriminals have notoriously targeted healthcare SMB ports in recent years. In particular, SamSam threat actors were behind some of the biggest healthcare data breaches in 2018.
“Generally, these types of services should either never be used or never exposed outside of a company’s firewall,” researchers explained. “For example, Telnet is a service which allows users to access another computer using an unencrypted connection. Database technologies such as MySQL should always be behind a company’s firewall.”
“Exposing these services allows an attacker to identify potential access points into a company’s network,” they added. “None of the services listed above should be exposed outside of a company’s firewall... More ominously, ransomware operators are probing exposed RDP devices to try to infect corporate networks.”
Lastly, BitSight found web application security issues in a majority of these companies. Most commonly, 15 assessed organizations leveraged insecure redirects from HTTPS (secure) to HTTP (insecure), as well as insecure authentication and mixed secure and insecure content on the same web page.
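The two web-application findings named above, an HTTPS-to-HTTP redirect and mixed content on an HTTPS page, are both checkable from the responses a site already returns. The following Python script is an added example for auditing one's own site and is not BitSight's code or methodology; the response headers and HTML it inspects are constructed samples embedded in the file, and the form-action check is an assumption about what "insecure authentication" may cover (credentials posted over plain HTTP), not the report's definition.

```python
"""Self-audit helpers for two web findings from the report: HTTPS->HTTP
redirects and mixed content. Sample inputs below are constructed, not
captured from any real site, so everything here runs offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags/attributes whose value the browser fetches or posts to. An http://
# target on an https:// page is mixed content (script/link/iframe/object are
# "active", img/audio/video "passive"); a form posting to http:// sends the
# submitted credentials in clear text (assumed reading of "insecure auth").
SUBRESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "img": ("src",), "audio": ("src",),
    "video": ("src",), "form": ("action",),
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _MixedContentParser(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every plain-http reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value:
                    # Resolve relative and protocol-relative ("//host/x") URLs
                    # against the page so only real http:// targets are flagged.
                    absolute = urljoin(self.page_url, value)
                    if urlparse(absolute).scheme == "http":
                        self.findings.append((tag, attr, absolute))


def check_redirect(request_url, status, headers):
    """Return a finding if an HTTPS request is redirected to plain HTTP, else None."""
    if urlparse(request_url).scheme != "https" or status not in REDIRECT_CODES:
        return None
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if not location:
        return None
    target = urljoin(request_url, location)  # Location may be relative
    if urlparse(target).scheme == "http":
        return f"insecure redirect: {request_url} -> {target}"
    return None


def find_mixed_content(page_url, html):
    """Return plain-http sub-resource/form references on an HTTPS page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    parser = _MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# --- constructed sample data (hypothetical hosts, not real measurements) ---
SAMPLE_REDIRECT = ("https://www.example.org/portal", 302,
                   {"Location": "http://www.example.org/portal/login"})
SAMPLE_PAGE_URL = "https://www.example.org/portal/login"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<script src="/static/app.js"></script>
<script src="//static.example.org/track.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
<form action="http://www.example.org/auth" method="post">
  <input name="user"><input name="pass" type="password"></form>
<a href="http://www.example.org/help">help</a>
</body></html>"""


def audit_sample():
    """Run both checks over the constructed sample and return report lines."""
    report = []
    redirect = check_redirect(*SAMPLE_REDIRECT)
    if redirect:
        report.append(redirect)
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        kind = "form posts over http" if tag == "form" else "mixed content"
        report.append(f"{kind}: <{tag} {attr}={url}>")
    return report


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

The relative `/static/app.js` and protocol-relative `//static.example.org/track.js` resolve to HTTPS and are correctly left alone, while the stylesheet, image and form action are flagged; the plain `<a href>` is a navigation link, not a sub-resource, so it is ignored. Against a live site the same functions would be fed the status, headers and body of each response you fetch.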
“In light of these risks, the bioscience community must step up its cyber vigilance,” researchers wrote. “It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials.”
“Hackers will continue to meddle with these efforts, placing pressure on already stretched security leaders to go beyond conventional detect and respond approaches to cyber threats,” they added. “Instead, they must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure across the extended attack surface and third-party ecosystem.”