Cybercriminals and threat actors are using targeted Emotet attacks to take advantage of the pharmaceutical industry’s newly scattered supply chain and increasingly mobile workforce
19 May 2020 – Barcelona, Spain – Blueliv, a leading European enterprise-class cyberthreat intelligence company, today announced its new report, ‘Sounding the Pharma Alarma’, to provide an overview of the current pharmaceutical threat landscape. The new report highlights the threat actors targeting the industry and the specific tools they are utilising as they look to capitalise on an industry that is working to combat Covid-19, yet finds its security vulnerable in its wake.
Not only are pharmaceutical organizations faced with the challenge of remote working, they are currently working to combat the spread of Covid-19 by racing to create the first vaccine to the novel virus. Cybercriminals are capitalizing on this chaos by stealing research and IP, and distributing ransomware to freeze organizations out of their own research. Blueliv’s latest report provides invaluable insights into the threat actors in question, the tools most commonly used, and how to mitigate against these risks as it takes a look not only at the current Coronavirus crisis, but the wider state of pharmaceutical industry’s security.
The re-emergence of Emotet, and other prevalent hacking tools
A malware that uses stolen credentials to send malicious emails containing attachments and links that allow further spread of malware such as Dridex and Trickbot, Emotet is often the first step before a larger ransomware incident takes place. Using Threat Intelligence, Blueliv is able to monitor Emotet activity and detect the specific victim being targeted. Detailed in this latest report, Blueliv analysts have identified Emotet carrying out malicious attacks against pharmaceutical companies. The report looks to not only establish and inform the pharmaceutical industry on the dangers of Emotet campaigns but provide them insights and tools to detect and remediate such activities.
Other hacking tools and malware used by attackers of varying sophistication during the covid-19 outbreak are also outlined in the new report, including:
PlugX: a remote access tool (RAT) that can permit full control of an infected computer thanks to different plugins, making PlugX more advanced than the average RAT. The malware is usually distributed via spearphishing and is commonly used by Chinese advanced attackers such as APT10 or APT41, against the pharmaceutical industry.
Mimikatz: a post-exploitation tool used to extract plaintext and hashed passwords, PIN codes, and Kerberos tickets from memory. The tool can also perform pass-the-hash, pass-the-ticket or build Golden tickets and it is popular among pentesters and red teams to help them test the security of systems. However, it is also popular among cybercriminals and it is commonly used to dump credentials after an intrusion is made in order to gain access to other systems and services or to elevate privileges.
Meterpreter: a well-known and advanced payload that is included in the Metasploit Framework and provides an easy way to control a compromised machine. This public post-exploitation tool is used to provide complex and advanced features after a machine has been compromised, including dumping credentials, keylogging, screen/video recording, and allowing persistence.
Cobalt Strike and PowerShell Empire: post-exploitation frameworks built to facilitate the control of the victim’s systems by the adversaries. These tools are used legitimately by red teams to perform their assessments, but threat actors also use them extensively to move laterally after an intrusion. Cybercriminals groups like the Dridex Gang or Trickbot Group favour these frameworks.
AgentTesla: a type of malware known as infostealer which steals information from the infected machine, including all types of credentials, payment card information, and files. Agent Tesla has recently been used to target healthcare and pharmaceutical industries as part of a COVID-19-themed phishing campaign.
The threat actors leading the charge against the pharmaceutical industry
This Chinese state-backed group, and financially-motivated criminal enterprise, runs highly sophisticated attacks, often employing compromised digital certificates and deploying bootkits and rootkits. During Q1 2020, APT41 exploited critical vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine in order to target strategic organizations in a wide range of industries, including healthcare, pharmaceutical, manufacturing, and high technology in at least twenty countries.
Another Chinese threat group, APT18 has targeted a range of industries, including technology, healthcare, manufacturing, government, and human rights groups. Since at least 2013, APT18 has targeted biotech and pharmaceutical organizations, as well as organizations by implanting a backdoor in order to stay under the radar while stealing information related to intellectual property (IP), personally identifiable information (PII), and protected health information (PHI), and medical imaging equipment files. It is widely believed that this threat actor orchestrated the 2014 attack exploiting the OpenSSL vulnerability ‘Heartbleed’ that resulted in the loss of 4.5 million hospital patient records from the US-based Community Health Systems.
APT10’s first known activity dates back to 2006 when it targeted the pharmaceutical industry, along with others, via a massive surveillance campaign, again likely done on behalf of the Chinese government. Despite two of its members being indicted in the US in 2018, the group remains active and still looks to target the healthcare, finance, telecommunications, manufacturing and biotechnology sectors.
This group steals vital data and publishes it when victims refuse to pay ransom. Despite taking a moral stance not to attack hospitals, orphanages, nursing homes, and charitable foundations, this group has no reservations about attacking the pharmaceutical industry, which it sees as the only entities benefiting from the current pandemic. In March 2020, ExecuPharm, a company that provides clinical research support services for the pharmaceutical industry, was hit by TA505, which stole and leaked nearly 19,000 emails and 163GB of sensitive financial and personnel documents.
Silence, closely tied to or an extension of TA505, is the group known for stealing approximately $4.2 million USD from financial institutions. In January 2020, researchers reported that Silence switched its targeting and attacked at least two European pharmaceutical and manufacturing companies.
The Dridex Gang and Trickbot Group
These groups are infamous for operating the Dridex and Trickbot Trojans. Initially targeting banking, in recent years these groups have targeted any company with a device previously infected by one of the aforementioned Trojans. Once in, they are able to incorporate other malicious tools to deploy ransomware, such as BitPaymer and Ryuk, and block critical systems. Both use different techniques to obtain the first infections in the targeted organizations but they both use the malware distribution services provided by the Emotet spambot.
The intelligence outlined in this latest report is part of Blueliv’s ongoing effort to share practical guidance, helping security teams of all sizes access relevant information, implement its value and improve their security posture. Socializing cybersecurity means encouraging parity and fighting cybercrime collaboratively and more effectively.
The Sound the Pharma Alarma report on the pharmaceutical threat landscape is available to download from the following link: https://bit.ly/36eI3Wn