Pharmaceutical companies have been hitting the news headlines in recent years, as threat actors have shifted their focus to this wealthy market.
70% of pharmaceutical companies have exposed RDPs, while RDPs were the primary attack vector used in 47% of ransomware attacks in recent years.
This, for example, is one of the many exposures Reposify’s research team uncovered while examining why the pharmaceutical industry is so lucrative for attackers. The report is based on data from a two-week period in March 2021, analyzing the security posture of 18 leading pharmaceutical organizations worldwide.
A dramatic rise in cyberattacks often indicates a distributed network infrastructure with many weak spots. It also suggests a lucrative industry with sensitive data and massive resources, something worth the hackers’ time. In this case, it’s both.
Why Are Pharmaceutical Companies The First To Be Targeted By Attackers?
1. The Acceleration of Digitization
Over the last decade, as the pharmaceutical industry embraced digital transformation, vast amounts of personal data, intellectual property, and drug formulas have been collected and stored in the cloud.
2. Vaccine Development
The outbreak of Covid-19 pushed governments to dedicate worldwide resources to vaccine development. Malicious actors, driven by espionage and financial motivations, quickly recognized the potential.
Pharmaceutical Companies’ Digital Footprint Has Expanded.
With the pandemic causing a rush to scale and digitize, pharmaceutical companies’ digital footprint has expanded, creating many new blind spots where attackers could easily break in and access confidential, sensitive data.
The 4 Most Vulnerable Attack Surface Exposures in the Pharmaceutical Industry
1. M&A Transactions Impact The External Attack Surface of the Acquiring Company
In 2020, hundreds of M&A transactions took place in the pharmaceutical and life science market. In addition to gaining coveted intellectual property, pharmaceutical companies also unknowingly inherited the cybersecurity risks of their newly acquired subsidiaries.
Our research team analyzed twenty M&A deals that took place over 2020 and inspected the impact of the acquisitions on the security posture of their new parent companies. This uncovered that 70% of the M&A deals examined had a negative impact on the acquirer’s security posture.
Acquisition targets are typically smaller companies that are focused on fast innovation and agility. Such companies often place less emphasis on cybersecurity protocols in their quest for growth. This results in CIOs inheriting inventory they know nothing about.
2. Exposed Remote Access Services
The outbreak of COVID-19 forced a transition into work from home, resulting in a massive increase in usage of remote access services during 2020 and 2021. Among all the remote access services discovered, OpenSSH and RDP were the most commonly seen.
Although OpenSSH services are designed to be exposed to the internet, we found that 45% of the exposed SSH services were running versions with known vulnerabilities that had not been updated.
Unlike OpenSSH services, RDPs are not supposed to be visible from the outside-in. However, we found that 77% of companies had exposed RDP services.
Moreover, 27% of the exposed RDP services we found ran versions so old that Network Level Authentication (NLA) was not used to authenticate connections.
RDP services should always be placed behind a VPN.
According to data collected by Kroll, RDPs were the primary attack vector used in 47% of ransomware attacks in recent years.
Exposed SMB services were found in almost half of the companies we analyzed, which is very alarming. SMB was exploited as an attack vector in some of the world’s most infamous cyberattacks, such as WannaCry and NotPetya. Read more about it in the full report.
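Whether NLA is actually in force on an RDP host, rather than merely enabled by policy, shows in the very first reply of the RDP handshake: the server's X.224 Connection Confirm. A server that requires NLA answers a request offering only standard RDP security with an RDP_NEG_FAILURE carrying HYBRID_REQUIRED_BY_SERVER, a server that accepts standard RDP answers with an RDP_NEG_RSP selecting PROTOCOL_RDP, and a host too old to negotiate at all sends the bare X.224 header (the "so old that NLA was not used" case above). The following parser, written for verifying your own hosts, is an added example and not Reposify's code: the structure offsets follow MS-RDPBCGR, the sample replies are constructed byte strings, and the verdict labels (legacy_no_nla, nla_enforced and so on) are my own naming.

```python
"""Classify an RDP server's X.224 Connection Confirm by NLA support (MS-RDPBCGR 2.2.1.2)."""
import struct

# selectedProtocol values carried in RDP_NEG_RSP
PROTOCOL_RDP = 0x00000000        # standard RDP security: no NLA
PROTOCOL_SSL = 0x00000001        # TLS only: still no NLA
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP plus early user authorization

# failureCode carried in RDP_NEG_FAILURE when the server insists on NLA
HYBRID_REQUIRED_BY_SERVER = 0x00000005

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def classify_connection_confirm(reply: bytes) -> str:
    """Map a Connection Confirm PDU to one of:
    legacy_no_nla, nla_not_required, nla_selected, nla_enforced, refused_other, invalid.
    Assumes the probe that elicited the reply offered only PROTOCOL_RDP, so a
    HYBRID_REQUIRED_BY_SERVER failure proves NLA is enforced (assumption of this example)."""
    # TPKT header: version 3, reserved byte, 16-bit big-endian total length
    if len(reply) < 11 or reply[0] != 0x03:
        return "invalid"
    if struct.unpack(">H", reply[2:4])[0] != len(reply):
        return "invalid"
    # X.224 header: length indicator, then the Connection Confirm TPDU code (0xD0)
    ldi, tpdu = reply[4], reply[5]
    if (tpdu & 0xF0) != 0xD0:
        return "invalid"
    # ldi 6 = header only, no RDP_NEG structure: a server too old to negotiate,
    # so only standard RDP security is possible and NLA cannot be used.
    if ldi == 6:
        return "legacy_no_nla"
    if ldi != 14 or len(reply) != 19:
        return "invalid"
    neg_type, _flags, neg_len = struct.unpack("<BBH", reply[11:15])
    if neg_len != 8:
        return "invalid"
    value = struct.unpack("<I", reply[15:19])[0]
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return "nla_enforced" if value == HYBRID_REQUIRED_BY_SERVER else "refused_other"
    if neg_type == TYPE_RDP_NEG_RSP:
        if value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
            return "nla_selected"      # NLA supported; enforcement not proven by this reply
        return "nla_not_required"      # server accepted standard RDP or plain TLS
    return "invalid"


def _connection_confirm(neg: bytes) -> bytes:
    """Wrap an optional RDP_NEG structure in X.224 CC and TPKT headers (constructed sample)."""
    x224 = bytes([6 + len(neg), 0xD0, 0x00, 0x00, 0x12, 0x34, 0x00]) + neg
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


# Constructed replies, one per situation the report describes.
SAMPLES = {
    "legacy host": _connection_confirm(b""),
    "standard RDP accepted": _connection_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP)),
    "NLA required": _connection_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER)),
    "NLA selected": _connection_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_HYBRID)),
}


def audit(samples):
    """Verdict per captured reply; anything other than nla_enforced deserves a ticket."""
    return {name: classify_connection_confirm(pdu) for name, pdu in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Only `nla_enforced` shows that the host refuses connections without NLA; `nla_selected` only shows that NLA is supported, and `legacy_no_nla` and `nla_not_required` are the hosts that should be behind the VPN today and reconfigured or retired next.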
3. Unpatched Critical CVEs From Over 10 Years Ago
We analyzed the prevalence of unpatched CVEs with critical severity (CVSS 8 and above) among the pharmaceutical companies we examined. This is what we found:
- 70% of the pharma companies had unpatched CVEs that were released in 2019.
- All of the companies we analyzed had unpatched CVEs that were at least 3-6 years old.
- Over 80% of the companies had unpatched CVEs that were released between 2010-2014.
Unpatched CVEs are another favorite attack vector for hackers. Leaving a service unpatched can have severe implications for the company.
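The figures above are simple to reproduce from your own scan output, because the publication year is encoded in every CVE id: bucket each company's unpatched findings at or above the critical threshold by age, then count the share of companies hitting each bucket. The script below is an added example, not Reposify's code. The findings list is constructed, the CVE ids are placeholders (sequence 0000) rather than real vulnerabilities, the company names are invented, and 2021 is used as the reference year because that is when the report's data was collected.

```python
"""Bucket each company's unpatched critical CVEs by age, as the report does."""
import re

REPORT_YEAR = 2021    # the report's data was collected in March 2021
CRITICAL_CVSS = 8.0   # the report's threshold for "critical severity"
CVE_ID = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed findings from an external scan: (company, CVE id, CVSS score).
# The CVE ids are placeholders (sequence 0000), not real vulnerabilities.
FINDINGS = [
    ("PharmaA", "CVE-2019-0000", 9.8),
    ("PharmaA", "CVE-2012-0000", 8.1),
    ("PharmaA", "CVE-2020-0000", 5.3),   # below the critical threshold, ignored
    ("PharmaB", "CVE-2017-0000", 8.8),
    ("PharmaB", "CVE-2010-0000", 10.0),
    ("PharmaC", "CVE-2019-0000", 9.8),
    ("PharmaC", "CVE-2018-0000", 7.5),   # below the critical threshold, ignored
    ("PharmaC", "CVE-2016-0000", 9.0),
    ("PharmaD", "CVE-2014-0000", 9.3),
    ("PharmaD", "CVE-2011-0000", 8.5),
]

# The report's three age buckets, as predicates on (age in years, publication year).
BUCKETS = {
    "released in 2019": lambda age, year: year == 2019,
    "at least 3 years old": lambda age, year: age >= 3,
    "released 2010-2014": lambda age, year: 2010 <= year <= 2014,
}


def cve_year(cve_id: str) -> int:
    """Publication year encoded in the CVE id (no database lookup needed)."""
    match = CVE_ID.match(cve_id)
    if not match:
        raise ValueError(f"not a CVE id: {cve_id}")
    return int(match.group(1))


def critical_years(findings, min_cvss=CRITICAL_CVSS):
    """Every company -> set of publication years of its unpatched critical CVEs.
    Companies with no critical finding are kept (empty set) so shares use the full denominator."""
    years = {company: set() for company, _, _ in findings}
    for company, cve_id, cvss in findings:
        if cvss >= min_cvss:
            years[company].add(cve_year(cve_id))
    return years


def share_of_companies(findings, predicate, ref_year=REPORT_YEAR) -> int:
    """Percentage of companies with at least one critical CVE matching the bucket."""
    years = critical_years(findings)
    hits = sum(1 for ys in years.values() if any(predicate(ref_year - y, y) for y in ys))
    return round(100 * hits / len(years))


def oldest_unpatched(findings, ref_year=REPORT_YEAR):
    """Age in years of each company's oldest unpatched critical CVE (None if it has none)."""
    return {c: (ref_year - min(ys) if ys else None) for c, ys in critical_years(findings).items()}


def report(findings):
    return {name: share_of_companies(findings, pred) for name, pred in BUCKETS.items()}


if __name__ == "__main__":
    for bucket, pct in report(FINDINGS).items():
        print(f"{pct}% of companies have unpatched critical CVEs {bucket}")
    print("oldest unpatched critical CVE per company (years):", oldest_unpatched(FINDINGS))
```

The per-company "oldest unpatched" age is the number worth tracking over time: a value that only grows between scans is the Shadow IT signature described in the next section, a system nobody owns and nobody patches.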
3 Reasons Why Companies Are Delaying The Patching Process:
1. The complexity of updating a service in a managed IT environment can lead to a long testing period to make sure the new version works seamlessly with all other applications and services in the organization. This may sound straightforward, but in reality, it rarely goes without impacting the availability or usability of company services.
2. These old unpatched vulnerabilities may point to a Shadow IT issue resulting in a lack of management and patching cadence of legacy and other forgotten systems.
3. Even companies with strict and efficient IT and security policies might acquire or merge with another company and inherit its security vulnerabilities, impacting the merged companies’ security posture.
4. The Unofficial Network Perimeter Predominates in Companies’ IT Infrastructure
We saw that 69% of exposed services among the pharmaceutical companies examined were part of their unofficial network perimeter.
The Difference Between The Official and Unofficial Network Perimeter.
The “official network perimeter” includes assets with officially registered public IP addresses and registered domains. In most cases, these assets are known to the IT and security teams and are actively managed.
We might find exposed assets that teams are aware of in the official perimeter, such as web assets. Still, we can also find unknown exposures such as unpatched VPNs or abandoned subdomains.
Beyond the known network ranges, almost every company has assets on unregistered public IP addresses that are often not managed by their IT and security teams and are less likely to be known. These assets are usually in the realm of Shadow IT and are considered unknown risks.
For example, unsanctioned cloud services or dev environments spun up by developers or even a mini-website that the marketing team has created behind the scenes. This is what we call the “unofficial perimeter,” where most of the risks and dangers lurk.
Reposify analyzed the distribution of the exposed services of pharmaceutical companies across the network perimeter to assess the likelihood of the companies’ awareness of the various exposures.
The exposures found in our report put a company at risk of anything from a ransomware attack to data leaks and breaches that can result in theft of intellectual property, severely damaging business continuity and reputation.
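The official/unofficial split described above reduces to two lookups per discovered asset: is its IP inside a registered address range, and is its hostname under a registered domain? Anything that fails both is the unofficial perimeter. The script below is an added example, not Reposify's own analysis; the registered ranges and domain, the discovered assets and the service names are all constructed placeholders (documentation address space and example domains), and the "official if either lookup matches" rule is my reading of the definition above.

```python
"""Split discovered exposed services into the official and unofficial perimeter."""
import ipaddress
from collections import defaultdict

# Constructed placeholders for what an organization has formally registered.
REGISTERED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
REGISTERED_DOMAINS = ("example-pharma.com",)

# Constructed external-scan results: (ip, hostname or None, exposed service).
ASSETS = [
    ("198.51.100.10", "www.example-pharma.com", "https"),
    ("198.51.100.44", None, "openvpn"),                      # registered range, no name
    ("203.0.113.7", "portal.example-pharma.com", "rdp"),
    ("203.0.113.200", None, "smb"),                          # just outside the /25
    ("192.0.2.15", "old-lab.example-pharma.com", "ssh"),     # known domain on an unregistered IP
    ("192.0.2.99", "promo-site.cloudhost.example", "http"),  # marketing site on a cloud host
    ("192.0.2.120", None, "rdp"),
]


def in_registered_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REGISTERED_RANGES)


def under_registered_domain(hostname) -> bool:
    """True only for the registered apex or a label-boundary subdomain of it,
    so a look-alike such as 'evil-example-pharma.com' does not match."""
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REGISTERED_DOMAINS)


def classify(ip: str, hostname) -> str:
    """Official if either the IP or the name is registered, otherwise unofficial."""
    if in_registered_range(ip) or under_registered_domain(hostname):
        return "official"
    return "unofficial"


def unofficial_assets(assets):
    """The assets most likely unknown to IT: neither registered IP nor registered name."""
    return [a for a in assets if classify(a[0], a[1]) == "unofficial"]


def perimeter_report(assets):
    """Counts per perimeter, share of exposures in the unofficial one, and a per-service split."""
    counts = {"official": 0, "unofficial": 0}
    per_service = defaultdict(lambda: {"official": 0, "unofficial": 0})
    for ip, hostname, service in assets:
        side = classify(ip, hostname)
        counts[side] += 1
        per_service[service][side] += 1
    unofficial_pct = round(100 * counts["unofficial"] / len(assets)) if assets else 0
    return counts, unofficial_pct, dict(per_service)


if __name__ == "__main__":
    counts, pct, per_service = perimeter_report(ASSETS)
    print(f"{pct}% of exposed services sit in the unofficial perimeter ({counts})")
    for ip, hostname, service in unofficial_assets(ASSETS):
        print(f"  follow up: {service} on {ip} ({hostname or 'no hostname'})")
```

The per-service split is the useful output for prioritization: an RDP or SMB exposure in the unofficial column is one that nobody has put behind the VPN because nobody knew it existed.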
Based on the findings of this report, we gathered the recommendations every security team should follow.
5 Best Practices For Pharma Security Teams
- Ensure your RDP services are always protected behind a VPN and enable Network Level Authentication (NLA).
- Activate a Multi-Factor Authentication solution for all of your active accounts, through all channels.
- Keep track of your vulnerabilities and patch them on time.
- For M&A transactions in your organization, carry out cyber due diligence on acquisition targets to avoid inheriting unknown security exposures into your IT network.
- Continuously monitor your external attack surface for any new exposures, to properly manage them. Make sure no asset is left unknown.
To learn more about our recent study, download the full report today.
If you’d like to learn more about how Reposify can help your organization protect its external attack surface, please schedule a demo and our cyber experts will be happy to provide you with a confidential view of your exposed assets.