As each day passes, so does the increasing amount of security risks with the cybersecurity attack vector. Every organization can easily fall victim to another cyber threat, but recently, the pharmaceutical industry has become a prime target.

The increasing number of attacks on pharmaceutical organizations is due to the ongoing COVID-19 vaccine development and distribution and this has resulted in the pharmaceutical sector becoming the most attractive industry for cybercriminals. A successful vaccine has become one of the most valuable intellectual properties for cyber attackers. Beyond attacking the pharmaceutical formula, its data on testing the drug trials have become a tempting target for nation-state attackers

A recent example of pharmaceutical companies being attacked is when the Wall Street Journal reported that North Korean state attackers have targeted pharmaceutical companies in the U.S., including Johnson & Johnson. This sparked the Chief Information Security Officer at Johnson & Johnson to say in an interview that they are experiencing attacks from nation-state threat actors “every single minute of every single day.”

This tale isn’t new as in late 2010 North Korean threat actors reportedly targeted UK-based vaccine maker AstraZeneca whose vaccine was co-developed with the University of Oxford. The attack method was spear phishing via social media intending to inject malware by way of offering AstraZeneca employees fake job offers.

The attack surface of pharmaceutical organizations will only continue to grow and the need for better cybersecurity will become more of a priority as more pharma companies will fall victim which could result in disastrous consequences.

Pharma A Prime Cyber Attack Target

The pharma industry is no stranger to being targeted by attackers. Pharmaceutical companies suffer more breaches than any other industry as a result of malicious activity with an average breach resulting in a loss of over 5 million dollars according to the 2020 Cost of a Data Breach Report. Nation-state attackers are induced to target pharmaceutical firms for financial profit, which was one of the main goals for the cybercriminal group who launched the reportedly North Korean government-sponsored attacks.

Cyber espionage is now being recognized as another influential reason for state-sponsored attackers attempting to gain technological advantage for their countries’ economies. The pharmaceutical industry’s key components are based on innovation with comprehensive R&D investments, intellectual property, and patented data. Anytime any data or property is affected or exploited by an attack it can result in devastating losses which can erode patient and consumer trust.

The 2019 attack on German drug conglomerate Bayer is an example of cyber espionage by a state-sponsored attack. Bayer fell victim to a cyberattack from the Chinese threat actor group known as Wicked Panda. The attackers used the Winnti malware, which makes it possible to access a system remotely and then pursue further exploits once in the system.

Pharmaceutical Intellectual Property Attacker’s Favorite Target

Sensitive information and data are not the only attractive targets of pharma companies that hackers are looking to exploit and gain access to. Nation-state hackers have their eyes on a different prize, intellectual property. Protecting intellectual property has always been a priority for the pharmaceutical industry.

Pharmaceutical products are typically only protected by patent for seven years in the United States, and this data could help foreign generic drug manufacturers to be more ready for the expiration of the patent. For example, Chinese nation-state hackers are targeting US pharmaceutical companies to gather information and share it with Chinese companies to offer an advantage against their western competitors.

The years of research and development into developing new pharmaceuticals have attracted hackers to exploit intellectual property somewhat enticing. Recent attacks have targeted intellectual property such as information related to the development of a vaccine or other medical mitigation measures.

Another risk that many pharmaceutical companies experience is that the technology used in their manufacturing systems is much older than the internet, which results in systems being extremely insecure. They were originally designed as ‘air-gapped’, or isolated systems and not built to confront any cybersecurity attacks. For pharmaceutical companies, any size attack by an adversary can result in loss of productivity and availability of physical devices. This can lead to safety issues, reputation, financial losses, and even death.

To fight off different attacks, and the possible exploitation of vulnerabilities, organizations and more specifically enterprises need to address the need to secure the crucial intellectual property while understanding which devices and technologies are at risk. This starts with increasing awareness of nation-state attacks and adopting a more proactive approach to cybersecurity.

What Pharmaceutical Firms Can Do

Pharmaceutical firms need to allocate the right amount of attention and resources to understand what they can do to protect the company’s data and system. The first step is understanding the different risks that come with pharmaceutical manufacturers and systems and what steps are needed to ensure better security.

With the increased attention and awareness of state-sponsored attacks over the past few years, pharmaceutical companies now are understanding the importance of implementing the right security practices when it comes to securing their IT and OT systems. As pharmaceutical manufacturers move forward digitally and continue to modernize their processes with more robotics and IoT technologies, this creates new entry points for attackers to exploit and move laterally within an organization’s system and servers.

In the past, most manufacturers were using stand-alone systems, but with the advancement of technology, they are increasing their connections to the internet to allow third-party contractors and vendors to gain access to work with their equipment. This has forced the security teams at pharmaceutical companies to change their approach to securing their product.

While not every pharmaceutical company has changed its security approach, there has been a massive increase in awareness which has led to changes in the industry. Some companies, like Taro and Rafa, have taken a more proactive approach when securing their connected OT environments with a passive network monitoring solution, specifically designed for OT environments. This has allowed them to have full visibility into their network, reduce the risk of operational downtime, improve their network security and comply with demanding industry regulations.

As pharmaceutical organizations continue to be on the radar for cyberattacks, now is the time to take action and detect and mitigate any risks. Having the right approach and strategy in place with the right blend of awareness and technology, pharmaceutical organizations can now implement the right approach to securing their data, servers, and intellectual property against cyber attacks.

How SCADAfence Discovered Targeted Ransomware In A Pharmaceutical Facility

SCADAfence’s Incident Response team recently assisted a big pharmaceutical company with an industrial cybersecurity emergency. This research has been published with the goal of assist organizations to plan for such events and reduce the impact of targeted industrial ransomware in their networks.

Our Researchers Discover Another Vulnerability 

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

CVE-2020-24685 is a CVSS 8.6 (CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) remote CPU DoS vulnerability in all of ABB’s AC500 V2 products with onboard ethernet are affected by this vulnerability (with latest firmware v2.5.4) that has been discovered by SCADAfence researcher Yossi Reuven.

ABB is one of the world’s leading electronics and electrical equipment manufacturing companies (holding an overall share in the world DCS market of 19.2%), and is in use by many of our customers. 

About The Vulnerability – CVE-2020-24685

AC500 V2 Series is one of ABB’s PLC offerings – designed as a compact entry-level PLCs for small applications. AC500 V2’s communication with Automation Builder (Engineering software package) is done via ABB proprietary wrapper protocol encapsulation of CoDeSys SDE protocol (which works on both TCP and UDP). 

A single specially crafted packet sent by an attacker over the ABB protocol on port 1200 will cause a denial-of-service (DoS) vulnerability. The PLC’s CPU will get into fault mode, causing a hardware failure. The PLC then becomes unresponsive and requires a manual (physical) restart to recover. In addition, the buffer overflow condition may allow remote code execution.

What SCADAfence Recommends Asset Owners To Do

Perform an Industrial Vulnerability Management Process

Please refer to our guide on this topic: https://www.scadafence.com/public-preview-a-comprehensive-guide-to-industrial-device-patching/

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

Upgrade to the Latest Firmware

ABB has developed a new firmware version 2.8.5 fixing this vulnerability. This firmware version is released for the following affected PLC types:
* PM573-ETH
* PM583-ETH

Currently no firmware update is available to other products in the AC500 V2 line. When ABB makes such a patch available, we recommend asset owners to consider upgrading.

Prevent Unauthorized and Untrusted Access

– Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.

– Use within a LAN and block access from untrusted networks and hosts through firewalls.

Special Thanks & Recognition

The SCADAfence Research team would like to thank the ABB team for the collaboration.

SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.

Exploit PoC

We wrote a Python POC (GPLv3) script of the exploit in action.

Currently, there’s no patch available. As a result, we limit the access to the exploit to vetted individuals only. The exploit is only available for educational and legal research purposes.

Warning: The script will crash the PLC’s CPU – do not use it in production.

To get this free python exploit, please send an email to research@scadafence.com, identify yourself and explain how you’re going to use the exploit. We reserve the right to refuse any request.

What a year.

What a year this has been to humanity, an epidemic has fundamentally changed the way we interact with one another, social distancing, lockdowns and restrictions in virtually everything we do. Covid-19 has changed the way we conduct business and shifted the way we secure our businesses.

Adversaries’ activities are at an all-time high, be it nation state actors or financially driven attackers. The ever-changing threat landscape is evolving faster than ever and OT networks and IoT devices are a core target for such malicious activities. Repeated attacks from threat actors sponsored by nation-states, such as the recent SolarWinds attack on Microsoft, FireEye, the US government, and around 18,000 other organizations, have prompted fears not only of significant physical damage and economic disruption but also of the increased possibility of all-out cyber warfare. You could describe the situation as an all-out war, only with no guns involved and not a single bullet shot.

In the midst of all of this, we felt that it is imperative to support the broader community and so with the outbreak of Coronavirus earlier this year, we offered all of our products for free for an initial term. And today, we are honored to protect some of the world’s largest organizations in manufacturing and critical infrastructure. In fact, the Japanese government publicly praised SCADAfence’s efforts to secure multiple Japanese organizations, completely free of charge.

Despite the Covid-19 pandemic and possibly because of the recent spike in attacks, our team at SCADAfence has managed to sustain our exponential growth and the continued scaling of our global footprint with rapid expansion in new markets, such as LATAM and APAC.

This rapid expansion can also be attributed to our technological advancements and innovation. Launching new features based on customers’ real needs, such as our User Activity Tracking, a feature that was built specifically for the new, work from home norm; and the SCADAfence Governance portal, which centrally monitors the adherence to industry standard and regulations.

One of the things we’ve always taken pride in is putting our customer’s needs as our top priority. To that end, SCADAfence has won 11 industry awards in 2020, more than all companies in the OT security industry combined – but that all pales in comparison to having the highest customer satisfaction rating on Gartner’s Peer Insights. Not to mention the feedback we’ve been receiving from our customers, here’s just one example:

 “SCADAfence has well exceeded all of our expectations in both service level and product quality. Their team has been extremely knowledgeable, customer-focused, and timely in all aspects of our interactions.”

Process Controls Engineer at a Fortune 100, O&G company.

There’s no doubt that 2020 has been a challenging year but also a year full of growth, dedication and grit. I’d like to thank our entire team for all their hard work, efforts and creativity. A big thank you to all of our partners and of course, our customers for choosing to work with us, it’s not a given and never will be.

If you’ve made it this far and even if you did not, I’d like wish you a great 2021!

Enjoy the holiday season and stay safe.

Happy new year!

The ’85 Bears of Cyber Physical Security

A few days ago, our elite cybersecurity team of defenders, faced over 50 of the world’s top hackers and security practitioners in the Hack the Building event. 

SCADAfence Researchers Discover A Sensitive Information Leak Vulnerability in Canon Printers As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques. CVE-2020-16849 is a remote information disclosure vulnerability in Canon printers that was discovered by SCADAfence researchers Maayan Fishelov, Dan Haim and Ofer Shaked. The vulnerability allows a remote attacker to leak the address book and administrator password, unauthenticated, over the network. Canon is one of the world’s leaders in cameras, photocopiers, printers and broadcasting equipment. SCADAfence has been working with Canon for the last few months in handling this vulnerability, and on October 1st, Canon published an official security advisory reporting this vulnerability and its mitigations. About The CVE-2020-16849 Vulnerability The vulnerability exists inside the printer’s IP protocol stack, which is used by Canon Laser Printers and Small Office Multifunctional Printers. The potential for a third-party attack exists on the devices when they’re connected to a network that allows fragments of the “Address book” or/and “administrator password” to be acquired through an unsecured network. It should be noted that when HTTPS is used for the communication of Remote UI, data is secured by encryption. To date, there have been no confirmed cases of the vulnerability being exploited to cause harm. However, in order to ensure that Canon’s customers can use their products securely, new firmware will be available for affected Canon products.

What SCADAfence Recommends Vendors To Do

Prevent Unauthorized and Untrusted Access – Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. – Use within a LAN and block access from untrusted networks and hosts through firewalls.   Perform an IoT Vulnerability Management Process Tools such as the SCADAfence IoT Security platform can help you identify vulnerable devices. Monitor for Unauthorized Network Activity and Exploitation Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network. Upgrade to the Latest Firmware Canon issued a new firmware that users are able to upgrade to.   Special Thanks & Recognition The SCADAfence Research team would like to thank the Canon team for a speedy vulnerability reporting process even during the challenging COVID-19 times. SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.   Exploit PoC We wrote a Python POC (GPLv3) script of the exploit in action. The exploit is only available for educational and legal research purposes. Warning: The script might crash the printer – do not use it in production. To get this python exploit, please send an email to research@scadafence.com, identify yourself and explain how you’re going to use the exploit. We reserve the right to refuse any request.

The first Israeli high-tech delegation to the Emirates departed this morning (Sunday), led by Jerusalem Venture Partners Fund and entrepreneur Erel Margalit. Over the next four days, the delegation is set to hold high-level meetings with senior officials as well as innovation and investment counterparts in Dubai and Abu Dhabi, to build cooperation between Israeli and Emirati hi-tech, and deepen the newly found relationship between the two countries.

Erel Margalit, CEO and founder of the Jerusalem Venture Partners (JVP), February 18, 2019. / Hadas Parush/Flash90

On Tuesday, participants will join first of their kind ’round table’ meetings between entrepreneurs from the two countries– both of which are renowned internationally as leaders in the field. Ahead of the visit, the delegation was honored to have received the warm welcome of the UAE Government and was looking forward to the opportunity to meet senior ministers during the visit.

“Hi-tech is the locomotive engine that leads the Israeli economy, so we have a key role in leading relations and cooperation with the Emirates, with an emphasis on partnership,” commented JVP founder and chairman of Margalit Startup City Erel Margalit.

He added, “I am proud to lead the first Israeli hi-tech delegation to the Emirates. Our companies have been in business contact with the Emirates for a number of years, and now an opportunity has arisen to expand this network of relationships, deepen the ties significantly, and allow more and more Israeli companies and entrepreneurs to be part of this connection and success.”

Margalit stressed, “This is not just a business opportunity, but a political opportunity for a new page between the Israeli hi-tech community and the entire Middle East. With us in the delegation, are the CEOs of emerging Israeli hi-tech companies from every field, and I am sure we will create real partnerships here that will contribute to building successful Israeli companies that will propel the Israeli economy forward, precisely during this period, and create more and more new jobs.”

The delegation was invited to the Emirates by the DIFC (Dubai International Financial Center), the body that manages the free trade area in the financial heart of Dubai – which is one of the global financial centers. Members of the delegation will also receive a comprehensive tour of the financial center.

Among the companies participating in the delegation: Earnix, one of the world’s leading companies in insurtech and personalization of insurance and banking, an area with great interest in the Emirates, which is considered a powerhouse in the field of insurance in the Middle East; Up Control, an emerging Israeli company leading a revolution in the management of remote work networks; Morphisec, from Beer Sheva, which is a leader in innovative technology for protecting endpoints in organizations, which is a particularly relevant development for the protection of banks and infrastructure; and Secret Double Octopus, also from Beer Sheva, which provides a leading biometric solution for passwords.

Also of significant interest to the Emirati Government, companies, and investors is the field of foodtech. Among the delegation in the field is InnovoPro, a company that produces a protein substitute from chickpeas with high nutritional values. One of the most interesting companies in the world in the field, it is already a major player in dairy products in some of Europe’s leading chains, with products from ice-cream to mayonnaise. The company is now preparing for a breakthrough in the Middle East. Another company participating in the delegation is Agrint, which has developed technology to identify diseases in trees before they cause damage. One of the most serious infections in the world is the palm bacteria that destroys entire palm groves. Agrint’s solution for this has significant potential for agriculture in the Middle East.

Members of the delegation included: Entrepreneur, and former senior official in the Mossad, David Meidan; Udi Ziv, CEO of Earnix; FrankZvi, CEO of Copilot; Elad Ben-Meir,-CEO of SCADAfence; Dror Liwer – Co-Founder& Chief Security Officer of Coronet; Asaf Ganot, CEO of Control Up; Omri Kohl, CEO of Pyramid Analytics; Gal Rimon, CEO of Centrical; Ronen Yehoshua, CEO of Morphisec; Raz Refaeli, CEO of Secret Double Octopus; Mark Gazit, CEO of Thetaray; Yaron Ravkaie, CEO of Teridion; Tali Nehushtan, CEO of InnovoPro; Yehonatan Ben Hamozeg, CEO of Agrint; they were joined by JVP partners Yoav Tzruya, Fiona Darmon, Gadi Porat, Michal Drayman, and Rinat Remler, senior VPs Shimrit Kenig, Guy Pross, Pnina Ben Ami, and communications director Omri Sheinfeld.

Source from: https://www.jewishpress.com/news/business-economy/first-israeli-hi-tech-delegation-takes-off-for-the-emirates/2020/10/25/

Our Researchers Discover Another Vulnerability 

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

CVE-2020-16850 (US ICS-CERT) is a CVSS 8.6 remote CPU DoS vulnerability in Mitsubishi Electric iQ-R Series that has been discovered by SCADAfence researcher Yossi Reuven.

Mitsubishi Electric is one of the world’s leading electronics and electrical equipment manufacturing companies, and is in use by many of our customers. We have been working with Mitsubishi Electric for the last few months in handling multiple vulnerabilities, and on October 8th, Mitsubishi Electric published an official security advisory reporting this vulnerability and its mitigations.

About The Vulnerability – CVE-2020-16850

MELSEC iQ-R Series is Mitsubishi Electric flagship product line – designed for high productivity automation systems. iQ-R CPUs’ communication with GX Works 3 (Engineering software package) is done via Mitsubishi Electric proprietary protocol MELSOFT (which works on both TCP and UDP).

A single specially crafted packet sent by an attacker over the MELSOFT UDP protocol on port 5006 will cause a denial-of-service (DoS) vulnerability due to uncontrolled resource consumption (CWE-400). The PLC’s CPU will get into fault mode, causing a hardware failure (error code: 0x3C00 – hardware failure). The PLC then becomes unresponsive and requires a manual restart to recover.

What SCADAfence Recommends Vendors To Do

Perform an Industrial Vulnerability Management Process

Please refer to our guide on this topic: https://www.scadafence.com/public-preview-a-comprehensive-guide-to-industrial-device-patching/

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

Upgrade to the Latest Firmware (When Available)

Currently no firmware update is available (will be released soon by Mitsubishi Electric)

Prevent Unauthorized and Untrusted Access

– Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.

– Use within a LAN and block access from untrusted networks and hosts through firewalls.

Block UDP Port 5006 and Use MELSOFT TCP

MELSOFT is an engineering software for Mitsubishi PLCs and gives users the option to use either the (connectionless) UDP and (connection-oriented) TCP protocols for programming and configuring the devices. SCADAfence recommends to block Block UDP port 5006 since the cyberattack leverages the connectionless UDP protocol and can cause the PLCs to stop functioning and cause a denial of service. Instead, users should use the TCP protocol for communicating with devices in the shop floor or the control network.

Special Thanks & Recognition

The SCADAfence Research team would like to thank the Mitsubishi Electric team for a speedy vulnerability reporting process even during the challenging COVID-19 times.

SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.

Exploit PoC

We wrote a Python POC (GPLv3) script of the exploit in action.

Currently, there’s no patch available. As a result, we limit the access to the exploit to vetted individuals only. The exploit is only available for educational and legal research purposes.

Warning: The script will crash the PLC’s CPU – do not use it in production.