Pharmaceutical Threat Intelligence: Use Cases

Introduction

Cyjax monitors critical asset information covering the clear, deep and darknet for businesses of all sizes across
many different industry verticals. We have serviced two major pharmaceutical companies for many years, delivering
timely and actionable intelligence. We have worked closely with their security operations teams, helping to reduce
their risk of an incident by monitoring for threats and vulnerabilities across their infrastructure. In this report, we
explain how we monitor and visualise information, and we provide a sample of our outputs.

Cyjax – The Service

We follow a two-pronged approach at Cyjax: automated monitoring through our threat intelligence platform,
coupled with analyst support to develop precursor intelligence reporting for our clients. Using proprietary dashboard
technology – as shown below – we can map out incidents specific to your vertical and develop a clear understanding
of the emerging threats and vulnerabilities to your critical assets. We monitor your people, office locations,
technology stack, brands and third-party suppliers against a vast and varied set of sources.

Further, we track threat actors who are actively targeting your sector, and we analyse the tactics,
techniques and procedures (TTPs) that are being leveraged to infiltrate similar organisations so that you can better
protect your own. We also collect contextualised indicators of compromise (IOCs) that can be seamlessly integrated
with any SIEM or third-party tool. Together, our TTPs and IOCs offer you a comprehensive intelligence and
protection package to effectively mitigate potential intrusions.

We can further provide coverage around brand infringement, intellectual property, and illegal trading of your
products through our darknet monitoring.

Cyjax Reporting

We have a highly skilled team of analysts who focus primarily on open-source intelligence (OSINT) to protect our
clients by understanding their digital footprint and attack surface. This is of critical importance. When we discover a
vulnerability or threat, we gather as much information as possible, provide context and any appropriate mitigation,
so that the client can make informed business decisions to protect their organisation. The following is a list of
sample outputs.

We monitor exposed RDP connections for our clients. Alongside vulnerable VPNs, they have become one of the
primary initial access vectors into networks. We have seen countless ransomware attacks recently in which RDP
connections have been brute-forced to facilitate an attack.

Sample output 1 – Exposed RDP connection discovered

We have identified a [redacted] IP address with Remote Desktop Protocol seemingly exposed.
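As an added example not drawn from the Cyjax report, a defender-side detection for the RDP brute-forcing described above: it runs over constructed Windows Security events (event 4625 failures and 4624 successes with logon type 10, i.e. RDP) in an assumed one-line export format, flags any source IP that accumulates failures inside a sliding window, and records whether a successful logon followed the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed one-line export format (not a real log dump).
# Event 4625 = failed logon, 4624 = success, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-08-14T02:00:01 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator
2020-08-14T02:00:02 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=admin
2020-08-14T02:00:03 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=backup
2020-08-14T02:00:04 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=sql
2020-08-14T02:00:05 EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=test
2020-08-14T02:00:06 EventID=4624 LogonType=10 SrcIP=203.0.113.7 User=backup
2020-08-14T02:10:00 EventID=4625 LogonType=10 SrcIP=198.51.100.9 User=jsmith
2020-08-14T02:30:00 EventID=4625 LogonType=10 SrcIP=198.51.100.9 User=jsmith
2020-08-14T02:31:00 EventID=4625 LogonType=3 SrcIP=192.0.2.5 User=svc
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"SrcIP=(?P<ip>\S+) User=(?P<user>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect_rdp_bruteforce(log_text, threshold=5, window_minutes=5):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window, and note whether a successful RDP logon followed the burst."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # src IP -> (timestamp, user) of recent failures
    alerts = {}
    for ev in parse(log_text):
        if ev["lt"] != "10":  # only RemoteInteractive (RDP) logons matter here
            continue
        q = recent[ev["ip"]]
        if ev["eid"] == "4625":
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ev["ip"], {"users": set(), "success_after": False})
                a["users"].update(u for _, u in q)
        elif ev["eid"] == "4624" and ev["ip"] in alerts:
            alerts[ev["ip"]]["success_after"] = True  # burst followed by a success
    return alerts
```

The non-RDP failure (logon type 3) and the two widely spaced failures from the second address do not fire at the defaults; widening the window shows how the threshold and window together set the sensitivity.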


Sample output 2 – Threat actor selling information from multiple UAE-based healthcare organisations – 14 August 2020

The threat actor [redacted] claims to be selling data related to multiple healthcare organisations based in the UAE.
This threat actor has previously targeted healthcare organisations in the MENA region. The below post was taken
from [redacted].

NOTE: Further stolen data samples have been redacted.

The actor has a mixed reputation in terms of credibility. However, given the number of samples provided as
evidence, this database appears to be a genuine leak. While the source is unknown, the number of affected
organisations across the UAE points to this database being stolen from a central health authority or regulatory
body.

Moreover, the type of personal information exposed in this database – email addresses, full names, DOB, place of
work and hashed passwords – makes it an invaluable resource for committing further criminal activity.


Sample output 3 – Avaddon ransomware operators announce new data leaks blog – Originally published on 11.08.2020

The Avaddon ransomware operators have announced a data leaks blog that will be used to publish the stolen data
of victims who do not pay their ransom. The threat actors made the announcement on darknet forum [redacted],
stating that they are still recruiting new affiliates and looking for network and RDP access to systems.

There is currently only one entry on the group’s blog: EFCO Forms (or EFCO Formwork Solutions), a US-based
construction company. The group has leaked 3.5MB of documents from the organisation, which include
employee names, addresses, job titles, phone numbers, and email addresses, as well as invoices, UK customer
orders, and commercial data.

Analyst comment: Avaddon is a relatively new ransomware. In June 2020 Cyjax discovered the new Avaddon
ransomware-as-a-service being advertised on Russian darknet forums, with its operators recruiting affiliates.
Within days of this discovery, researchers began to observe attacks in the wild. Avaddon has also been linked to the
Phorpiex botnet and Nemucod downloader.

The Maze ransomware operators were pioneers of the tactic of stealing victim data and using it for extortion; the
group introduced the concept of a leaks blog to put pressure on victims in early 2020. This is a tactic that has now
been adopted by many ransomware operators, meaning that all companies should now accept that a ransomware
attack likely equates to a data breach.

Update – 27.08.2020: Cofense has now reported that Avaddon is being distributed alongside Raccoon Stealer, an
infostealer, in a campaign targeting several industry sectors including energy, healthcare, insurance, manufacturing,
mining and retail. The researchers believe that this is another indication of the Avaddon operators’ willingness to
exfiltrate data and use it to extort victims. This campaign appears to have successfully evaded secure email
gateways (SEGs), and the two payloads are being pushed by the Smoke Loader downloader Trojan.[1]


Sample output 4 – New @APT29 activity disclosed, more WellMess samples uncovered

Kaspersky’s Brian Bartholomew has shared new activity linked to Advanced Persistent Threat group 29 (@APT29).
Several ELF binaries of the WellMess malware were uploaded to VirusTotal by a user in China. The samples are
reportedly UPX-packed and also share similarities with the ELF version of the WellMail malware.[2]

NOTE: IOCs for this threat are available to subscribers.

Analyst comment: WellMess is Golang malware that has been used by @APT29 since at least 2018. It was first
reported by JPCERT/CC and is designed to execute arbitrary shell commands and can upload and download files.
WellMess supports HTTP, TLS, and DNS communication methods with the APT actors’ C&C servers.

In July, the UK NCSC and US NSA released a joint public security advisory stating that a Russian state-sponsored
group, tracked as @APT29, had been infiltrating organisations involved in coronavirus vaccine development.[3] The
malware involved in these attacks included WellMess, WellMail, and SoreFang.

@APT29 (also known as @CozyBear, @TheDukes, or @YTTRIUM) is likely to continue to target organisations
involved in COVID-19 vaccine research and development. The group has vast resources and skills: a resurgence
from it would be a major security concern, particularly for the US and its allies. With the 2020 US presidential
election looming, as well as the Tokyo 2021 Olympics, it is possible that these Russian threat groups may be more
active in the coming months.


Conclusion

We have worked tirelessly throughout this pandemic to help protect our pharmaceutical clients whilst they continue
to press ahead with vaccine research. In this report, we have provided an overview of our service and a sample of
outputs that these clients typically receive as part of our offering. We would be delighted to deliver our full capability
to you, as we believe Cyjax can help in better protecting your critical assets.


Sources

[1] https://cofense.com/avaddon-ransomware-joins-data-exfiltration-trend/

[2] https://twitter.com/Mao_Ware/status/1300448107218563080

[3] https://www.ncsc.gov.uk/news/uk-and-allies-expose-russian-attacks-on-coronavirus-vaccine-development