[Security Weekly] COVID-19 Vaccine Maker Dr. Reddy’s Ceases Operations Following Cyberattack
5th Week of October 2020
1. COVID-19 vaccine maker Dr. Reddy’s ceases operations following cyberattack
Dr. Reddy’s Laboratories, an Indian pharmaceutical giant under contract to produce Russia’s “Sputnik V” COVID-19 vaccine, was forced to shut down all its plants in the US, Britain, India, Brazil, and Russia.
Dr. Reddy’s is a major pharmaceutical manufacturer that produces medicines for customers worldwide, including the UK National Health Service (NHS). The Phase II trial for the “Sputnik V” COVID-19 vaccine was approved by the Drugs Controller General of India (DCGI) on October 19.
Soon after the attack hit, Dr. Reddy’s closed down all its plants worldwide, and isolated its data centers from one another to prevent the attack from spreading. The company expected its operations to resume within 24 hours.
Dr. Reddy’s did not specify the type of attack it suffered or whether sensitive information was compromised. Nevertheless, based on the situation described, it was likely hit by a ransomware attack. Pharmaceutical companies hold sensitive intellectual property of drugs and vaccines. A leak of such data could result in significant disruptions in the global pharmaceutical industry.
2. Finnish psychotherapy patients blackmailed individually following data breach
Finnish-based psychotherapy clinic Vastaamo suffered a serious data breach that compromised not only the patients’ personally identifiable information (PII), but also the detailed records of the therapy sessions. Vastaamo serves over 40,000 patients from 20 branches across Finland.
The incident can be traced back to November 2018, when hackers gained initial access to the clinic’s customer database. The CEO at the time (now fired) covered up the incident from the board of directors and left the vulnerability unfixed until March 2019. It was not until September 2020 that the company finally became aware of the data breach, when the attackers started to blackmail its patients.
According to the victims, the attackers initially asked for a ransom of 200 euros worth of Bitcoin, and raised it to 500 euros after 24 hours. They threatened that if no payment was made within 72 hours, the victim’s therapy session records would be released to the public. To show that they held the data, the attackers had already published over 10GB of records belonging to 300 patients on the dark web. Some of the victims were teenagers.
Vastaamo asked all victims to contact the police immediately. The incident is being treated seriously by Finnish authorities and the public. The attackers’ actions were condemned directly by Finnish Prime Minister Sanna Marin and President Sauli Niinisto.
3. European IT service provider Sopra Steria attacked by Ryuk ransomware
Sopra Steria, a France-based IT service provider and consulting firm, disclosed a cyberattack in a public statement on October 22. Listed on Euronext, Sopra Steria has over 46,000 employees in 25 countries, with clients including the UK National Health Service (NHS), HSBC, Hyundai Capital, and the Bank of China.
The attack took place on October 20, when parts of Sopra Steria’s internal network were encrypted, disabling many of its services. Experts believe that the attack was likely carried out by operators of the Ryuk ransomware family.
Sopra Steria stated that it has implemented the necessary measures to stop the infection from spreading further and is working with security experts to recover the affected systems, which may take several weeks. However, the company has not yet disclosed which networks were affected or what kinds of data were compromised, leaving many customers worried.
Penta Security highly recommends investing in a database encryption solution like D’Amo to keep sensitive data safe from ransomware attacks, as well as to comply with international data privacy regulations such as the GDPR and CCPA. To learn more about D’Amo, click here.
4. Donald Trump’s election campaign website hacked by cryptocurrency scammers
On October 27, with the US presidential election only a week away, President Trump’s election campaign website was hacked and defaced by cryptocurrency scammers for up to 30 minutes.
The “About” page of the website was replaced by a message that read “This site was seized”, followed by “The world has had enough of the fake news spread daily by President Donald J. Trump.” A further paragraph claimed that the hackers had compromised multiple devices and obtained secret conversations between Trump and his relatives, and that this material showed the President was involved in the origin of COVID-19 and in collusion with foreign actors. None of these claims was backed up by evidence.
A cryptocurrency scam was included at the bottom of the page: visitors were asked to send funds to one of two Monero addresses, where one button read “Yes, share the data” and the other read “No, do not share the data.”
Cybersecurity experts believe that the attackers possibly gained access to the website’s WordPress backend by guessing the admin password. Not long ago, an ethical hacker from Europe claimed to have gained access to Trump’s Twitter account by guessing the password “maga2020!”, raising concern about the weak security measures protecting the President’s accounts.
5. US government issues joint alert as numerous hospitals hit by Ryuk ransomware
On October 29, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint advisory warning that a large campaign by operators of the Ryuk ransomware had been targeting US hospitals, affecting their ability and capacity to treat COVID-19 patients.
The campaign was launched by the Eastern European hacker group UNC1878, with financial gain as the primary goal. Security experts described it as the most significant cybersecurity threat the US had faced, as patients of the affected hospitals had to be diverted to other facilities.
The attackers’ tactic involved phishing emails containing malicious links. Once a link was opened, an executable was downloaded and installed, giving the attackers remote access to the infected computer, which they then used to deploy the Ryuk ransomware.
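The delivery chain above (a link opened from email, followed by an executable download on the same machine) is something a SOC can look for in web proxy logs. The following is an added example, not code from the advisory or from Penta Security: a small correlation rule run over a few constructed proxy-log lines. The log format, the webmail referrer host `mail.example.internal`, the workstation names and the URLs are all assumptions made for illustration; in practice the field names and the list of executable content types would be taken from the organisation’s own proxy.

```python
"""
Added example (not from the advisory or the original article): correlate a
click originating from the corporate webmail with an executable download
from the same host within a short time window, which is the phishing-link-
to-loader pattern described in the Ryuk advisory summary above.
"""
from datetime import datetime, timedelta
import re

# Constructed sample proxy log lines (not real traffic):
# timestamp, client host, referrer host, requested URL, response content type.
SAMPLE_LOG = """\
2020-10-27T09:12:01Z host=WS-0412 referrer=mail.example.internal url=https://docs-share.example/invoice/ content_type=text/html
2020-10-27T09:12:09Z host=WS-0412 referrer=docs-share.example url=https://docs-share.example/invoice/report.exe content_type=application/x-msdownload
2020-10-27T09:30:44Z host=WS-0077 referrer=mail.example.internal url=https://vendor.example/portal content_type=text/html
2020-10-27T11:02:10Z host=WS-0077 referrer=intranet.example url=https://updates.example/agent.exe content_type=application/x-msdownload
2020-10-27T12:15:00Z host=WS-0099 referrer=- url=https://cdn.example/setup.exe content_type=application/x-msdownload
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) referrer=(?P<ref>\S+) "
    r"url=(?P<url>\S+) content_type=(?P<ctype>\S+)"
)

WEBMAIL_HOST = "mail.example.internal"  # assumption: referrer seen when a user clicks a link in webmail
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")
WINDOW = timedelta(minutes=10)  # assumption: how quickly a loader follows the click


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_executable(ev):
    """True when the response looks like a Windows executable by type or by URL suffix."""
    return ev["ctype"] in EXECUTABLE_TYPES or ev["url"].lower().endswith(EXECUTABLE_SUFFIXES)


def find_phish_to_exe(log_text, window=WINDOW):
    """Return (host, click_url, exe_url) for every executable download that follows
    a webmail-referred click from the same host within `window`. A link in the mail
    that points straight at an executable counts as well."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    last_mail_click = {}  # host -> most recent webmail-referred request
    hits = []
    for ev in events:
        if ev["ref"] == WEBMAIL_HOST:
            last_mail_click[ev["host"]] = ev
            if is_executable(ev):  # direct link to an executable from the mail client
                hits.append((ev["host"], ev["url"], ev["url"]))
            continue
        click = last_mail_click.get(ev["host"])
        if click and is_executable(ev) and ev["ts"] - click["ts"] <= window:
            hits.append((ev["host"], click["url"], ev["url"]))
    return hits


if __name__ == "__main__":
    for host, click_url, exe_url in find_phish_to_exe(SAMPLE_LOG):
        print(f"ALERT {host}: webmail click {click_url} followed by executable {exe_url}")
```

In the constructed sample only WS-0412 is flagged: WS-0077 also clicked a mail link, but its executable download came 90 minutes later and falls outside the window, and WS-0099 never clicked a mail link at all. The window and the referrer check are what keep ordinary software updates from firing the rule; tune both against the organisation’s real logs before relying on it.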
A number of hospital networks have been hit. These include Sky Lakes Medical Center in Oregon, St. Lawrence Health System in New York, Wyckoff Heights Medical Center in Brooklyn, University of Vermont Health Network, and Universal Health Services, which was hit a few weeks back.
The US government, through its joint advisory, urges all hospitals to review and upgrade their cybersecurity measures as needed, and install the latest patches for their software.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security