dnaLIMS, from DNATools Inc., is a “state-of-the art web-based laboratory information management system used to track and manage (scientific DNA research)”. It is widely used by researchers in labs and universities around the world. In 2017, multiple vulnerabilities were discovered in this software. After the vendor was notified, its response indicated that these vulnerabilities would not be fixed. It has since been confirmed that the vulnerabilities still exist in the software, and attackers have recently been observed exploiting them.
In March 2017, multiple vulnerabilities in the dnaLIMS software were publicly disclosed after DNATools and the relevant authorities had been notified. The vulnerabilities identified in this software are as follows:
- CVE-2017-6526: Improperly Protected Web Shell
- CVE-2017-6527: Unauthenticated Directory Traversal
- CVE-2017-6528: Insecure Password Storage
- CVE-2017-6529: Active Session Hijacking
- Cross-Site Scripting
When properly exploited, the vulnerabilities will allow attackers to execute code remotely, hijack active user sessions, and steal data including but not limited to DNA hash information and user credentials.
Reconnaissance against these systems is easy and requires little more than an advanced search-engine query for the application's distinctive pages. Because exploitation does not require specialised knowledge of the product or any additional equipment, breaking into these systems takes very little skill. A Metasploit module for these vulnerabilities is freely available, which increases the odds that low-skilled attackers will take advantage of them.
Recently, security researcher Ankit Anubhav discovered that these systems are being targeted by attackers operating from an Iranian IP address (18.104.22.168) on the Shahed Telecommunications network, near the Iraqi/Iranian border. Approximately one sixth of the hosts on this network (~5,500 hosts) have botnet tracker hits in our collections, the large majority for Anubis, Avalanche, and Andromeda.
By sending a specific POST request to cgi-bin/dna/sysAdmin.cgi on the server, attackers are able to gain unauthorized administrative access to the dnaLIMS system where they can view plaintext password files on the system, view test results/configuration data, and exfiltrate data or use the system as a pivot point on the network for further attacks.
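Because no vendor fix is expected, the practical defence is to watch for the exploitation traffic and to restrict access to the administrative script at the web server or firewall. The following is an added example (not code from the original page, from DNATools, or from the Metasploit module) that scans a combined-format Apache/nginx access log for the two request patterns the text describes: a POST to cgi-bin/dna/sysAdmin.cgi, and a path-traversal sequence aimed at any dnaLIMS CGI. The traversal check is a generic heuristic, since the page does not name the vulnerable script or parameter; the internal address ranges, the script name `view.cgi` in the sample log, and the log lines themselves are constructed for illustration.

```python
"""Scan web-server access logs for dnaLIMS exploitation attempts (added example).

Assumes a combined-format (Apache/nginx) access log and that the defender knows
the lab's own internal address ranges. The traversal pattern is a generic
heuristic, not a vendor signature.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Combined log format: client IP, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Endpoint named in the text: a crafted POST here yields unauthenticated admin access.
WEBSHELL_PATH = "/cgi-bin/dna/sysAdmin.cgi"

# Generic path-traversal heuristic (plain and URL-encoded "../") applied to any dnaLIMS CGI.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)", re.IGNORECASE)

# Assumed internal ranges (RFC 1918); adjust to the lab's actual address plan.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of INTERNAL_NETS (unparseable counts as external)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if the line is benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, raw_path, status = m["method"], m["path"], int(m["status"])
    path = raw_path.split("?", 1)[0]          # drop the query string for the endpoint match
    if not path.lower().startswith("/cgi-bin/dna/"):
        return None                           # only dnaLIMS CGI traffic is of interest

    rule = None
    if method == "POST" and path.lower() == WEBSHELL_PATH.lower():
        rule = "webshell_post"                # improperly protected web shell (CVE-2017-6526)
    elif TRAVERSAL_RE.search(raw_path):
        rule = "directory_traversal"          # unauthenticated directory traversal (CVE-2017-6527)
    if rule is None:
        return None
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "rule": rule,
        "path": raw_path,
        "status": status,
        "external": is_external(m["ip"]),
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Classify every line and keep the hits, in log order."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log (not real traffic); "view.cgi" is a hypothetical script name.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2018:10:01:22 +0000] "GET /cgi-bin/dna/home.cgi HTTP/1.1" 200 4821
203.0.113.10 - - [12/Feb/2018:10:01:30 +0000] "POST /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 200 1337
198.51.100.7 - - [12/Feb/2018:10:02:05 +0000] "GET /cgi-bin/dna/view.cgi?file=../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.5 - - [12/Feb/2018:10:03:00 +0000] "POST /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 200 1337
192.0.2.4 - - [12/Feb/2018:10:04:11 +0000] "GET /index.html HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        src = "EXTERNAL" if f["external"] else "internal"
        print(f"{f['time']} {f['ip']:<15} {src:<8} {f['rule']:<19} {f['status']} {f['path']}")
```

A POST to sysAdmin.cgi from an internal address still deserves a look, since the script should not normally be reachable by unauthenticated users at all; the external flag only helps prioritise. Pair the detection with a deny rule for that path at the web server or a network ACL that limits the application to the lab's own address space, since those are the only controls available while the vendor declines to patch.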
Given the low skill level required and the low reward for a successful exploit, it is unlikely that these are nation-state attacks coming from Iran. Attackers are less likely to be looking for DNA information and more likely to be taking over the hosts for botnet or crypto-mining operations. Credentials stolen from this system are not useful outside of it, unless a user re-uses the same credentials on other systems.
Although DNA hash data is of little use to the average attacker, it may in future be used to defeat biometric access controls. If attackers alter the data, researchers may be led to incorrect conclusions, producing false or inaccurate medical research and delaying medical breakthroughs and discoveries.
When asked in December 2016 what are the solutions to mitigate these risks, the vendor replied, “…Yes, we have a plan. Please gather a DNA sequence, PO Number, or Fund Number and go to your local grocery store and see what it will buy you,” indicating the company has no interest in fixing these vulnerabilities. It is unlikely any patches will be produced to prevent these attacks moving forward.
Although the repercussions of these vulnerabilities do not appear major on the surface, the lack of mitigations, the ease of exploitation, and the data contained in these systems mean that successful exploitation can lead to delayed scientific research, credential exposure, and degraded performance of the affected systems. As biometric data is used in more access controls, the future consequences of these attacks could be more severe.