true
Ryuk Ransomware

Background

BD is actively monitoring the developing situation with “Ryuk” ransomware attacks targeting healthcare facilities across the globe. Ryuk attacks are known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to a large number of systems before initiating the file encryption and requesting a ransom.

Begin Update A: November 6, 2020

Microsoft Netlogon Elevation of Privilege Vulnerability (Zerologon) was recently identified on the list of third-party vulnerabilities threat actors could potentially use to infect systems with Ryuk Ransomware. For more information, please see our Zerologon bulletin.

BD has not received any reports of this third-party vulnerability being exploited on BD products. We have identified BD offerings that utilize affected versions of Netlogon Remote Protocol (MS-NRPC) CVE-2020-1472. Please review our Zerologon bulletin for more information. Please see the Product Security Patching website for all available product security patches.

Please note, the following BD product is now included in the offerings that are in scope for being a Ryuk Ransomware point of entry if not patched.

  • BD Intelliport™

Refer to the Zerologon bulletin for the full product list of BD offerings that leverage the Netlogon Remote Protocol.

See below for more information regarding Ryuk Ransomware and BD offerings.

End Update A: November 6, 2020

Five known vulnerabilities, dating back to 2017, are being exploited to infect systems with Ryuk ransomware. Those vulnerabilities include:

Common Vulnerabilities and Exposures (CVE)VendorImpacted systems and applications
CVE-2018-12808Adobe Acrobat and ReaderAdobe Acrobat and Reader versions (below) have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution:
  • 2018.011.20055 and earlier
  • 2017.011.30096 and earlier
  • 2015.006.30434 and earlier
CVE-2017-0144Windows SMB Remote Code Execution VulnerabilityMicrosoft Windows (SMBv1 protocol) remote code execution allowing arbitrary code execution:
  • Windows Vista SP2
  • Windows Server 2008 SP2 and R2 SP1
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2012 Gold and R2
  • Windows RT 8.1
  • Windows 10 Gold, 1511, and 1607
  • Windows Server 2016
CVE-2018-8389Scripting Engine Memory Corruption Vulnerability (Internet Explorer)Internet Explorer remote code execution from scripting engine memory handling:
  • IE 9, 10, and 11
CVE-2018-20685OpenSSH (Putty and Linux)OpenSSH protocols (impacting various Windows and Linux systems using these protocols)
  • PuTTY 0.70.0 and Prior
  • SUSE Linux Enterprise Server 11-SP4
  • AIX 7.1, 7.2
CVE-2019-6109OpenSSH (Linux)OpenSSH protocols (impacting various Windows and Linux systems using these protocols)
  • PuTTY 0.70.0 and Prior
  • SUSE Linux Enterprise Server 11-SP4
  • AIX 7.1, 7.2

Response

BD has provided the list below to help customers identify BD offerings that utilize one or more of the third-party components listed above. Where patches have already been made available, customers are encouraged to verify that the patches have been applied.

The following BD offerings already have patches for one or more of the vulnerabilities, which were issued previously and are available through the Product Security Patches page.

 

  • BD Alaris™ Guardrails™ Suite MX
  • BD Alaris™ Systems Manager v12.0.x (Server 2012)
  • BD Alaris™ Systems Manager v12.1.x (Server 2016)
  • BD Alaris™ Systems Manager v4.x (Server 2008 R2)
  • BD Assurity Linc™
  • BD BACTEC™ BOW
  • BD BACTEC™ FX
  • BD BACTEC™ FX40
  • BD DataLink™ *
  • BD EpiCenter™
  • BD FocalPoint Large Lab Server
  • BD FocalPoint Screen Review Station
  • BD FocalPoint Slide Profiler Workstation **
  • BD FocalPoint Small Lab Server
  • BD HealthSight™ Clinical Advisor
  • BD HealthSight™ Data Manager
  • BD HealthSight™ Diversion Management
  • BD HealthSight™ Infection Advisor
  • BD HealthSight™ Inventory Optimization
  • BD Infusion Knowledge Portal™
  • BD Kiestra™ InoqulA Standalone (Talon) †
  • BD Kiestra™ InoqulA+ †
  • BD Kiestra™ ReadA Standalone †
  • BD Kiestra™ TLA/WCA †
  • BD MAX †
  • BD Medication Knowledge Portal™
  • BD Phoenix™ M50
  • BD Pyxis MedStation 3500
  • BD Pyxis ProcedureStation™ system with Tissue and Implant module
  • BD Pyxis™ Anesthesia Station 3500
  • BD Pyxis™ Anesthesia Station 4000
  • BD Pyxis™ Anesthesia Station ES
  • BD Pyxis™ CathRack System
  • BD Pyxis™ CIISafe
  • BD Pyxis™ CUBIE Replenishment System (CRS)
  • BD Pyxis™ IV Prep
  • BD Pyxis™ KanBan RF
  • BD Pyxis™ Logistics Server
  • BD Pyxis™ Logistics Workstation
  • BD Pyxis™ MedStation 3500
  • BD Pyxis™ MedStation™ 4000
  • BD Pyxis™ MedStation™ ES
  • BD Pyxis™ MedStation™ ES Integrated Main system
  • BD Pyxis™ Order Viewer
  • BD Pyxis™ PharmoPack™
  • BD Pyxis™ Server ES
  • BD Pyxis™ SupplyStation (RFID)
  • BD Pyxis™ SupplyStation™
  • BD Pyxis™ Tissue & Implant Management System
  • BD Pyxis™ IV Prep
  • BD Pyxis™ KanBan RF
  • BD Pyxis™ Logistics
  • BD Supply Knowledge Portal™
  • BD Synapsys™
  • BD Totalys™ Multiprocessor*
  • BD Totalys™ SlidePrep *
  • BD Veritor™ Connect NUC †
  • BD Viper LT™

 

* BD DataLink™, BD Totalys™ Multiprocessor, BD Totalys™ Slideprep are currently undergoing patch validation for CVE-2018-12808 and CVE-2018-8389
** BD FocalPoint Slide Profiler Workstation is currently undergoing patch validation for CVE-201-20685
† BD Veritor™ Connect NUC, BD MAX and BD Kiestra™ are currently undergoing patch validation for CVE-201-20685 and CVE-2019-6109

These patches will reduce risk of BD offerings being a Ryuk entry point. Customers should ensure critical backups are housed offline and also follow the network best practices outlined in the Ransomware Activity Targeting the Healthcare and Public Health Sector alert from Cybersecurity & Infrastructure Security Agency (CISA).

Customers that maintain patches independently of BD automated delivery should ensure these actions are performed as the acting responsible entity to maintain the correct security posture of the system(s).

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.