This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs).
It applies to the BD products in scope, as well as to products running Microsoft Windows operating systems that are not actively supported by BD. BD engages in proactive communication around cybersecurity issues that have the potential to either directly or indirectly impact our products. Vulnerability disclosure is an essential component of BD's culture of transparency to help ensure that customers have the necessary information to properly assess potential cybersecurity risk, even those caused by third-party software and/or operating systems.
--------- Begin Update B: August 9, 2018 ---------
Vulnerability Details
BD is aware of a Trojan called Kwampirs, which allows malicious attackers remote access into a compromised computer. This is not a BD-specific vulnerability, and there have been no reports of a BD product being affected by Kwampirs. It has been observed targeting common legacy Microsoft Windows operating systems. Kwampirs affects those systems with enabled network shared drives, outdated or no malware protection and any version of the Microsoft Windows Operating System.
This notification provides product security information and recommendations related to the Kwampirs trojan for the case where an "attacker" has access to a hospital's network and vulnerable enabled network shares are found through which the trojan can propagate further. This notification is voluntarily reported by BD to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Health Information Sharing and Analysis Center (NH-ISAC).
Products in Scope
BD has provided a list of BD products in scope that use Microsoft Windows operating systems that are potentially vulnerable to Kwampirs.
Mitigations & Compensating Controls
BD has confirmed that anti-virus software, where maintained by BD, addresses the Kwampirs vulnerability for products in scope. If you have a BD product in scope where BD maintains and administers an anti-virus solution, there is no customer action needed.
For customers that maintain anti-virus software independent of BD automated updates, BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability:
Clinical Risk Assessment and Patient Safety Impact
Hospitals should conduct their own risk assessments based on the products within their facility(s).
Product Security Risk Assessment and Vulnerability Score
BD has conducted internal risk assessments for this vulnerability to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.
BD has provided a list of BD products in scope potentially vulnerable to Kwampirs in order to help our customers prioritize remediation steps given the severity level assigned to each BD product.
For More Information
For product or site-specific concerns, contact your BD service representative.
--------- End Update B: August 9, 2018 ---------
BD is aware of a Trojan called Kwampirs, which allows malicious attackers remote access into a compromised computer. This is not a BD-specific vulnerability, and there have been no reports of a BD product being affected by Kwampirs. It has been observed targeting common legacy Microsoft Windows operating systems.
Kwampirs affects those systems with enabled network shared drives, outdated or no malware protection and any Windows Operating System. BD is currently reviewing the potential impact this trojan may have on BD products. To minimize risk and impact from Kwampirs, BD recommends the following for systems vulnerable to this attack:
For product or site-specific concerns, contact your BD service representative.
Microsoft: Trojan:Win32/Kwampirs.A
Last BD Publication Update: 08/09/2018
Original BD Publication Date: 05/22/2018