BD is actively monitoring the developing situation with “Ryuk” ransomware attacks targeting healthcare facilities across the globe. Ryuk attacks are known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to a large number of systems before initiating the file encryption and requesting a ransom.
Microsoft Netlogon Elevation of Privilege Vulnerability (Zerologon) was recently identified on the list of third-party vulnerabilities threat actors could potentially use to infect systems with Ryuk Ransomware. For more information, please see our Zerologon bulletin.
BD has not received any reports of this third-party vulnerability being exploited on BD products. We have identified BD offerings that utilize affected versions of Netlogon Remote Protocol (MS-NRPC) CVE-2020-1472. Please review our Zerologon bulletin for more information. Please see the Product Security Patching website for all available product security patches.
Please note, the following BD product is now included in the offerings that are in scope for being a Ryuk Ransomware point of entry if not patched.
Refer to the Zerologon bulletin for the full product list of BD offerings that leverage the Netlogon Remote Protocol.
See below for more information regarding Ryuk Ransomware and BD offerings.
Five known vulnerabilities, dating back to 2017, are being exploited to infect systems with Ryuk ransomware. Those vulnerabilities include:
|Common Vulnerabilities and Exposures (CVE)||Vendor||Impacted systems and applications|
|CVE-2018-12808||Adobe Acrobat and Reader||Adobe Acrobat and Reader versions (below) have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution:
|CVE-2017-0144||Windows SMB Remote Code Execution Vulnerability||Microsoft Windows (SMBv1 protocol) remote code execution allowing arbitrary code execution:
|CVE-2018-8389||Scripting Engine Memory Corruption Vulnerability (Internet Explorer)||Internet Explorer remote code execution from scripting engine memory handling:
|CVE-2018-20685||OpenSSH (Putty and Linux)||OpenSSH protocols (impacting various Windows and Linux systems using these protocols)
|CVE-2019-6109||OpenSSH (Linux)||OpenSSH protocols (impacting various Windows and Linux systems using these protocols)
BD has provided the list below to help customers identify BD offerings that utilize one or more of the third-party components listed above. Where patches have already been made available, customers are encouraged to verify that the patches have been applied.
The following BD offerings already have patches for one or more of the vulnerabilities, which were issued previously and are available through the Product Security Patches page.
* BD DataLink™, BD Totalys™ Multiprocessor, BD Totalys™ Slideprep are currently undergoing patch validation for CVE-2018-12808 and CVE-2018-8389
** BD FocalPoint Slide Profiler Workstation is currently undergoing patch validation for CVE-201-20685
† BD Veritor™ Connect NUC, BD MAX and BD Kiestra™ are currently undergoing patch validation for CVE-201-20685 and CVE-2019-6109
These patches will reduce risk of BD offerings being a Ryuk entry point. Customers should ensure critical backups are housed offline and also follow the network best practices outlined in the Ransomware Activity Targeting the Healthcare and Public Health Sector alert from Cybersecurity & Infrastructure Security Agency (CISA).
Customers that maintain patches independently of BD automated delivery should ensure these actions are performed as the acting responsible entity to maintain the correct security posture of the system(s).
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.