Patches Pending for Medical Devices Hit By WannaCry

Companies such as Siemens and Bayer are planning to release patches for medical devices hit by the ransomware WannaCry over the past several days.

It was initially thought just Windows machines were vulnerable but it probably shouldn’t come as a surprise that medical devices and industrial control systems were subjected to the perils of this weekend’s WannaCry ransomware outburst as well.

Over the past few days the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) along with several medical device vendors have begun warning consumers of the risk the malware poses and mitigations that should be implemented by hospitals and factories that deploy software on vulnerable versions of Windows with SMBv1 enabled.

WannaCry, which wended its way through the internet on Friday, exploits EternalBlue, a remote code execution attack that targets a patched SMBv1 vulnerability in Windows. A patch for the vulnerability, leaked in April by the ShadowBrokers, was pushed by Microsoft in March but apparently has not been applied by many – including hospital IT administrators.

Siemens began warning customers on Tuesday that some of its Healthineers products – a line of devices deployed in clinical environments – are affected by the SMBv1 vulnerabilities behind the WannaCry campaign.

In particular, all versions of the company’s Multi-Modality Workplace (.PDF) (MMWP)– an imaging platform found in hospital radiology departments, and all versions of the company’s MAGNETOM MRI Systems (.PDF) – massive magnetic resonance tubes used for imaging in hospitals, are vulnerable, Siemens said.

The company issued a security bulletin and advisories for both products on Tuesday.

Siemens stressed in the bulletin the exploitability of the devices is largely dependent on the way the products are configured and deployed, but that it’s still preparing updates for the products. In the meantime the company is encouraging customers to isolate products that listen on the TCP ports 139, 445 and 3389.

Researchers over the past several days have observed WannaCry campaigns – in addition to cryptocurrency miner campaigns – scanning the internet for targets with port 445 exposed – a practice generally frowned upon and discouraged by Microsoft. Still, Rapid7 said on Wednesday it saw more than 800,00 devices running Windows exposing SMB over port 445.

In addition to disabling the port, Siemens also asked users to make an effort to isolate affected products within their respective network segment, and ensure they have backups and system restoration procedures in place.

The company’s recommendations echoed sentiments made by experts multiple times this week, including advocating patching vulnerable machines, amd making sure offline backups are secure and stored offline

Siemens isn’t the only medical device company planning to push patches to mitigate further WannaCry infections.

HITRUST, the Health Information Trust Alliance, reported on Monday that medical devices manufactured by the German conglomerate Bayer were also implicated by WannaCry over the weekend. HITRUST’s report suggests that Siemens devices, as the forthcoming patches would suggest, were implicated as well.

The company is in the middle of prepping a patch for Windows-based devices, purportedly radiology systems, that were also hit by the ransomware.

A spokesperson from the company told Threatpost Wednesday it was working to deploy the patch soon but didn’t have an ETA.

While Siemens wouldn’t confirm HITRUST’s report that its devices were implicated by WannaCry, it did say it was working alongside customers and the National Health Service’s Digital department to remedy “the ransomware attack.”

“We have been working alongside our customers and NHS Digital since we became aware of the ransomware attack on Friday afternoon. This is an emerging situation and our focus is on restoring system operation, as soon as possible, but without compromising on quality. Engineers have been working at affected sites and will remain in constant contact with customers until systems are restored,” the company said.

WannaCry was blamed for interrupting services at scores of NHS organizations in the U.K. when it first began to make the rounds on Friday.

Medical device manufacturer Becton, Dickinson and Company (BD) also warned of WannaCry this week – but in a more generic sense. The company didn’t specify which, if any, of its products were affected but said they do support Windows. In a product security service bulletin the company said it recommends users apply Microsoft’s CVE-2017-0290 patch and to make sure anyone running Windows has mitigation controls in place for SMB.

Rockwell Automation and ABB, a Swiss robotics and automation firm, warned of the malware in advisories this week as well.

While neither company believes their software is directly implicated, both said that systems that run its products on Windows are likely affected.

Like the other vendors, ABB encouraged customers (.PDF) to backup their systems, install MS17-010, and to block or restrict Windows File Sharing via the SMB protocol.

Rockwell, which primarily ships industrial control components like flat panel monitors, CRTs, and computers for factories, deferred users to Microsoft’s MS17-010 Security Bulletin. Before implementing Microsoft’s patch, the company is encouraging users to verify it on a non-production system to make sure there’s no unwanted side effects.

ICS-CERT, which published an alert Monday and updated it Tuesday, is keeping track of industrial control vendors such as Siemens and BD that have issued notifications on WannaCry. The team is urging healthcare providers to follow the FDA’s guidance on medical device cybersecurity which says companies don’t need FDA review to make changes to medical devices if they’re to strengthen cybersecurity.

The Electronic Healthcare Network Accreditation Commission, a self-governing standards development organization that oversees electronic health networks, was quick to warn of WannaCry on Sunday. The commission said it was monitoring privacy controls “within accreditation criteria to mitigate the threat of similar data breaches and to secure Protected Health Information managed by healthcare stakeholders.”

“We applaud the efforts of the security agencies working to contain and stop this attack and encourage all to review their privacy and security procedures, and ensure they are best prepared to mitigate the impact of future threats.”

Suggested articles