Publication Date: July 5, 2017
Update Date: July 5, 2017
ADVISORY / GENERAL GUIDANCE
Philips is aware that the current malware campaign known as Petya (also known as NotPetya, Petna, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya or Expetr) was reported June 27th to be spreading and impacting organizations and critical infrastructure around the globe. The malware encrypts (locks) computers and demands a payment in Bitcoins, according to information shared online by affected institutions. Originally reported as ransomware, the Petya malware is now indicated by industry research to be a data “wiper” disguised as ransomware: a form of malware that wipes or destroys access to data without the attacker having either the intent or the control to enable recovery of the locked files.
The initial event was reported to primarily impact organizations in Ukraine. However, new malware infections reportedly spread quickly to impact systems and infrastructure in Russia, the Netherlands, France, India, Australia, the U.S., and other countries. Affected organizations include hospitals, shipping ports, power companies, banks, and an extended list of other types of institutions.
According to industry researchers, initial attack vectors were delivered via the update service of a Ukrainian company (M.E.doc) for its finance application, which is popular in Ukraine and Russia. Once the initial compromise took hold, the malware spread across vulnerable networks by exploiting a Windows vulnerability (in SMBv1), similar to the WannaCry outbreak in May. Further information on this Windows vulnerability and the Petya outbreak can be found on the Microsoft website at “Update on Petya malware attacks”.
The vulnerability to this ransomware was identified and a patch was released by Microsoft on March 14, 2017 (MS17-010) for Microsoft supported versions of Windows (including WinVista, WinServer 2008, Win7, WinServer 2008 R2, Win 8.1, WinServer 2012, Win10, WinServer 2012 R2, and WinServer 2016). In further response specific to this ransomware outbreak, Microsoft also took extra steps to release updates for versions of Windows not under Microsoft mainstream support (including WinXP, Win8, and WinServer 2003).
Consistent with Philips Product Security Policy, our global network of product security officers and technical support teams are closely monitoring the situation and continue to take appropriate preventative measures. Philips will continue to work with our customer base to address this malware event and drive any product-specific or customer installation-specific preventative measures such as installation of the latest Microsoft Security Patches, Windows vulnerability containment steps, or other Philips-approved countermeasures as required on Philips products.
Select Philips products may be affected by the Microsoft vulnerability being exploited by the Petya malware. The potential for exploitability of any such vulnerability depends on the specific configuration and deployment environment of each product as well as adherence to the intended use of the product.
To date, Philips has not received any reports of Philips products or business operations being directly affected by this reported malware.
Preventative measures on Philips products should be implemented in accordance with Philips authorized steps or countermeasures defined and approved by Philips.
Customers entitled by service-contract to use the Philips InCenter Customer Portal are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter.
Philips highly recommends all customers with and without service contracts contact their local service support team or regional product service support to discuss any needed guidance, services, or questions regarding their specific products or installations. Customers who require general information on Philips Product Security may contact Philips Product Security at firstname.lastname@example.org.
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are fully protected against this vulnerability, and customers are advised not to disconnect the PRS, as doing so may prevent Philips service teams from providing any required immediate and proactive support such as remote patching.
The items below are offered as general guidance, are for general consideration only, and must be reviewed in alignment with any posted Philips Service Bulletin with Philips service support to ensure all defined testing and verification processes are followed within product specification and regulatory requirements.
Work with Philips services support to identify and review:
- Philips products that have been patched to protect against the SMB vulnerability being exploited by the Petya malware.
- Philips products that may still be vulnerable to impact from the Petya malware.
- For Philips products that are potentially vulnerable to the Petya malware, consider the following options or combination of options (where applicable and in accordance with authorized Philips service):
  - Arrange for Philips service teams to apply any available Philips-approved patches or updates to your system per standard procedures.
  - Consider implementing anti-virus access protection rules (Example: Per McAfee Guidance https://kc.mcafee.com/corporate/index?page=content&id=KB89540&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US).
  - Consider blocking SMB and RDP ports per Microsoft guidance.
  - Consider disabling SMBv1 on our devices if authorized by Philips for your product.
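To support the review of the SMBv1 and port-blocking options above, the following read-only PowerShell audit reports the current state of a Windows host without changing its configuration. It is an added example, not Philips or Microsoft code; the function names are hypothetical, and it assumes the standard ports 445 (SMB) and 3389 (RDP).

```powershell
# Added example: read-only audit. It reports state only and changes nothing.
# Querying the SMB server configuration may require an elevated session.

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { return 'Enabled' }
        return 'Disabled'
    }
    # Older Windows versions: the SMB1 DWORD under LanmanServer\Parameters.
    # 0 means disabled; a missing value means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return 'Enabled (default, SMB1 value not set)' }
    if ($value -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Test-TcpListener {
    param([int[]]$Port = @(445, 3389))
    # Listening sockets show a remote port of 0 in netstat output; matching on
    # that avoids depending on the localized "LISTENING" state string.
    $netstat = netstat -ano
    foreach ($p in $Port) {
        $pattern = "^\s*TCP\s+\S+:${p}\s+\S+:0\s"
        $hits = @($netstat | Where-Object { $_ -match $pattern })
        New-Object PSObject -Property @{
            Port      = $p
            Listening = ($hits.Count -gt 0)
        }
    }
}

"SMBv1 server: $(Get-Smb1ServerState)"
Test-TcpListener | Format-Table Port, Listening -AutoSize
```

A port that is listening locally may still be blocked by a host or network firewall, so the result describes exposure on the host itself, not reachability from other network segments.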
Other General Points for Customer Awareness:
- Re-imaging an infected machine will likely overwrite/destroy information on that device.
- Making payment to ransomware is not a Philips recommendation. Reportedly, ransom payments in response to Petya infections have not resulted in restored access to Petya-infected files or systems. If payment is made in an effort to decrypt the system, then:
  - Data, if and when available, should be backed up to a safe location with appropriate restoration procedures.
  - Reinstall the system applications with at least one of the recommended actions to prevent re-infection of the device.
  - Network segmentation will help prevent harm to the device as long as SMB and RDP are not utilized and are blocked.
SUPPORT OF MICROSOFT GENERAL RECOMMENDATIONS
On June 28th Microsoft posted their “Update on Petya malware attacks” which included Microsoft recommendations for Windows users to consider toward the identification, prevention, and mitigation of the risk of compromise from reported Windows vulnerabilities being exploited by Petya. The advisory included options for users to consider for deployment of Windows security updates and other changes to system configuration as potential countermeasures.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips products (including Windows security updates and patches) are implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Philips policy, the U.S. FDA post-market guidance, and other regulatory jurisdiction requirements state that all critical vulnerabilities must be assessed and mitigated. In the case of WannaCry and Petya, a number of Philips products are deployed with default security hardening that securely mitigates the risk of WannaCry and Petya vulnerabilities due to firewall configuration, closed ports, anti-virus/whitelisting, or other security features designed into the product architectures. In those specific cases, Philips will not require Windows security patching to mitigate against WannaCry or Petya threats since those products are not assessed to be vulnerable to exploit from WannaCry or Petya when deployed and operated within specification. Likewise, the same product-by-product assessment is made by Philips relative to other countermeasures like network port blocking that may be recommended by Microsoft but might not be applicable to all Philips products or product versions. Philips product teams therefore assess all published Windows critical vulnerabilities on a product-by-product basis routinely and document product vulnerability status into product MDS2 forms and vulnerability tables. If a product does require Microsoft security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Customers entitled by service-contract to use Philips InCenter are encouraged to request and attain InCenter access and reference product-specific information posted on Philips InCenter. All customers with and without service contracts are encouraged to contact their local service support team or regional product service support as needed for current information specific to their products or Philips deployed installations as information becomes available.
Website Advisory on Worldwide Ransomware Outbreak (WannaCry, et al.)
Publication Date: May 26, 2017
Update Date: May 26, 2017