A warning issued by the FBI cautions healthcare providers to beware of threat actors who are now targeting anonymous File Transfer Protocol (FTP) servers associated with medical and dental organizations. An article on Dark Reading goes into detail about the trouble with anonymous FTP servers and why it is important to turn yours off.
These cybercriminals have one goal in mind when targeting these FTP servers: access to protected health information (PHI) and personally identifiable information (PII).
“The anonymous FTP extension lets users authenticate to the server with a common username and no password, or a generic password or email address.”
Since anonymous FTP servers let virtually anyone connect and browse the files they hold, SANS Institute director John Pescatore says it has been “standard guidance” for organizations to avoid storing sensitive data on them.
Pescatore urges organizations not to store anything besides public information on FTP servers, acknowledging that many companies ignore this advice because these servers offer “an easy way to make information available to third parties.”
The FBI has explained that unsecured servers operated on business networks may hold sensitive data, which makes anonymous FTP servers easy targets for attackers looking to steal PHI and PII.
According to Carson Sweet, CTO and co-founder of CloudPassage, there are a number of ways cybercriminals can use this stolen data.
“Cybercriminals can add data to a fraudster database or sell it on the dark Web. They may also use it for blackmail, leveraging records with information patients wouldn’t want made public,” he says.
Although it is not a new problem, the vulnerability of anonymous FTP servers is still relevant today, especially to smaller healthcare practices. Sweet notes that security is often not the top priority for smaller organizations, which frequently buy their software from small vendors and keep using it for years.
“Small medical and dental practices don’t want to change their technology often,” he explains. “They end up with a proliferation; a long-term existence of poorly secured apps.”
Experts believe that smaller businesses get away with using outdated technology because they are overlooked by federal regulators, who pay more attention to larger healthcare organizations. As a result, smaller practices keep using outdated technology and increase their risk of a data breach.
Pescatore also explains that data theft is not the only risk with anonymous FTP servers. Organizations also risk attackers using the servers to store malicious content.
“They can use this as the foundation for a ransomware attack, threatening to publicize their possession of this information unless they pay. A hacker could use an anonymous FTP server to store and sell pirated software, involving the business in selling stolen goods.”
Pescatore adds that attackers planting malicious content on an FTP server is harder to detect than data theft.
“Firewalls or intrusion detection will reveal if cybercriminals are scanning for vulnerable FTP servers, but it’s tougher to tell if they’re implementing dangerous content.”
He goes on to note that organizations spend money on data loss prevention to ensure information does not leave the organization, but do not invest in detecting what is being written to their servers from outside.
It is unknown at this point why the FBI has released this warning, but Pescatore believes it is “likely due to a current case.”
He says that in past years turning off anonymous FTP was often not possible because business processes depended on it, but that is becoming much simpler. Both Pescatore and Sweet encourage organizations to turn off their anonymous FTP servers to protect their businesses.
“The trend of using an anonymous FTP server should have been eradicated a decade ago,” Sweet emphasized. “It’s not something we should see growing; it’s something we should see shrinking.”
The FBI’s warning recommends that medical and dental practices have their IT staff check their networks for FTP servers that allow anonymous access, and, where there is a business reason to keep one running, ensure that no PHI or PII is stored on it.
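The check the FBI asks IT teams to perform amounts to asking each FTP server on the network whether it accepts the standard anonymous login (USER anonymous followed by a throwaway e-mail-style password). The script below is an added example, not part of the FBI alert or the Dark Reading article: it uses Python’s standard ftplib client to attempt an anonymous login and classify the result, and includes a constructed in-process FTP control-channel server (only the USER, PASS and QUIT commands) so the check can be exercised offline against both an “anonymous allowed” and an “anonymous denied” configuration. Host names, ports and the sample password are assumptions for the demonstration.

```python
import socketserver
import threading
from ftplib import FTP, all_errors, error_perm, error_temp

# Usernames that FTP daemons conventionally treat as anonymous access.
ANON_USERS = ("anonymous", "ftp")


class FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for an FTP daemon's control channel.

    Implements just enough of RFC 959 to exercise a login check: a 220
    greeting, USER, PASS and QUIT. Whether the anonymous account is
    accepted is decided by the server's `anonymous_ok` flag, mirroring
    a daemon with anonymous access switched on or off."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 (constructed test server)")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return  # client went away
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                self.reply("331 Please specify the password.")
            elif cmd == "PASS":
                if user in ANON_USERS and self.server.anonymous_ok:
                    self.reply("230 Login successful.")
                else:
                    self.reply("530 Login incorrect.")
            elif cmd == "QUIT":
                self.reply("221 Goodbye.")
                return
            else:
                self.reply("530 Please login with USER and PASS.")


class FakeFtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, anonymous_ok):
        # Port 0 lets the OS pick a free loopback port for the demo.
        super().__init__(("127.0.0.1", 0), FakeFtpHandler)
        self.anonymous_ok = anonymous_ok


def start_fake_ftp(anonymous_ok):
    """Start the constructed server on a background thread; return (server, port)."""
    server = FakeFtpServer(anonymous_ok)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Probe one FTP server for anonymous access.

    Returns True if USER anonymous / PASS <email> yields a 2xx reply,
    False if the server rejects it (4xx/5xx), and None if the host
    could not be reached at all (so it is not silently counted as safe)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        return None
    try:
        # "guest@example.com" is the conventional throwaway anonymous password.
        ftp.login("anonymous", "guest@example.com")
        return True
    except (error_perm, error_temp):
        return False
    finally:
        try:
            ftp.quit()
        except all_errors:
            ftp.close()


def find_anonymous_ftp(targets, timeout=5.0):
    """targets: iterable of (host, port). Returns those that accept anonymous login."""
    return [(h, p) for h, p in targets
            if anonymous_login_allowed(h, p, timeout) is True]


if __name__ == "__main__":
    # Demo against the two constructed servers; in practice the targets
    # would be the FTP listeners discovered on your own network.
    open_srv, open_port = start_fake_ftp(anonymous_ok=True)
    closed_srv, closed_port = start_fake_ftp(anonymous_ok=False)
    targets = [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]
    for host, port in targets:
        print(host, port, "anonymous:", anonymous_login_allowed(host, port))
    print("servers allowing anonymous FTP:", find_anonymous_ftp(targets))
    open_srv.shutdown(); open_srv.server_close()
    closed_srv.shutdown(); closed_srv.server_close()
```

Run the probe only from a host you control against servers you are responsible for, and treat a None result as “unknown” rather than “safe”, since a firewall between the scanner and the server will hide an anonymous listener that is still reachable from elsewhere. Any server that returns True should either be switched to authenticated access (on vsftpd this is `anonymous_enable=NO` in vsftpd.conf) or, if a business reason keeps it anonymous, audited to confirm it holds only public data.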