FBI Warns Healthcare Entities of Threats to FTP Servers
Alert Follows a Similar Warning Last Year from HHS
The FBI is warning the healthcare sector to step up security of its file transfer protocol servers as cybercriminals step up attacks targeting FTP servers running in anonymous mode.
"The FBI is aware of criminal actors who are actively targeting FTP servers operating in 'anonymous' mode and associated with medical and dental facilities to access protected health information and personally identifiable information in order to intimidate, harass and blackmail business owners," the March 22 FBI alert says.
Keith Fricke, principal consultant of tw-Security, says the anonymous FTP mode puts data at risk because it means that a named account is not required to log into the FTP service. "A default anonymous account may have a known default password," he says. "This makes unauthorized access easy once an intruder discovers the FTP service exists."
The FBI alert comes as the healthcare sector over the past year has not only seen a spike in ransomware attacks, but also assaults involving hackers exfiltrating data. Hackers threaten to post the data publicly, sell the pilfered information on the dark web or wipe patient data from servers and back-up devices unless healthcare providers pay a ransom.
One hacker, identified as TheDarkOverlord, has tormented the healthcare sector since last summer, including launching an extortion attack in January on a small Indiana-based charitable organization that provides support services, such as free wheelchairs and wigs, to patients undergoing cancer treatment (see Cancer Charity Latest Apparent Victim of 'TheDarkOverLord').
Although the FBI warning is directed to the healthcare sector, Fricke says other industries are also vulnerable to attacks targeting FTP servers. "For a long time now, HIPAA has required secure transmissions of PHI (protected health information) over unsecured networks such as the internet," Fricke says. "What organizations across any industry may not realize is that securing the FTP service is also necessary, not just encrypting the transmission."
Mac McMillan, president and chief strategy officer at security consulting firm CynergisTek, says his firm has not heard from clients of many such FTP attacks, "but we typically scan our customers at least quarterly and anytime we find an anonymous FTP vulnerability we immediately bring it to their attention. This is such a common vulnerability and easily addressed, but as the [FBI] notice says, particularly dangerous if not [addressed]."
The FBI isn't the first government agency to warn the healthcare sector of cyberthreats targeting FTP devices. Last October, the Department of Health and Human Services' Office for Civil Rights issued a cyber awareness alert warning healthcare sector organizations about the importance of safeguarding network-attached storage devices and other gear that supports or enables FTP services.
In that alert, OCR warned that network-attached storage (NAS) devices early last year "started becoming victim to a serious type of malware, which exploited the FTP service available on FTP servers, including FTP services available on NAS devices." (See Federal Regulators Warn of FTP, NAS Risks.) NAS devices connect to a computer network and provide a way to access data for a group of persons or entities.
At the time of that alert, OCR noted that security researchers at Sophos found that the malware variant Mal/Miner-C, also known as PhotMiner, appeared in the beginning of June 2016, "targeting FTP services, such as those available on NAS devices, and spreading to new machines by attempting to conduct brute-force attacks using a list of default credentials."
Rebecca Herold, president of Simbus, a privacy and security cloud services firm, and CEO of The Privacy Professor, a consultancy, says the FTP risks spotlighted by the FBI alert are very similar to the NAS device issues cited in the OCR warning.
Data from FTP servers can be stored on NAS devices, putting the devices at risk for malware. "So, the 'anonymous' FTP server basically becomes a distribution hub for a wide range of malware to any of the NAS devices on the same network," she says.
Healthcare providers are particularly vulnerable to the kind of FTP related attack highlighted by the FBI alert "because of the large number of varied types of entities with whom healthcare organizations communicate patient records, and other healthcare information," Herold says.
"Keep in mind that a large number of entities they send information to are not their contracted business associates, so they often set up an anonymous FTP server to make such exchanges of information easier," she says. "Additionally, those others they share information with also may be using such unsecured FTP servers."
FBI Alert Details
In its alert, the FBI notes that 2015 research conducted by the University of Michigan found that over 1 million FTP servers were configured to allow anonymous access, potentially exposing sensitive data stored on the servers.
"The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as 'anonymous' or 'ftp' without submitting a password or by submitting a generic password or e-mail address," the FBI writes.
While computer security researchers actively seek FTP servers in anonymous mode to conduct legitimate research, the FBI points out that "other individuals are making connections to these servers to compromise PHI and PII for the purposes of intimidating, harassing, and blackmailing business owners."
The FBI warns that cybercriminals could use an FTP server in anonymous mode and configured to allow "write" access to store malicious tools or launch targeted cyberattacks. "In general," the FBI says, "any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cybercriminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud."
Steps to Take
The FBI recommends that medical and dental healthcare entities ask their IT services personnel to check networks for FTP servers running in anonymous mode. "If businesses have a legitimate use for operating an FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server," the FBI says.
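The check the FBI recommends, finding which of an organization's own FTP servers accept the 'anonymous' or 'ftp' identities described in the alert, can be scripted with nothing but the Python standard library. The script below is an added example written for this article; it is not FBI, OCR or vendor code. It assumes the target list comes from the organization's own asset inventory (the hosts and the generic e-mail password are placeholders), it only logs in and requests a directory listing as evidence, and it never writes to the server.

```python
"""Audit an inventory of FTP hosts for anonymous-mode access.

Added example for this article (not FBI, OCR or vendor code). Assumes the
hosts come from the organization's own asset inventory and that the auditor
is authorized to test them. Standard library only; read-only on the server.
"""
import ftplib
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The identities named in the FBI alert: username "anonymous" or "ftp" with
# an empty or generic e-mail password. The address below is a constructed value.
ANON_USERS = ("anonymous", "ftp")
ANON_PASSWORD = "audit@example.com"


@dataclass
class FtpAuditResult:
    host: str
    port: int
    status: str                 # "unreachable", "anonymous", "closed" or "error"
    user: Optional[str] = None  # which anonymous identity was accepted
    banner: str = ""            # server greeting, or the error text
    listing: List[str] = field(default_factory=list)

    @property
    def finding(self) -> bool:
        """True when the server accepted an anonymous login."""
        return self.status == "anonymous"


def check_anonymous(host: str, port: int = 21, timeout: float = 5.0) -> FtpAuditResult:
    """Try each anonymous identity on a fresh connection; stop at the first success."""
    banner = ""
    for user in ANON_USERS:
        ftp = ftplib.FTP()
        try:
            banner = ftp.connect(host, port, timeout=timeout)
        except ftplib.all_errors as exc:
            # Nothing listening, or filtered: not a finding, but worth recording.
            return FtpAuditResult(host, port, "unreachable", banner=str(exc))
        try:
            ftp.login(user, ANON_PASSWORD)
        except ftplib.error_perm:
            # 530-style rejection: this identity is refused, try the next one.
            ftp.close()
            continue
        except ftplib.all_errors as exc:
            ftp.close()
            return FtpAuditResult(host, port, "error", banner=str(exc))
        # Anonymous login accepted: capture a directory listing as evidence.
        try:
            listing = ftp.nlst()
        except ftplib.all_errors:
            listing = []
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
        return FtpAuditResult(host, port, "anonymous", user=user,
                              banner=banner, listing=listing)
    return FtpAuditResult(host, port, "closed", banner=banner)


def parse_target(target: str) -> Tuple[str, int]:
    """Accept 'host' or 'host:port' entries from an inventory file."""
    host, sep, port = target.strip().rpartition(":")
    if not sep:
        return port, 21           # no ':' present, rpartition put the text in 'port'
    return host, int(port)


def audit(targets: List[str], timeout: float = 5.0) -> List[FtpAuditResult]:
    """Check every inventory entry and return the per-host results."""
    return [check_anonymous(h, p, timeout) for h, p in map(parse_target, targets)]


def report(results: List[FtpAuditResult]) -> List[str]:
    """One line per host; findings first so they are not lost in a long list."""
    ordered = sorted(results, key=lambda r: not r.finding)
    return [f"{'FINDING' if r.finding else 'ok':7} {r.host}:{r.port} {r.status}"
            + (f" as {r.user!r}, {len(r.listing)} entries visible" if r.finding else "")
            for r in ordered]


if __name__ == "__main__":
    # Usage: python ftp_anon_audit.py inventory.txt (one host[:port] per line)
    with open(sys.argv[1]) as fh:
        inventory = [line for line in fh if line.strip() and not line.startswith("#")]
    for line in report(audit(inventory)):
        print(line)
```

A host reported as "anonymous" with a non-empty listing is exactly the condition the alert describes; per the FBI guidance, either disable anonymous mode or confirm that nothing on that server is PHI or PII. Because each identity is tried on its own connection, servers that drop the session after one failed login are still checked fully.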
Security experts say there are also other steps that entities can take to bolster security around FTP services.
For instance, Fricke advises that entities:
- Regularly apply security fixes to systems after testing them;
- Restrict access to FTP services to only those users or computers needing the access;
- Review default security settings on FTP servers, adjusting them to be more restrictive or removing services that are not needed; and
- Regularly review electronic event logs.
"Even better is to identify certain events that you want to know about and have the logging system send alerts proactively if possible," Fricke says.
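Fricke's advice to pick the events that matter and alert on them proactively, rather than reading logs after the fact, is shown below as an added example for this article (not code from Fricke, tw-Security or any FTP vendor). The log lines are constructed in the style of vsftpd's vsftpd.log, and the rules, the anonymous-user names and the failed-login threshold are this example's own assumptions. It flags the events the FBI and OCR alerts describe: accepted anonymous logins, downloads and uploads in an anonymous session, and repeated login failures from one client.

```python
"""Review vsftpd-style FTP logs and raise alerts for the events worth knowing about.

Added example for this article, not code from the FBI, OCR or any vendor.
The sample lines are constructed in the style of vsftpd.log; the rules and
the failed-login threshold are this example's own choices.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# vsftpd writes: <timestamp> [pid N] [<user>] OK|FAIL <EVENT>: Client "<ip>"<details>
# CONNECT lines carry no user and no OK/FAIL, so both groups are optional.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?:(?P<result>OK|FAIL) )?'
    r'(?P<event>[A-Z]+): Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)

# How anonymous sessions appear in the user field (assumption for this example).
ANON_USERS = {"ftp", "anonymous"}

# Constructed sample log: one anonymous session that pulls a data file and
# drops a binary, one normal user login, and a short password-guessing run.
SAMPLE_LOG = """\
Wed Mar 22 09:14:02 2017 [pid 2] CONNECT: Client "203.0.113.45"
Wed Mar 22 09:14:03 2017 [pid 1] [ftp] OK LOGIN: Client "203.0.113.45", anon password "mozilla@example.com"
Wed Mar 22 09:14:10 2017 [pid 3] [ftp] OK DOWNLOAD: Client "203.0.113.45", "/pub/patients_2016.csv", 48213 bytes, 120.55Kbyte/sec
Wed Mar 22 09:15:40 2017 [pid 3] [ftp] OK UPLOAD: Client "203.0.113.45", "/pub/incoming/rt.exe", 204800 bytes, 95.31Kbyte/sec
Wed Mar 22 10:02:11 2017 [pid 2] CONNECT: Client "10.20.30.40"
Wed Mar 22 10:02:12 2017 [pid 1] [jsmith] OK LOGIN: Client "10.20.30.40"
Wed Mar 22 10:30:01 2017 [pid 2] CONNECT: Client "198.51.100.7"
Wed Mar 22 10:30:02 2017 [pid 1] [admin] FAIL LOGIN: Client "198.51.100.7"
Wed Mar 22 10:30:03 2017 [pid 1] [admin] FAIL LOGIN: Client "198.51.100.7"
Wed Mar 22 10:30:04 2017 [pid 1] [root] FAIL LOGIN: Client "198.51.100.7"
"""


@dataclass
class Alert:
    kind: str     # ANON_LOGIN, ANON_DOWNLOAD, ANON_UPLOAD or BRUTE_FORCE
    client: str
    ts: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None for lines of another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def review(lines: Iterable[str], fail_threshold: int = 3) -> List[Alert]:
    """Stream the log once and emit alerts in the order the events occur."""
    alerts: List[Alert] = []
    failures: Counter = Counter()      # failed logins per client address
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, result, event, client = rec["user"], rec["result"], rec["event"], rec["client"]
        detail = rec["rest"].strip(", ")
        is_anon = user in ANON_USERS or "anon password" in rec["rest"]
        if event == "LOGIN" and result == "OK" and is_anon:
            alerts.append(Alert("ANON_LOGIN", client, rec["ts"], detail))
        elif event in ("UPLOAD", "DOWNLOAD") and result == "OK" and is_anon:
            # Reads in an anonymous session expose data; writes mean the server
            # can be used to stage tools, the case the FBI alert singles out.
            alerts.append(Alert(f"ANON_{event}", client, rec["ts"], detail))
        elif event == "LOGIN" and result == "FAIL":
            failures[client] += 1
            if failures[client] == fail_threshold:   # fire once per client
                alerts.append(Alert("BRUTE_FORCE", client, rec["ts"],
                                    f"{fail_threshold} failed logins, last user {user!r}"))
    return alerts


def format_alert(a: Alert) -> str:
    return f"[{a.kind}] {a.ts} client={a.client} {a.detail}"


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

Fed a live log (for example with `tail -F` piped into `review`), the same function produces alerts as the lines arrive, which is the proactive notification Fricke describes; the threshold and the list of alert kinds are the places to tune for a given site.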
Meanwhile, Herold says other measures that healthcare organizations can take to bolster security around FTP services include:
- Periodically running vulnerability scans and penetration tests to ensure anonymous access has not been inappropriately established;
- Keeping data stored on FTP servers encrypted whenever possible;
- Using blacklists to block all incoming traffic and files from untrusted websites, allowing only specific types of approved communications to the FTP server;
- Using whitelists to allow for anonymous FTP access from only specified locations, devices, etc.;
- Using anti-malware software on FTP services and keeping it updated;
- Using real-time system monitoring to send alerts for abnormal or suspicious activities on the FTP server; and
- Using a dedicated FTP server that is not also used for mission critical processing and does not store PHI or sensitive data of any other type.
"This vulnerability exists everywhere, all industries, and diligence in configuring and testing these servers can eliminate this risk," McMillan notes.