Federal Regulators Warn of FTP, NAS Risks
OCR Says Devices are Vulnerable to 'Cryptocurrency Mining' Malware
As ransomware and other cyberattacks on healthcare entities continue to surge, federal regulators are alerting organizations about the importance of safeguarding network-attached storage devices and other gear that supports or enables file transfer protocol services.
The Department of Health and Human Services' Office for Civil Rights' monthly cyber awareness alert for October reminds HIPAA covered entities and their business associates that FTP services are proving particularly vulnerable to cyberattacks.
OCR notes that research by computer security firm Sophos recently found that up to 70 percent of a vendor's NAS devices connected to the internet were infected with a malware variant called Mal/Miner-C, also known as PhotoMiner. Sophos researchers alleged that out of 7,000 of these NAS devices manufactured by Seagate, 5,000 were infected with this malware by cybercriminals who also collected $86,000 in cryptocurrency.
The researchers say the malware variant, which appeared at the beginning of June, is targeting FTP services, such as those available on NAS devices, "and spreading to new machines by attempting to conduct brute-force attacks using a list of default credentials," OCR notes. The researchers claim that a design flaw regarding the use of public folders on certain NAS devices permitted the Miner-C malware to more easily copy itself to the public folders, OCR adds.
The Miner-C or PhotoMiner malware "tricks users by copying files to the public folders that resemble a standard Microsoft folder icon," according to the OCR report. "Once the user clicks on the folder, the malware variant is activated and installs on the victim's laptop, desktop, or other computing device."
The malware allows cybercriminals to generate cryptocurrency by a process known as 'mining.' "Cryptocurrency mining exploits computer processing power to solve difficult math problems. Essentially, attackers are rewarded with cryptocurrency for the amount of math problems they solve," OCR says.
This type of malware can affect an information system's performance by eating up a system's computing power and slowing down other system processes, the agency notes.
In a statement to Information Security Media Group, a Seagate spokesman says the company was made aware of a potential security issue related to the use of Seagate Central network storage and malware targeting FTP users. "The solution for customers to help protect themselves from this risk is to utilize the provided secure remote access feature," he says.
"Seagate Central offers remote access through various methods including secure remote access and FTP. We encourage users to utilize the secure remote access as the default method and not to enable port forwarding of FTP. Advanced users may choose to use the FTP and can enable port forwarding to utilize the FTP features," he says. The problem affects 70 percent of the Seagate Central devices using "FTP anonymous, which is a small percent of what we have shipped," not 70 percent of the company's devices connected to the internet, he says. "FTP anonymous access would require a user to expose the device to the internet through port forwarding in their router. Anonymous FTP is insecure and is not recommended."
The risks involved with FTP services and NAS devices are often underestimated, "especially for the large number of clinics and non-technology BAs who do not have a background or experience in data security," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor and co-founder of the consulting firm SIMBUS Security and Privacy Services.
CEs and BAs often assume that the FTP services they use are secure because they use encryption, Herold says. "But they typically have not thought about whether the encryption used is strong," she says. "They also simply aren't aware of all the other risks that exist beyond encryption."
Some organizations also mistakenly assume "that when the NAS devices attach to the network, they automatically acquire all the network security controls as an effect of being attached to the network," Herold says. "Or, they believe the NAS devices do not need to have passwords specific to them, or anti-malware running on them, because they don't view them as being accessible by any others who are not physically present with them."
Keith Fricke, partner and principal consultant at tw-Security, notes: "What may compound the lack of awareness in this situation is that the criminals are exploiting vulnerable FTP services to use the compromised systems' computing power to generate revenue based on digital currency, such as Bitcoin. Consequently, [attackers] want to fly under the radar and not be noticed. This type of 'mining' malware works in the background, oftentimes going undetected."
Fricke says he's concerned that it may be possible for criminals to create a multi-purpose mining malware variant. "While it seeks out and infects systems running FTP services, what if it used that same compromised system to seek out other systems on the same company network running vulnerable services other than FTP - perhaps to exploit those non-FTP services for other reasons - such as distributing ransomware?"
Steps to Take
OCR urges organizations to take steps recommended by the SANS Institute to help prevent and detect cryptocurrency mining malware, including:
- Limit the ability of unauthorized users to access PC input/output systems that control the basic functions of the computer; also limit access to BIOS functions of computers in data centers and server rooms;
- Perform regular physical audits and checks for unauthorized equipment;
- Set up delivery and deployment processes to ensure only authorized access to equipment and facilities is permitted;
- Perform detailed network traffic analysis;
- Block all untrusted websites and only allow communication that is approved;
- Keep anti-malware software up to date;
- Use whitelists for applications and use software asset management applications;
- Perform real-time performance and system monitoring;
- Limit administrative privileges, change generic/shared user passwords and review access rights;
- Implement segregation or separation of duties.
Fricke stresses the importance of regularly reviewing electronic event logs of data network activity. "Logs may contain evidence that computers from countries with whom you are not doing business are attempting to or have successfully connected to your FTP services," he says.
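The kind of log review Fricke describes can be automated. The script below is an added example, not code from OCR, Sophos, Seagate or any expert quoted here: it reads vsftpd-style login lines (the sample log is constructed, with documentation-range IPs) and flags the three behaviours the article ties to Miner-C, namely credential guessing against FTP, anonymous FTP logins, and successful logins from outside an assumed internal range (10.0.0.0/8). The threshold, window and trusted range are assumptions to tune per environment.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed vsftpd-style sample log; IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mon Oct  3 10:00:59 2016 [pid 2300] CONNECT: Client "198.51.100.7"
Mon Oct  3 10:01:02 2016 [pid 2301] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Oct  3 10:01:03 2016 [pid 2302] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Oct  3 10:01:04 2016 [pid 2303] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Oct  3 10:01:05 2016 [pid 2304] [admin] OK LOGIN: Client "198.51.100.7"
Mon Oct  3 10:05:00 2016 [pid 2310] [ftp] OK LOGIN: Client "203.0.113.9", anon password "mozilla@example.com"
Mon Oct  3 10:07:00 2016 [pid 2312] [backup] OK LOGIN: Client "10.0.0.5"
"""
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
    r'(?P<anon>, anon password)?')
TRUSTED = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def analyze(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return (finding, ip, user) tuples for login events worth a closer look."""
    findings, flagged = [], set()
    fails = defaultdict(deque)  # ip -> timestamps of failures inside the window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                           # CONNECT and other non-login lines
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user, ok = m["ip"], m["user"], m["result"] == "OK"
        if not ok:
            q = fails[ip]
            q.append(ts)
            while ts - q[0] > window:       # forget failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)             # report each guessing source once
                findings.append(("brute_force", ip, user))
            continue
        if m["anon"]:                       # anonymous FTP should not be enabled
            findings.append(("anonymous_login", ip, user))
        if ipaddress.ip_address(ip) not in TRUSTED:
            findings.append(("external_login", ip, user))
        if ip in flagged:                   # guessing succeeded: rotate that account
            findings.append(("success_after_brute_force", ip, user))
    return findings
```

Running `analyze(SAMPLE_LOG)` reports the guessing source, the login that followed it, and the anonymous login; the internal backup account from 10.0.0.5 produces no finding.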
Dan Berger, CEO of security consulting firm Redspin, recommends organizations take a number of precautions when using FTP services and NAS devices, including disabling certain types of access and setting appropriate permissions.
"Where a business or operational need requires file transfer over an untrusted network, such as the internet, we advise transitioning these services to more secure file transfer protocols, such as SFTP, and using private/public key pairs for user authentication," he says. "If this is not possible, the onus is on the organization to regularly review the contents of these hosts and use an updated anti-virus/malware scanner to detect malicious software that could put the users of these services at risk."
In addition, Herold suggests that organizations "follow a risk-based decision model for choosing FTP services and all other types of services involving data." That includes asking for documented, objective verification that the service has been appropriately secured, such as with a third-party audit, penetration test report, and/or vulnerability assessment report, she says.
Herold also urges organizations to "identify the types of NAS devices that are determined to be acceptable to use on the business network, then communicate that documentation to those who use the network and may obtain such services and devices. Do not allow other non-approved services or devices to be used on the network."
It's also important to educate end users about the risks, she says. "Provide training to all network and systems users," she advises. "Make sure all workers have a basic understanding of the security and privacy risks involved with such services and devices so that they can prevent using them in risky ways simply because they were not aware of the risks."