Cybercriminals prefer the easy way in, like a server with default username/password combinations or a software flaw. In the case of the Guilford County, North Carolina Emergency Medical Services (EMS) Department, the open Rsync server that manages system updates opened the door for malicious actors.
As noted by CSO Online, security researcher Chris Vickery discovered the publicly accessible system. While the county moved quickly to address the obvious threat, a clean bill of technology health may require more in-depth treatment.
Open Rsync Servers Put Lives at Risk
It all started when Vickery went looking for exposed Rsync servers. He found quite a few. Despite the prevalence of threats and compromised systems, many companies don’t recognize the risk of leaving Rsync servers out in the open.
In the case of Guilford County, Vickery assumed he’d run across an enterprise backup server until he found the administrator password. He discovered that he could both access local EMS services individually and prompt users to perform system updates while using in-vehicle computer systems.
While the county quickly changed admin passwords and pulled the server from public view, a statement noted that the system was only used to update files and stored no other information. In addition, the county said no unauthorized personnel had accessed the Rsync server.
Two problems crop up here: First, Vickery accessed the server without authorization, meaning there should be some record of his interaction with the EMS systems.
More importantly, however, is the second issue of system updating. If cybercriminals could gain admin access and prompt a fake update, it’s hardly a stretch of imagination to assume they could also craft a set of malicious files to upload in place of legitimate system patches. The potential results range from stolen personal data to a complete crash of the EMS system, putting more than 500,000 Guilford County lives at risk.
As Vickery noted, companies don’t willfully expose critical data or systems but may sacrifice security because IT teams are overworked and underfunded. Anything goes, from using free antivirus software to leaving noncritical servers on public connections, so long as organizations can still conduct day-to-day operations.
The Guilford County open Rsync issue isn’t just a one-time thing. As noted by MSP Mentor, a recent “botched” server installation exposed 31,800 private health records to the public when default settings weren’t changed during deployment, forcing a health care provider to shell out over $2 million for violating the Health Insurance Portability and Accountability Act (HIPAA).
Other concerns for enterprises include publicly accessible remote desktop protocol (RDP) servers, which can be compromised to install malicious Trojan software and collect high-value corporate data.
The treatment plan here is improved server best practices. No matter the industry or the purpose, servers should always be pulled off the public grid and have default settings, usernames and passwords changed.
Cybercriminals have proven repeatedly that theoretically unimportant or trivial server functions can be used as initial compromise points and leveraged to gain access. Publicly accessible means potentially compromised. Stay out of harm’s way by keeping servers out of sight.