The FBI issued Private Industry Notification 170322-001 to smaller heath care offices about how cybercriminals are using an old method involving an FTP server to gain access to personally identifiable information (PII) about patients. The notification was launched March 22, 2017.

The warning focused on the file transfer protocol (FTP), an early way to share files remotely over the internet. Client programs would directly access servers that understood FTP and exfiltrate requested files. This method was largely made obsolete by more convenient file transfer methods.

However, the FBI cited 2015 research from the University of Michigan, which stated that 1 million FTP servers have been configured to allow anonymous access. And last year, security researcher Minxomat found about 800,000 anonymous FTP services were exposed, Network World noted.

Accessing Information With an FTP Server

Anonymous FTP, as it is called, does not require any authentication before granting access to the files on the system. It has long been recommended that a server with this service host only public files.

But smaller health care offices may use older, less sophisticated systems that could have been either misconfigured or not properly maintained. These offices may also have a limited understanding of what required routine maintenance entails; they could have anonymous FTP enabled by default, as opposed to a larger provider that has upgraded and tweaked its system.

The FBI warned that although the PII on these less sophisticated systems is of value, cybercriminals may just want the network access to carry out their own plans. While the personal health information (PHI) stored on these systems is protected by HIPAA statute and could be used maliciously by bad actors, it’s not the only issue associated with anonymous FTP.

Bad actors could warehouse the files used in malware distribution schemes in these convenient FTP silos, for example. Using these compromised systems in some distributed denial-of-service (DDoS) attacks might be expected as well.

Peter Merkulov, vice president of product strategy and technology alliances for Globalscape, told CSO Online that he doesn’t even use non-anonymous FTP, since it is so dangerous and dated. He doesn’t see it used much these days, and if he does, it is usually an out-of-date implementation — such as a larger office whose forgotten implementation remains up because it just was never removed.

FBI Recommendations

The FBI recommended that health care entities contact their respective IT services personnel to scan office networks for anonymous FTP servers. Should the office have a legitimate use for operating a FTP server in anonymous mode, administrators must ensure that sensitive PHI or PII will not be stored on the server. If the FTP server is not needed, then the prudent course of action would be to shut it down so it can’t be used to create an attack vector.

More from

Did Brazil DSL Modem Attacks Change Device Security?

From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims' computers. According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil's Computer Emergency Response Team, the attack ultimately…

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

Securing Your SAP Environments: Going Beyond Access Control

Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit…