The FBI issued Private Industry Notification 170322-001 to smaller heath care offices about how cybercriminals are using an old method involving an FTP server to gain access to personally identifiable information (PII) about patients. The notification was launched March 22, 2017.

The warning focused on the file transfer protocol (FTP), an early way to share files remotely over the internet. Client programs would directly access servers that understood FTP and exfiltrate requested files. This method was largely made obsolete by more convenient file transfer methods.

However, the FBI cited 2015 research from the University of Michigan, which stated that 1 million FTP servers have been configured to allow anonymous access. And last year, security researcher Minxomat found about 800,000 anonymous FTP services were exposed, Network World noted.

Accessing Information With an FTP Server

Anonymous FTP, as it is called, does not require any authentication before granting access to the files on the system. It has long been recommended that a server with this service host only public files.

But smaller health care offices may use older, less sophisticated systems that could have been either misconfigured or not properly maintained. These offices may also have a limited understanding of what required routine maintenance entails; they could have anonymous FTP enabled by default, as opposed to a larger provider that has upgraded and tweaked its system.

The FBI warned that although the PII on these less sophisticated systems is of value, cybercriminals may just want the network access to carry out their own plans. While the personal health information (PHI) stored on these systems is protected by HIPAA statute and could be used maliciously by bad actors, it’s not the only issue associated with anonymous FTP.

Bad actors could warehouse the files used in malware distribution schemes in these convenient FTP silos, for example. Using these compromised systems in some distributed denial-of-service (DDoS) attacks might be expected as well.

Peter Merkulov, vice president of product strategy and technology alliances for Globalscape, told CSO Online that he doesn’t even use non-anonymous FTP, since it is so dangerous and dated. He doesn’t see it used much these days, and if he does, it is usually an out-of-date implementation — such as a larger office whose forgotten implementation remains up because it just was never removed.

FBI Recommendations

The FBI recommended that health care entities contact their respective IT services personnel to scan office networks for anonymous FTP servers. Should the office have a legitimate use for operating a FTP server in anonymous mode, administrators must ensure that sensitive PHI or PII will not be stored on the server. If the FTP server is not needed, then the prudent course of action would be to shut it down so it can’t be used to create an attack vector.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker is cracking…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.Understanding Attack Surface ManagementHere are some key…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor for…