March 30, 2017 By Larry Loeb 2 min read

The FBI issued Private Industry Notification 170322-001 to smaller heath care offices about how cybercriminals are using an old method involving an FTP server to gain access to personally identifiable information (PII) about patients. The notification was launched March 22, 2017.

The warning focused on the file transfer protocol (FTP), an early way to share files remotely over the internet. Client programs would directly access servers that understood FTP and exfiltrate requested files. This method was largely made obsolete by more convenient file transfer methods.

However, the FBI cited 2015 research from the University of Michigan, which stated that 1 million FTP servers have been configured to allow anonymous access. And last year, security researcher Minxomat found about 800,000 anonymous FTP services were exposed, Network World noted.

Accessing Information With an FTP Server

Anonymous FTP, as it is called, does not require any authentication before granting access to the files on the system. It has long been recommended that a server with this service host only public files.

But smaller health care offices may use older, less sophisticated systems that could have been either misconfigured or not properly maintained. These offices may also have a limited understanding of what required routine maintenance entails; they could have anonymous FTP enabled by default, as opposed to a larger provider that has upgraded and tweaked its system.

The FBI warned that although the PII on these less sophisticated systems is of value, cybercriminals may just want the network access to carry out their own plans. While the personal health information (PHI) stored on these systems is protected by HIPAA statute and could be used maliciously by bad actors, it’s not the only issue associated with anonymous FTP.

Bad actors could warehouse the files used in malware distribution schemes in these convenient FTP silos, for example. Using these compromised systems in some distributed denial-of-service (DDoS) attacks might be expected as well.

Peter Merkulov, vice president of product strategy and technology alliances for Globalscape, told CSO Online that he doesn’t even use non-anonymous FTP, since it is so dangerous and dated. He doesn’t see it used much these days, and if he does, it is usually an out-of-date implementation — such as a larger office whose forgotten implementation remains up because it just was never removed.

FBI Recommendations

The FBI recommended that health care entities contact their respective IT services personnel to scan office networks for anonymous FTP servers. Should the office have a legitimate use for operating a FTP server in anonymous mode, administrators must ensure that sensitive PHI or PII will not be stored on the server. If the FTP server is not needed, then the prudent course of action would be to shut it down so it can’t be used to create an attack vector.

More from

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

How I got started: Cyber AI/ML engineer

3 min read - As generative AI goes mainstream, it highlights the increasing demand for AI cybersecurity professionals like Maria Pospelova. Pospelova is currently a senior data scientist, and data science team lead at OpenText Cybersecurity. She also worked at Interest, an AI cybersecurity company acquired by MicroFocus and then by OpenText. She continues as part of that team today.Did you go to college? What did you go to school for?Pospelova: I graduated with a bachelor’s degree in computer science and a master’s degree…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today