Cyber criminals are targeting File Transfer Protocol (FTP) servers in ways that may compromise the security of protected health information (PHI) and personally identifiable information (PII), according to a recent FBI warning.
Citing research from the University of Michigan, the FBI explained that some FTP servers are configured to allow anonymous access, which can expose sensitive data stored on them.
“The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or e-mail address,” the warning stated.
“While computer security researchers are actively seeking FTP servers in anonymous mode to conduct legitimate research, other individuals are making connections to these servers to compromise PHI and PII for the purposes of intimidating, harassing, and blackmailing business owners.”
Furthermore, an anonymous-mode FTP server that also grants "write" access can be used by cyber criminals to store malicious tools or as a staging point for a targeted cyber attack.
“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud,” the FBI maintained.
The agency recommended that medical and dental healthcare entities ask their IT staff or service providers to check their networks for FTP servers running in anonymous mode. If an organization has a "legitimate use" for operating a server in anonymous mode, the FBI urged that no PHI or PII be stored on it.
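The check the FBI recommends can be scripted. The following is an added example, not the FBI's tooling: it attempts the anonymous logins the warning describes ("anonymous" or "ftp", with no password or a generic e-mail address), samples the directory listing, and then probes for write access by storing and deleting a small file. The hostnames and the `FakeFtp` class are constructed so the example runs offline; `audit_host` is the function to use against real servers.

```python
"""Find FTP servers that accept anonymous logins, and check whether the
anonymous account can write, which is what the FBI warning describes.

Added example, not the FBI's tooling. FakeFtp and the host list are
constructed for offline demonstration; ftplib is the standard library."""
import ftplib
import io
from dataclasses import dataclass, field

# Credential pairs named in the FBI warning: "anonymous" or "ftp", with no
# password or a generic e-mail address.
ANONYMOUS_CREDS = (("anonymous", "anonymous@example.com"), ("ftp", ""), ("anonymous", ""))
PROBE_NAME = ".anon_write_probe.txt"  # tiny file used to test write access


@dataclass
class FtpFinding:
    host: str
    reachable: bool = False
    anonymous_login: bool = False
    writable: bool = False
    listing: list = field(default_factory=list)
    error: str = ""

    @property
    def severity(self) -> str:
        if self.writable:
            return "HIGH"      # attacker can stage tools on the server
        if self.anonymous_login:
            return "MEDIUM"    # anything stored here is exposed
        return "INFO"


def assess_session(ftp, host):
    """Run the checks over a connected ftplib.FTP (or any object with its
    login/nlst/storbinary/delete methods)."""
    finding = FtpFinding(host=host, reachable=True)
    for user, passwd in ANONYMOUS_CREDS:
        try:
            ftp.login(user, passwd)
            finding.anonymous_login = True
            break
        except ftplib.error_perm:        # 530: pair refused, try the next one
            continue
    if not finding.anonymous_login:
        return finding
    try:
        finding.listing = ftp.nlst()[:20]   # sample of what is exposed
    except ftplib.all_errors as exc:
        finding.error = f"listing failed: {exc}"
    try:
        ftp.storbinary(f"STOR {PROBE_NAME}", io.BytesIO(b"probe"))
        finding.writable = True
        try:
            ftp.delete(PROBE_NAME)          # clean up after ourselves
        except ftplib.all_errors:
            finding.error = "wrote probe file but could not delete it"
    except ftplib.all_errors:
        pass                                # write refused: expected on a read-only share
    return finding


def audit_host(host, port=21, timeout=5.0):
    """Connect to a real server and assess it."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors as exc:        # includes OSError (refused, timeout)
        return FtpFinding(host=host, error=str(exc))
    try:
        return assess_session(ftp, host)
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


class FakeFtp:
    """Constructed stand-in for a server so the example runs offline."""
    def __init__(self, allow_anonymous, allow_write, files=()):
        self.allow_anonymous, self.allow_write = allow_anonymous, allow_write
        self.files = list(files)

    def login(self, user, passwd):
        if not self.allow_anonymous:
            raise ftplib.error_perm("530 Login incorrect.")

    def nlst(self):
        return list(self.files)

    def storbinary(self, cmd, fp):
        if not self.allow_write:
            raise ftplib.error_perm("550 Permission denied.")
        self.files.append(cmd.split(" ", 1)[1])

    def delete(self, name):
        self.files.remove(name)


if __name__ == "__main__":
    # Offline run against constructed servers; use audit_host(host) for real ones.
    samples = {
        "nas-01.example.internal": FakeFtp(True, True, ["patients.csv"]),
        "ftp-02.example.internal": FakeFtp(True, False, ["readme.txt"]),
        "ftp-03.example.internal": FakeFtp(False, False),
    }
    for host, fake in samples.items():
        f = assess_session(fake, host)
        print(f"{f.severity:6} {host} anon={f.anonymous_login} write={f.writable} files={f.listing}")
```

Run it against your own address space only, and note that the write probe leaves a file behind on a server that allows STOR but not DELE; the finding records that case so the file can be removed by hand.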
FTP security measures are essential to healthcare organizations, especially as covered entities continue to expand their data storage options.
OCR also urged healthcare organizations to take care in their FTP usage in its October 2016 Cyber Newsletter.
Starting in 2016, network-attached storage (NAS) devices began to fall victim to a serious type of malware that exploited the FTP service running on them, according to OCR.
“According to a recent report by Softpedia, Sophos, a computer security firm, gathered telemetry data that indicated 70 percent of a certain vendor’s NAS devices connected to the internet were infected with a malware variant called Mal/Miner-C (also known as PhotMiner),” OCR stated. “Sophos researchers claim that out of 7,000 of these NAS devices connected to the internet, 5,000 were infected with this malware by cybercriminals who also collected $86,000 in cryptocurrency like bitcoin and monero from cryptocurrency mining related to this attack.”
The malware spread to new machines by brute-forcing FTP logins with a list of default credentials.
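Spreading by brute-forcing FTP logins with default credentials leaves a recognisable trace in the FTP server's own log: a burst of failed logins from one client, usernames such as admin or root, and sometimes a success at the end. The following is an added example, not OCR's or Sophos's code, of detection logic run over constructed log lines written in vsftpd's style. The five-minute window, the failure threshold and the default-username list are assumptions to tune for your environment.

```python
"""Flag FTP brute-force activity of the kind OCR attributes to Mal/Miner-C:
repeated login failures from one client, attempts against default usernames,
and a success that follows the failures.

Added example, not OCR's or Sophos's code. The sample log is constructed in
vsftpd's log style; thresholds and DEFAULT_USERS are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)
# Usernames commonly shipped as defaults on NAS appliances (assumption).
DEFAULT_USERS = {"admin", "root", "ftp", "anonymous", "user", "guest"}


def parse_line(line):
    """Return {ts, user, ok, ip} for a login line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m["user"], "ok": m["result"] == "OK", "ip": m["ip"]}


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: finding} for clients whose FAIL LOGIN count inside any
    `window` reaches `threshold`. A finding notes which default usernames
    were tried and whether an OK LOGIN after the failures means the
    attack probably succeeded."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        burst, start = False, 0
        for end in range(len(fails)):               # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0]["ts"]
        success = next((e for e in evs if e["ok"] and e["ts"] >= first_fail), None)
        findings[ip] = {
            "failures": len(fails),
            "default_users_tried": sorted({e["user"] for e in fails} & DEFAULT_USERS),
            "compromised": success is not None,
            "compromised_user": success["user"] if success else None,
        }
    return findings


def build_sample_log():
    """Constructed sample in vsftpd's style (not real data): one client makes
    12 failed logins in 22 seconds and then gets in as admin; a real user
    mistypes once and then logs in normally."""
    t0 = datetime(2016, 9, 12, 10, 0, 0)
    fmt = '%a %b %d %H:%M:%S %Y [pid {pid}] [{user}] {res} LOGIN: Client "{ip}"'
    attacker, tried = "203.0.113.7", ["admin", "root", "ftp", "admin"]
    lines = []
    for i in range(12):
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(ts.strftime(fmt).format(pid=4000 + i, user=tried[i % 4], res="FAIL", ip=attacker))
    lines.append((t0 + timedelta(seconds=30)).strftime(fmt).format(pid=4012, user="admin", res="OK", ip=attacker))
    lines.append((t0 + timedelta(minutes=1)).strftime(fmt).format(pid=4020, user="jdoe", res="FAIL", ip="198.51.100.4"))
    lines.append((t0 + timedelta(minutes=1, seconds=5)).strftime(fmt).format(pid=4021, user="jdoe", res="OK", ip="198.51.100.4"))
    return lines


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(build_sample_log()).items():
        print(ip, finding)
```

The "compromised" flag is the one to page on: a burst of failures alone is noise on any internet-facing FTP service, but a success from the same client after the burst is the moment the device joins the miner's pool of hosts.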
“This type of malware can affect an information system’s performance by eating up a system’s computing power, and slowing down other system processes,” OCR wrote.
OCR recommended that organizations adhere to guidelines from the SANS Institute to prevent such attacks. Along with regular physical audits and checks for unauthorized equipment, entities should limit the ability of unauthorized users to access sensitive systems.
Organizations must also ensure that only authorized personnel have access to facilities and equipment, especially during delivery, setup and deployment.
It will also be important for entities to keep anti-virus and anti-malware software up to date, perform detailed network-traffic analysis, and block all untrusted websites so only approved communication occurs.
Installing and running cryptocurrency mining software is easy, according to SANS.
“It is highly likely that there are many companies that have mining applications running in their environment without their noticing or knowing the financial and operational damage they may be causing,” the institute explained.
“A miner confirms the transactions on the crypto currency network and writes it into a general ledger. The general ledger is a block-chain or a long list of blocks. This is used to explore all transactions made at any point on the network. When a new block is created, it is added to the block-chain.”