‘Anonymous’ FTP Servers Leaving Healthcare Data Exposed

The FBI warned medical and dental offices running FTP servers in anonymous mode that criminals are targeting these installations and stealing personal healthcare information.

Hackers craving personal health care information are targeting exposed FTP servers.

The FBI issued a warning last week that focused on an increase in criminal activity targeting FTP servers used by medical and dental organizations that are configured to allow anonymous access without authentication.

“The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or e-mail address,” the FBI bulletin said. “While computer security researchers are actively seeking FTP servers in anonymous mode to conduct legitimate research, other individuals are making connections to these servers to compromise PHI and PII for the purposes of intimidating, harassing, and blackmailing business owners.”

Medical data and the healthcare industry has been in the crosshairs of cybercrime since the transition to electronic health care data began in earnest. Healthcare officials have been urged to lock down access to patient data and medical devices critical to patient care.

This hasn’t stopped criminals from successfully attacking health care networks with ransomware, or targeting hospitals or connected medical equipment vital to care in healthcare facilities.

The exposed FTP servers, the FBI warns, could also be used as a launchpad for other attacks against the network.

‘Cyber criminals could also use an FTP server in anonymous mode and configured to allow ‘write’ access to store malicious tools or launch targeted cyber attacks,” the FBI said. “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”

FTP servers are just the latest weak spot when it comes to exposed services online. Most of the attention-grabbing news of late has been concentrated around open databases and poorly protected IoT and embedded connected devices.

A rash of MongoDB attacks in the past 12 months has left a number of enterprises and commercial businesses reeling. Attackers are using automated attacks to find the installations secured with weak or default credentials before copying and deleting data stored on these instances and demanding a ransom for their return.

Researchers count more than 56,000 exposed MongoDB databases, and believe that close to half have been attacked and held hostage. This phenomenon isn’t confined to MongoDB; 58 percent of 18,000 Elasticsearch servers were attacked and held for ransom while 10 percent of 4,500 exposed CouchDB servers were attacked.

Healthcare data, meanwhile, has been coveted for much longer. Last June, a Dark Web site was selling 655,000 healthcare records that were stolen using exploits for a vulnerability in RDP implementations in three medical organizations.

The FBI asks healthcare organizations to report any intrusions to local field offices, or its Cyber Watch (CyWatch) outfit. In the meantime, the FBI advises admins to inventory their FTP servers for any running in anonymous mode.

“If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server,” the FBI said.

Suggested articles