Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information, FBI Warns

Bad guys exploit servers that allow anonymous access

In a private industry notification, the Federal Bureau of Investigation (FBI) has warned that “criminal actors” are actively targeting file transfer protocol (FTP) servers operating in “anonymous” mode and associated with medical facilities to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.

According to the notification, research conducted by the University of Michigan in 2015 found that more than one million FTP servers were configured to allow anonymous access, potentially exposing sensitive data stored on the servers. The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username, such as “anonymous” or “ftp,” without submitting a password or by submitting a generic password or email address.

Individuals are making connections to these servers to compromise PHI and PII, according to the FBI. Cyber criminals could also use an FTP server in anonymous mode and configured to allow “write” access to store malicious tools or to launch targeted cyber attacks.

“In general, any misconfigured or unsecured server operating on a business network on which sensitive data are stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes, such as blackmail, identity theft, or financial fraud,” the notification said.

The FBI recommends that medical facilities ask their information technology (IT) services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating an FTP server in anonymous mode, administrators should ensure that sensitive PHI or PII is not stored on the server.
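One way to carry out the recommended check on servers you administer, as an added example that is not part of the FBI notification or the original article: the script below audits an FTP server configuration for anonymous login and anonymous write access. It assumes the server software is vsftpd (the article names none) and relies on that daemon's documented option names and built-in defaults; both sample configurations are constructed.

```python
# Added example: audit a vsftpd.conf for anonymous-access exposure.
# Assumption: the server is vsftpd; defaults below follow its man page.
DEFAULTS = {
    "anonymous_enable": "YES",   # enabled unless the file turns it off
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "no_anon_password": "NO",
}
TRUE_VALUES = {"YES", "TRUE", "1"}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")

def parse_conf(text):
    """Return option -> value for every 'option=value' line (last one wins)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            found[key] = value
    return found

def audit(text):
    """Return a list of findings for anonymous-access exposure in one config."""
    found = parse_conf(text)
    eff = {**DEFAULTS, **found}
    on = lambda k: eff[k].upper() in TRUE_VALUES
    if not on("anonymous_enable"):
        return []
    how = "explicitly" if "anonymous_enable" in found else "by built-in default"
    findings = [f"anonymous login enabled {how}"]
    # Anonymous writes need write_enable plus at least one anon_* write option.
    writable = [k for k in ANON_WRITE if on(k)]
    if on("write_enable") and writable:
        findings.append("anonymous write access: " + ", ".join(writable))
    if on("no_anon_password"):
        findings.append("anonymous login skips the password prompt")
    return findings

# Constructed sample configurations (not taken from any real server).
SAMPLE_OPEN = "# constructed\nlisten=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
SAMPLE_CLOSED = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("open", SAMPLE_OPEN), ("closed", SAMPLE_CLOSED)):
        print(name, audit(conf) or "no anonymous exposure found")
```

The first sample never mentions `anonymous_enable`, yet it is flagged: a missing directive falls back to the daemon's default, so the audit has to reason about effective settings rather than search the file for `anonymous_enable=YES`.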

Source: FBI; March 22, 2017.