You read that right. An astonishing 2.3 billion files were made publicly available recently and distributed around the globe by misconfigured and non-secured technologies used to store this data such as Amazon S3 buckets, Server Message Block (SMB), File Transfer Protocol (FTP) and rsync servers, as well as network-attached storage drives.
Based on an analysis from a strategic partner of Guard Street, it has been determined that the United States still had the highest amount of exposure for any single country, at more than 326 million files. France and Japan lead their regions, with 151 million and 77 million files exposed, respectively.
The SMB protocol exposed the most data among the technologies analyzed. FTP and rsync servers claimed 20 percent and 16 percent of the exposure detected, respectively. One good piece of news is that although Amazon S3 bucket exposure for the last year had increased overall, we see a decline in exposure following the release of a new feature called “Block Public Access,” which does exactly what you would think it does. It’s a significant step in the right direction and we hope people take notice of this.
Health care data, PII, and third-party exposure
Our strategic partner also researched the type of information exposed to the open internet, with no protection what-so-ever.
In total, they detected approximately 4.7 million medical-related files, some seemingly innocuous or at least not overtly sensitive, but others were patient records, doctors’ notes, and medical images like X-ray scans. Health care data is some of the most private that we have and to expose this information without any protections is shocking.
They detected several instances of personal NAS drives openly storing things like job applications, passport scans and asset documents, all of which contained sensitive, personally identifiable information for the individuals.
They also found another example of third-party exposure, with a small IT consulting firm exposing passwords for their client’s systems in plain text. We all need to be better about securing this data.
Millions of ransomware-encrypted files detected
It appears that threat actors are also attempting to monetize this exposure. Our strategic partner detected 2 million files were encrypted by the Samba server-targeting variant “NamPoHyu,” all within the last few months alone. In total, 17 million files had been held hostage by various ransomware variants. The best practice when it comes to ransomware infections is always to keep current backups – a line we’ve heard over and over again. However, what happens if even those files get encrypted by NamPoHyu or some other variant? Securing those backups is also crucial.
How to solve these issues for the following technologies:
- Use Amazon S3 Block Public Access to limit public exposure of buckets which are intended to be private.
- Enable logging through AWS to monitor for any unwanted access or potential exposure points.
- If possible, block ports 139 and 445 from the internet. IP whitelisting should be used to enable only those systems that are authorized to access those shares, are indeed the only ones accessing those shares. Also, usernames with complex passwords should be utilized.
- If only used internally, block port 837 to disallow any external connections to rsync servers.
- Use SSH File Transfer Protocol (SFTP) as an update to FTP which adds SSH encryption to the protocol.
- As with FTP servers, network attached storage (NAS) drives should be placed internally behind a firewall, and access control lists should be used to prevent unwanted access.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails and schedule a demo here. Or, go to www.guardstreetcyberpro.com.
