In an alert sent to medical and dental healthcare entities, the FBI is asking organizations to check and secure their FTP servers against hackers seeking protected health information (PHI) and personally identifiable information (PII).
The FBI says hackers are using information they find on unsecured FTP servers to "intimidate, harass, and blackmail business owners."
The Agency's alert is consistent with reports from the infosec community. Over the past year, attacks on healthcare organizations have increased, and one hacker in particular, known as TheDarkOverlord, has been extremely active.
The FBI’s alert – a PIN (Private Industry Notification) – specifically mentions unsecured (anonymous) FTP servers that allow anyone to log in with the “anonymous” or “ftp” username and no real password (by convention the server accepts any string, usually an email address, in the PASS command). Anything such a server exposes is effectively public, and because FTP sends commands and data in cleartext, even servers that do require a password leak those credentials to anyone on the network path.
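The PIN describes the exposure but not how to test for it. The following is an added example (not code from the FBI notice or from the article) showing the check a practitioner would run against their own hosts: attempt the standard anonymous login with Python's ftplib and record the server's verdict. Because this must run offline, the block also includes a constructed stand-in FTP daemon (`FakeFtpServer`, a hypothetical name) that speaks just enough of the protocol (USER/PASS/QUIT) to show both an open and a locked-down server; against a real inventory you would call `check_anonymous_ftp` with the actual hosts instead.

```python
"""Check whether an FTP server accepts the anonymous login the FBI PIN warns about."""
import ftplib
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Try USER anonymous / PASS anonymous@ and report what the server does.

    Returns a dict: anonymous_login is True only if the server answered 2xx
    to the PASS command, i.e. the box is open to anyone on the Internet.
    """
    result = {"host": host, "port": port, "anonymous_login": False,
              "banner": None, "detail": None}
    ftp = ftplib.FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout)
        # ftplib fills in "anonymous@" as the password when none is given,
        # which is exactly what a casual attacker or mass scanner sends.
        result["detail"] = ftp.login("anonymous")
        result["anonymous_login"] = True
    except ftplib.error_perm as exc:          # 5xx reply: login refused
        result["detail"] = str(exc)
    except (OSError, ftplib.Error) as exc:    # closed port, timeout, bad protocol
        result["detail"] = f"{type(exc).__name__}: {exc}"
    finally:
        if ftp.sock is not None:
            try:
                ftp.quit()                    # be polite: QUIT, then close
            except (OSError, ftplib.Error, EOFError):
                ftp.close()
    return result


class FakeFtpServer(threading.Thread):
    """Constructed stand-in for an FTP daemon (not a real server): it answers
    USER, PASS and QUIT on 127.0.0.1 and nothing else, so the check above can
    be exercised without network access."""

    def __init__(self, allow_anonymous):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        user = None
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 constructed-ftpd ready\r\n")
            for raw in lines:
                cmd, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.lower()
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd == "PASS":
                    if self.allow_anonymous and user in ("anonymous", "ftp"):
                        conn.sendall(b"230 Login successful.\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect.\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")


def demo():
    """Run the check against two constructed servers: one open, one locked down."""
    findings = []
    for allow in (True, False):
        server = FakeFtpServer(allow_anonymous=allow)
        server.start()
        findings.append(check_anonymous_ftp("127.0.0.1", server.port))
    return findings


if __name__ == "__main__":
    for finding in demo():
        status = "OPEN (anonymous login accepted)" if finding["anonymous_login"] else "refused"
        print(f"{finding['host']}:{finding['port']} -> {status}: {finding['detail']}")
```

A server that answers 230 here is the case the PIN describes; note that the check only proves a login is accepted, so an auditor would follow it with a directory listing (and an upload attempt, to find writable shares) before deciding what is actually exposed.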
The PIN alert even cites research published by the University of Michigan in 2015, titled “FTP: The Forgotten Cloud,” in which researchers revealed they discovered one million anonymous FTP servers exposed on the Internet.
In September 2016, a security researcher known as Minxomat repeated the scan. Despite the passage of nearly two years, the number of exposed anonymous FTP servers had barely moved: the researcher found 796,578 such servers across the IPv4 address space.
Beyond leaking sensitive user and company data, the FBI said, these exposed FTP boxes can also be abused by criminals to host malicious files for malware distribution (on servers that additionally allow anonymous uploads) or be hijacked for DDoS attacks.
For one person, the FBI’s alert is more painful than for most: Justin Shafer, a dental software researcher.
The FBI raided Shafer’s home in 2016 after the researcher found unencrypted patient data exposed on a healthcare company’s FTP server. Instead of thanking the researcher for his findings, the company complained to the FBI, claiming Shafer had hacked its server, when in reality the data had been left exposed to anyone who took the time to look for it.