FBI Warning about Cyber-Vulnerable FTP Servers

April 2017

On March 22, 2017, the FBI released a Private Industry Notification warning medical and dental facilities about the vulnerability of File Transfer Protocol (FTP) servers operating in “anonymous” mode to cyberattack. Often a default setting, anonymous mode enables a user to access the FTP with a common username, either without using a password or by submitting a generic password or email address. According to research conducted by the University of Michigan, over 1 million FTP servers are configured to allow anonymous authentication.

Per the FBI’s guidance, cybercriminals are actively seeking out FTP servers in anonymous mode to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass or blackmail business owners, or to sell stolen information on the dark web. Hackers can also use an FTP server in anonymous mode and configured with “write” permissions to store malicious payloads and potentially incriminating content, laying the groundwork for ransomware or other sophisticated methods of cyber extortion.
The FBI recommends medical and dental facilities check their networks for FTP servers running in anonymous mode and either disable anonymous authentication or, if anonymous mode is necessary for legitimate business purposes, ensure sensitive PHI or PII is not stored on the server.

The FBI issues Private Industry Notifications, or PINs, in conjunction with private sector information and other government agencies, as a means to quickly share information with relevant entities. The PIN’s Traffic Light Protocol (TLP) designation—in this case, TLP: Green—indicates the level of sensitivity of the information shared and is used to facilitate greater collaboration between the private and public sectors. The government relies heavily on threat intelligence from the private sector to develop a clear picture of cyber adversaries and their intentions, and must balance disclosure of vital industry intelligence with data privacy needs. While this vulnerability of FTP servers to attack is not a new development, the issuance of the PIN suggests the FBI is investigating or has received evidence of an increase in this type of threat activity at medical and dental facilities.

For those hoping to see healthcare step out of the cyber limelight in 2017, early indicators suggest that is wishful thinking. Forrester Research predicts that, as a result of industry consolidation, fragmented security and the sheer volume of patient data housed, healthcare data breaches in 2017 will rival breaches in the retail industry both in terms of size and frequency. Cyberattacks of the ransomware variety are also predicted to increase. Ransomware attacks were cited by FBI Director James B. Comey as the biggest threat to healthcare providers during a keynote address at the 2017 Boston Conference on Cybersecurity. (Read our insights on ransomware here.)

But large healthcare insurer and provider conglomerates aren’t the only industry players vulnerable to attack, as the FBI’s latest PIN evidences. Small healthcare practices, which often rely on legacy IT systems and may lack basic cyber controls, are easy targets for cybercriminals on the hunt for quick, lucrative wins. According to data from IBM, small and mid-sized businesses are hit by 62 percent of all cyberattacks—about 4,000 attacks per day. The cost for post-data breach clean up? An average price of $690,000 for small businesses and over $1 million for middle market organizations.

Practicing good cyber hygiene to ensure the integrity of the network is critical for healthcare organizations of all sizes. A comprehensive technology risk assessment can help companies proactively identify and address vulnerabilities, as well as prioritize future cyber investments based on level of risk and exposure. Companies may also want to consider implementing the HITRUST CSF–the most widely adopted security framework in the U.S. healthcare market—to facilitate cyber readiness and HIPAA compliance. To augment the threat advisories issued by the FBI, qualifying organizations can sign up for free early warning notifications from the HITRUST Cyber Threat Xchange.

Companies facing elevated cyber risk, particularly smaller businesses that may not be high on regulators’ or law enforcement’s radars, are also encouraged to proactively establish a relationship with the local FBI office and/or participate in their local Infragard chapter.