WEBINAR | From Deal to Defense: Unifying Cybersecurity Post-M&A
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
March 15, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
Originally published May 2019
2.3 billion is a massive number. It’s hard even to wrap your head around; what do I have 2.3 billion of? Video games? No. Books? No. Dollars? …
Certainly not. What about files coming from various file stores on the internet? Not me, personally, but currently 2.3 billion files are being made publicly available by misconfigured and non-secured technologies used to store this data such as Amazon S3 buckets, Server Message Block (SMB), File Transfer Protocol (FTP) and rsync servers, as well as network-attached storage drives. This is an issue that Digital Shadows’ Photon Research Team initially brought to light in 2018 with our Too Much Information report, which detailed the discovery of 1.5 billion files. Well, one year and one massive data privacy regulation (GDPR) later, we’re back for the sequel: Too Much Information: The Sequel, to be exact.
One full year has passed since Digital Shadows’ Photon Research Team looked at the data exposure landscape among online file storage technologies like Server Message Block (SMB) file shares, rsync servers, and Amazon Simple Storage Service (S3) buckets. There are now 750 million more files exposed than we reported last year; not all of them are blatantly sensitive, but there is plenty of gold in these mountains. Several developments over the past year have had an effect—positive and negative—on the data exposure landscape, prompting Photon to re-examine what files are still exposed and updates within the landscape.
Some of our key findings:
As of May 16, 2019, there are over 2.3 billion files exposed across online files stores like Amazon S3 buckets, SMB-enabled file shares, and NAS drives. Let that number sink in (we’ll wait) …2.3 billion. To give some perspective, that’s the amount in dollars that the latest Marvel movie spectacle Avengers: Endgame raked in at the box office within three short weeks of its release. We promise there are no spoilers in this report.
In Photon’s research for our Too Much Information report published last year, we spotted just over 1.5 billion files, thinking that alone was incredible. Using the same proprietary research technology, we’ve now detected an additional 750 million files. Last year the United States had the highest amount of exposure across online file repositories and, well, not much has changed in that respect. Our aim isn’t to place blame on any one country for the massive amount of file exposure, but there’s a healthy spread of light criticism to go around. While the United States left over 326 million files exposed, France accounted for 151 million of its own files, the United Kingdom claimed 98 million, and Japan was responsible for 77 million. As we said last year, this is a global problem that is getting even more out of hand. Countries nestled in the European continent collectively exposed the highest number of files, accounting for over 1 billion (ahem…GDPR), with another 400 million coming from the Asia-Pacific region and 590 million from across the Americas.
Figure 1: Geographic distribution across most of the file storage technologies analyzed.
Across those 2.3 billion files, nearly 50 percent (okay, 46 percent, to be specific) were exposed through SMB file shares: 1.071 billion files, representing a 547.6 million file increase. This takes a much bigger “chunk of the pie” than the other sources, when you look at the data laid out in Figure 2. Although rsync and FTP accounted for less of the overall exposure, only exposed rsync files actually decreased since last year, to 53.7 million files. FTP-hosted files increased by over 54 million, essentially cancelling out rsync’s decline.
Amazon S3 buckets, WebIndexes, and NAS drives also increased their overall exposure in the past year—by 79.7 million, 103 million, and 19.9 million files, respectively. But one of the main points from last year still stands true, looking at the pie chart below: Even though Amazon S3 buckets had the lion’s share of bad press and media coverage, there’s much more to the story than those caches alone.
The fact that SMB-enabled file share exposure nearly doubled in the past year is troubling for a couple of different reasons. Reason #1: We’re not entirely sure why that’s the case, although there have been some updates that could be potential indicators. In June 2018 Amazon AWS Storage Gateway added SMB support that allowed file-based applications developed for Microsoft Windows an easy way to store and access objects in Amazon S3. In November 2018 threat intelligence published by Akamai stated that threat actors were intentionally opening SMB ports 139 and 445 for their malicious purposes. Could this be blamed for the uptick? Reason #2 will come later.
Overall, each of the source types we assessed, whether FTP servers, misconfigured websites (WebIndex), or NAS drives, increased their overall exposure counts from last year. The issue of accidental exposure has never been more real. Photon set out to detail not only the kinds of data floating around in the Internet ether but why their exposure is an issue.
Figure 2: Overall file storage exposures by percentage and number.
Ah, ransomware…the never-ending extortion trend. The troubles and woes that ransomware can cause to businesses and individuals are well documented, starting with attackers encrypting files and holding them for “ransom”, and promising a decryption key once the victim pays the attacker, typically in Bitcoin. The standard mitigation the security community advises for those fearing a ransomware attack is to back up your files so that, in case you’re infected, you can quickly revert to saved copies and avoid downtime or payments to the attackers. But what if your backups have been encrypted by either the same variant that locked you out of your system or another variant entirely?
Figure 3: Detected files encrypted by the NamPoHyu ransomware over time.
We detected millions of ransomware-encrypted files across the various file stores that are often used to back up systems; 17,141,587, to be exact. One variant, in particular, caught our eye: NamPoHyu. It was discovered in April 2019 as an update to the MegaLocker variant, and targets systems a little differently than traditional ransomware, by going after vulnerable Samba servers. Side note: Samba is the open-source implementation of the SMB protocol that runs on Unix-based systems and allows for file communication to Windows operating systems. We couldn’t find any numbers to suggest how widespread this ransomware may be, so we found some ourselves: Over 2 million files have been encrypted with the .nampohyu file extension, beginning around the first week of April 2019. Backing up data is not the only solution to the problem of ransomware: Secure those backups, too.
As a bonus for Digital Shadows fans, you’ll recall in our previous paper A Tale of Epic Extortions, the Photon team detailed how the “SamSam” ransomware operators gained access to victims’ networks and held sensitive data hostage. As the analysis of our ransomware data continued, one particular file extension, .otherinformation, seemed familiar. It is, in fact, a known extension added to files that have been encrypted by the SamSam ransomware. As we combed through the data using other known extensions associated with SamSam, we detected more instances of SamSam infections that hadn’t been reported publicly. In one instance, a small university in California was infected, in January 2017, and another victim was a digital marketing firm for the automotive industry. Although this discovery is somewhat moot, due to the November 2018 United States Department of Justice indictments of the two alleged Iranian perpetrators of the SamSam attacks, it’s an exciting finding, regardless.
Healthcare data collected by hospitals—like patient diagnoses, medical images, and operational data—should be some of the most secured information, end of story. Stolen finances can be reclaimed and passwords to accounts can be changed, but profoundly personal information about your health can’t be rehabilitated with a few keystrokes. Unfortunately, there are about 4.7 million medical-related files exposed online through the file repositories we analyzed. Most of them are DICOM1 (.dcm) medical imaging files—about 4.4 million, which is double the number we saw last year (2.2 million).
As with all of the cases we discuss in this paper, not every single one of the exposed files is going to contain something sensitive. However, the sheer amount of information exposed illustrates the extent of individuals’ privacy violations, and of regulations like HIPAA2 in the United States. DICOM files were the most abundant type found, but there were others; among the 300,000 or so found were Health-Level 7 (HL7) and the HIPAA healthcare transaction format X12.
1. Digital Imaging and Communications in Medicine 2. Health Insurance Portability and Accountability Act of 1996
Photon discovered an open FTP server that belonged to an unwitting individual and contained everything an attacker would need to conduct identity theft: job applications, personal pictures, passport scans, and bank statements, all completely open for the world to see. Even though businesses are often the loudest voices regarding financial crimes and are likely responsible for a lot of the data currently exposed, this instance highlights the profoundly personal side of the issue. If an attacker wanted to gain access to this individual’s bank account, they’d need to perform only minor social engineering of the victim’s bank, as all the information they would need is entirely accessible. This could be devastating to them or their family if they don’t catch the fraud in time or are simply unaware that it’s happening. Applying for loans, directly stealing money from a bank account, or selling the information online are just a few ways that criminals could monetize this exposure.
There’s been a boatload of discussion about third-party and supply-chain risk these days, and it’s easy to see why. Companies look to third parties to grow their businesses as their digital footprints continue to grow and expand online. In its annual report Data Risk in the Third-Party Ecosystem, Ponemon Institute surveyed over 1,000 security practitioners in the United States and United Kingdom, finding that 59 percent of their organizations had been hit by a data breach because of a third party.
Take IT management, for example. A construction company that manages building projects day to day may not have the expertise to deal with various technologies or operate securely enough to protect their employees and business from the various threats that exist. So, being the responsible individuals they are, the managers hire an IT management consulting firm to support their employees and enable the business to scale to the demands from their clients. But what if that consulting firm isn’t securing the documents created for the construction company? They could easily become victims in the same way a small IT consulting company in the United Kingdom did recently: More than 212,000 files were exposed by a third party, showing not just their firm’s information, but details of their clients, too. What might be the most frightening is the password lists that were found for various clients of their company—in plaintext. Furthermore, we spotted two instances in which the password lists included the passcode to the individual’s cell phone.
Figure 4: Number of files being exposed by Amazon S3 buckets over the past year.
Now let’s get into some of the good news. There’s a lot of data out there, but many brilliant people have been working hard to try to cap the steady outflows. In November 2018 Amazon introduced Amazon S3 Block Public Access, which further locked down the default security controls for Amazon S3 buckets. Amazon S3 users can now easily set global block rules for private files, which is great! Data privacy FTW.
The data Photon gathered suggests this S3 feature has made a noticeable difference in the data exposure landscape. The massive spike seen in Figure 4 occurred just before the Block Public Access implementation, and you can see that since November there has been a significant decrease in the number of publicly accessible S3 buckets. That large, pre-feature spike represents just over 16 million S3 files. And now? The exposure hardly even registers on the same chart. On May 16, 2019 we detected 1,895 open buckets, but this is a far cry from the state that S3 buckets were in just a year or two ago. Nice work, everyone.
Earlier in 2018, Microsoft also took a bold initiative and stopped pre installing SMBv1 in Microsoft Windows 10 and Windows Server. However, it’s hard to tell what the full impact of this has been. For starters, Photon’s data collection includes all versions of SMB, not distinguishing between v1, v2, or v3. Additionally, far too many businesses are still running older versions of Microsoft Windows for various reasons. We’re not blaming any of you—it’s okay to run older operating systems—but this is the kind of update you miss out on when you do that. Kudos to Microsoft for removing SMBv1 from the pre-install list. (Baby steps)
One of the biggest questions we wanted to answer in this follow-up paper was: How has the enactment of the EU’s GDPR affected the data exposure landscape? GDPR enforcement came into effect at the end of May 2018, so we shouldn’t see anything in our data coming from an EU member state, right? At least, nothing sensitive? Of course, GDPR is much more complicated than that; the short answer is that we have seen some progress but are still a long way off.
There has been so, so much discussion about the effects of GDPR on companies and how everyone processes data for EU citizens. Now that we are a year into enforcement, are we seeing less exposure of this data? Unfortunately, we detected 883 million exposed files. Within the United Kingdom, specifically, 43.5 million more files have been exposed in the year since GDPR came into effect, and 262 million more among all of the EU member states. Out of those 28 members, only two experienced a drop in the number of files exposed: Luxembourg and the Netherlands. Why were they the only two? And does this somehow show that regulations and compliance don’t work to combat this issue?
Luxembourgian (yes, that’s how you say it) data exposure has decreased by 28 percent since the GDPR landed, which you can see in Figure 5. There also seems to have been a pretty significant downward trend beginning around late August to mid-September 2018. It’s worth drilling into the details here, to see if there’s any cause for this.
Figure 5: Number of Luxembourg-based files being exposed over time
Two data privacy laws were implemented in Luxembourg on August 1, 2018 and came into effect a few weeks later, on August 20. For this member state of the EU, the laws were designed to bring Luxembourg in line with the GDPR. They repealed the previous data protection law from 2002 and outlined the general data protection framework that the country would operate under. They also established the National Data Protection Commission, outlining that body’s composition and granting it the powers required to align with the GDPR. Now, we’re not saying this has erased Luxembourg’s data exposure, but it does appear to be having an effect. Luxembourgers (also correct) appear to be “straightening their ties”, attempting to come into compliance with the GDPR. Good work.
Figure 6: Number of Netherlands-based files being exposed over time
Post-GDPR enactment, the Netherlands has decreased its exposure by 8 percent, which is a solid effort. Policy makers were ahead of the curve: starting the legislative process for the Dutch GDPR Implementation Act in December 2017; publishing the law on May 22, 2018; and beginning to apply it on May 25, 2018. The data suggests that, at least for this year, the Dutch are trending in the right direction. Right on time!
Let’s look beyond these sole two examples of EU countries with decreased overall exposure, to the other end of the spectrum: France. Of all the EU member states, France has the greatest file exposure (the second greatest worldwide), sitting pretty at over 151.6 million files. In June 2018 France enacted a law that updated a law from 1978, but it didn’t bring the country sufficiently up to speed for GDPR. In December 2018 legislators adopted Order No. 2018-1125, going into effect on June 1, 2019, which is essentially a set of laws and updates relating to data protection that would more firmly align France with the GDPR. We’re not saying that laws or regulations are the end-all, be-all solutions to data exposure; obviously, there’s much more to it than that. However, these three examples do suggest there’s at least some correlation. Here’s hoping that ongoing updates in the GDPR landscape put a patch on at least some of those leaky buckets.
With great data comes great responsibility (to secure it). Accidental data exposure is a problem that won’t just go away. What’s become obvious over the past year, since our first paper on the subject, is that taking action can bring down the body count when it comes to files stored online. From a practical point of view, what can you do? First of all, forget that you turned a blind eye over the last 12 months; to err is human. Below are some ideas that can help reduce some of the data exposure we’ve witnessed and maintain a safe distance away from any newspaper headlines. But remember, also, that behind every great information security plan is a foundation of educated users acting on their best behavior.
To stay up to date with the team’s latest threat intelligence and security research, make sure to subscribe below.