2.3 billion files exposed across online file storage technologies
May 30, 2019
2.3 billion is a massive number. It’s hard even to wrap your head around; what do I have 2.3 billion of? Video games? No. Books? No. Dollars? …
Certainly not. What about files coming from various file stores on the internet? Not me, personally, but currently 2.3 billion files are being made publicly available by misconfigured and non-secured technologies used to store this data such as Amazon S3 buckets, Server Message Block (SMB), File Transfer Protocol (FTP) and rsync servers, as well as network-attached storage drives. This is an issue that Digital Shadows’ Photon Research Team initially brought to light in 2018 with our Too Much Information report, which detailed the discovery of 1.5 billion files. Well, one year and one massive data privacy regulation (GDPR) later, we’re back for the sequel: Too Much Information: The Sequel, to be exact.
2.3 billion files distributed across the globe
Photon analyzed across all of the exposed data, determining that the United States still had the highest amount of exposure for any single country, at more than 326 million files. France and Japan lead their regions, with 151 million and 77 million files exposed, respectively.
Also keeping with the trend from last year, the SMB protocol exposed the most data among the technologies we analyzed. FTP and rsync servers claimed 20 percent and 16 percent of the exposure detected, respectively. One good piece of news is that although Amazon S3 bucket exposure for the last year had increased overall, we see a decline in exposure following the release of a new feature called “Block Public Access,” which does exactly what you would think it does. It’s a significant step in the right direction, and we hope people take notice of this.
Health care data, PII, and third-party exposure to boot
Within Too Much Information: The Sequel, we highlight several case studies to give readers examples of the type of information exposed to the open internet, with no protection what-so-ever.
In total, we detected around 4.7 million medical-related files, some seemingly innocuous or at least not overtly sensitive, but others were patient records, doctors’ notes, and medical images like X-ray scans. Health care data is some of the most private that we have, and to expose this information without any protections is shocking.
We detected several instances of personal NAS drives openly storing things like job applications, passport scans, and asset documents, all of which contained sensitive, personally identifiable information for the individuals.
We also have yet another example of third-party exposure, with a small IT consulting firm exposing passwords for their client’s systems in plain text. We all need to be better about securing this data.
Millions of ransomware-encrypted files detected
It would appear threat actors are also attempting to monetize this exposure. Within our data set, Photon detected 2 million files were encrypted by the Samba server-targeting variant “NamPoHyu,” all within the last few months alone. In total, 17 million files had been held hostage by various ransomware variants. The best practice when it comes to ransomware infections is always to keep current backups – a line we’ve heard over and over again. However, what happens if even those files get encrypted by NamPoHyu or some other variant? Securing those backups is also crucial.
We conclude the paper, like all Photon Research reports, with mitigation advice on how to solve these issues, broken down by their technologies. In summary:
- Use Amazon S3 Block Public Access to limit public exposure of buckets which are intended to be private. Enable logging through AWS to monitor for any unwanted access or potential exposure points.
- If possible, block ports 139 and 445 from the internet. IP whitelisting should be used to enable only those systems that are authorized to access those shares, are indeed the only ones accessing those shares. Also, usernames with complex passwords should be utilized.
- If only used internally, block port 837 to disallow any external connections to rsync servers.
- Use SSH File Transfer Protocol (SFTP) as an update to FTP which adds SSH encryption to the protocol.
- As with FTP servers, network attached storage (NAS) drives should be placed internally behind a firewall, and access control lists should be used to prevent unwanted access.