Time to audit the configuration of your public facing services?
There are now an eye-watering 2.3 billion files exposed online, owing to the misconfiguration of commonly used file storage technologies. That’s according to digital risk specialist Digital Shadows, and it is a sharp rise on the number it found last year.
Ninety-eight million of those are in the UK, up from 64 million in 2018. The company described some of the misconfigurations as “inexcusable”. The exposed files included “everything” a hacker would need for identity theft: passport scans, financial information, personal medical data such as prescriptions, and worse.
San Francisco-based Digital Shadows used a proprietary file crawler to count the files. The figure represents an increase of over 750 million since it carried out the same study in 2018, an annual increase of over 50 percent.
Nearly half of the files (1.071 billion) were exposed via the Server Message Block (SMB) protocol, a file-sharing protocol first designed in 1983, the company said. Other misconfigured technologies included FTP services (20 percent), rsync (16 percent) and network-attached storage (NAS) devices (3 percent).
The research team noted the SMB figure had nearly doubled year-on-year: “We’re not entirely sure why that’s the case, though there have been some updates that could be potential indicators. In June 2018, Amazon AWS Storage Gateway added SMB support allowing file-based applications which were developed for Microsoft Windows an easy way to store and access objects in Amazon S3.”
“In November 2018, threat intelligence published by Akamai’s threat research stated threat actors were intentionally opening SMB ports 139 and 445 for their malicious purposes. Could either of these reasons be to blame for the uptick?”
Ransomware: Locking Up the Backups?
Alarmingly, given that many of these file stores are used to back up systems, Digital Shadows also detected ransomware-encrypted files: 17,141,587 of them, to be exact.
One variant in particular caught the researchers’ attention: NamPoHyu, a ransomware strain discovered in April 2019 as an update to the MegaLocker variant.
It targets vulnerable Samba servers (Samba being the open-source implementation of the SMB protocol that runs on Unix-based systems and lets them share files with Windows hosts). Digital Shadows found over 2 million files carrying the .nampohyu file extension, beginning around the first week of April 2019.
(Affected? Emsisoft has published a free decryptor.)
Files Exposed Online: New Amazon Feature Sends S3 Bucket Exposure Tumbling
One bright spot: since Amazon introduced a new feature, “Block Public Access”, in November 2018, the overall exposure of S3 buckets has fallen dramatically, the “Too Much Information” report reveals: “From the 16 million files we detected in October 2018 coming from S3 buckets, we are now detecting less than 2,000 files being exposed.”
Harrison Van Riper, an analyst with Digital Shadows’ external risk research team, Photon Research, said: “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant.”
“Countries within the European Union are collectively exposing over one billion files – nearly 50 percent of the total we looked at globally – some 262 million more than when we looked last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”
Help? What Can I Do?
Guidance from Digital Shadows:
Amazon Simple Storage Service (S3) buckets
– Using Amazon S3 Block Public Access to limit public access to buckets that are intended to be private is a simple way to reduce exposure.
– Enable logging through AWS to monitor for any unwanted access or potential exposure points that may have been missed in the initial configuration.
Server Message Block (SMB)
– If possible, disable SMBv1, which Microsoft has deprecated since 2014. This is easier said than done, but readers are urged to consider updating to at least SMBv2 or v3.
– Use IP whitelisting to ensure that only the systems authorised to access those shares are the ones actually accessing them.
– Advice for securing Samba servers is along the same lines as for SMB; more specifics can be found on the Samba website.
– If the NamPoHyu ransomware has encrypted your files, a free decrypter is provided by Emsisoft.
rsync
– Beyond IP whitelists, if rsync is only used internally, block external connections to TCP port 873, the service’s default port.
– If data transferred with the protocol is exposed to the internet (and, really, internally as well), encrypt those communications, for example by running rsync over SSH.
File Transfer Protocol (FTP)
– Replace FTP, which is over 30 years old at this point, with SFTP (the SSH File Transfer Protocol). SFTP runs over the Secure Shell (SSH) protocol, so the authentication exchange is encrypted as well as the file traffic itself.
– Be cognizant of the FTP server’s usage when deciding where to place it within the network. FTP servers are often placed in a separate, publicly reachable network segment, but if public internet access isn’t needed for the files stored there, why take the risk? Place the server behind your internal firewalls instead.
Misconfigured websites (WebIndex)
– This one is fairly straightforward: disable directory listing unless it is explicitly required.
Network-attached storage (NAS)
– As with FTP/SFTP servers, place NAS drives internally behind a firewall and implement access control lists to prevent unwanted access.
– Additionally, require strong authentication (username and password) to gain access to the drive.
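The guidance above is a checklist; turning it into a repeatable audit is the practical step. The script below is an added example written for this article, not code from Digital Shadows or their crawler. It reads nmap “grepable” (-oG) scan output and flags open ports belonging to the protocols in the report (SMB, FTP, rsync, NAS/NFS), detects an auto-generated directory index in an HTTP response body (the WebIndex case), and checks an S3 PublicAccessBlockConfiguration dict of the shape the AWS API returns for get_public_access_block. The scan lines, the HTML, the S3 dicts and the port-to-recommendation mapping are all constructed for the example.

```python
"""Audit helper for the exposure categories in the Digital Shadows report.

Added example for this article, not Digital Shadows' own tooling. The scan
output, HTML and S3 configurations below are constructed sample data; the
port/protocol mapping and advice strings are the editor's assumptions.
"""
import re

# Well-known TCP ports of the protocols the report found exposed (assumed mapping).
EXPOSED_SERVICES = {
    445: ("SMB", "Disable SMBv1, allowlist client IPs, do not expose to the internet"),
    139: ("SMB (NetBIOS)", "Same as SMB; block at the perimeter"),
    21: ("FTP", "Replace with SFTP; move off the public segment if external access is not needed"),
    873: ("rsync", "Block inbound 873 externally; tunnel over SSH if it must cross the internet"),
    2049: ("NFS (NAS)", "Keep NAS behind the firewall; apply ACLs and strong authentication"),
}

# One nmap -oG "Host:" line per scanned host; an optional "Ignored State:" tail follows the ports.
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_grepable(text):
    """Yield (ip, port, state, service) for every port entry in nmap -oG output."""
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." banners and "Status: Up" lines carry no ports
        ip, _hostname, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # entry layout: port/state/proto/owner/service/rpc/version/
            port, state, service = int(fields[0]), fields[1], fields[4]
            yield ip, port, state, service


def audit_scan(text):
    """Return findings [(ip, port, protocol, advice)] for open file-sharing ports."""
    findings = []
    for ip, port, state, _service in parse_grepable(text):
        if state == "open" and port in EXPOSED_SERVICES:
            proto, advice = EXPOSED_SERVICES[port]
            findings.append((ip, port, proto, advice))
    return findings


def directory_listing_enabled(html):
    """True if an HTTP body looks like an auto-generated directory index (Apache/nginx or IIS)."""
    return bool(re.search(r"<title>\s*Index of /", html, re.IGNORECASE)) \
        or "[To Parent Directory]" in html


S3_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def s3_public_access_fully_blocked(config):
    """True only when all four S3 Block Public Access settings are enabled."""
    return all(config.get(k) is True for k in S3_BLOCK_KEYS)


# Constructed sample scan output (documentation addresses, not real hosts).
SAMPLE_SCAN = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 198.51.100.10 ()\tStatus: Up\n"
    "Host: 198.51.100.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///, 873/open/tcp//rsync///\tIgnored State: closed (996)\n"
    "Host: 198.51.100.11 (nas.example)\tPorts: 139/filtered/tcp//netbios-ssn///, "
    "2049/open/tcp//nfs///\tIgnored State: closed (998)\n"
)

# Constructed directory-index page, as served when listing is left enabled.
SAMPLE_INDEX = "<html><head><title>Index of /backups</title></head><body>...</body></html>"

# Weak (partial) versus corrected S3 Block Public Access configuration.
WEAK_S3 = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
HARDENED_S3 = {k: True for k in S3_BLOCK_KEYS}

if __name__ == "__main__":
    for ip, port, proto, advice in audit_scan(SAMPLE_SCAN):
        print(f"{ip}:{port} {proto}: {advice}")
    print("directory listing enabled:", directory_listing_enabled(SAMPLE_INDEX))
    print("weak S3 config fully blocked:", s3_public_access_fully_blocked(WEAK_S3))
    print("hardened S3 config fully blocked:", s3_public_access_fully_blocked(HARDENED_S3))
```

Two design points worth noting. A port-only audit cannot tell SMBv1 from SMBv3 or FTP from FTPS, so a flagged host is a candidate for a dialect or banner check, not a confirmed finding. And the S3 check deliberately requires all four settings: a bucket with only BlockPublicAcls set can still be made public through a bucket policy, which is exactly the gap RestrictPublicBuckets and BlockPublicPolicy close.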
Digital Shadows told Computer Business Review that it identified the number of files exposed online by using a proprietary file crawler “optimised for the protocols used in our research. Making the tools scale for the entire internet and bringing the data together to provide evidence based, primary sourced, data driven findings is where the real challenge lies” a spokesman noted.
“To help us with this we use common dev-ops tools such as Kubernetes and Docker coupled with hosted Postgres, Google Pub/Sub, and the ELK stack.”