The FBI’s cyber division notified private industry that cyber criminals are targeting File Transfer Protocol (FTP) servers in order to get their hands on protected health information (PHI). FTP is a protocol used to transfer data between network hosts. The servers being targeted are usually configured for anonymous authentication, are associated with medical and dental facilities, and handle PHI and personally identifiable information (PII), the FBI’s notification said. The FBI explained that these criminals are targeting FTP not only to get their hands on PHI, but also to intimidate, harass and blackmail the business owner(s).
The FBI explained that an FTP server set to operate in anonymous mode has been configured to allow anonymous access. A user can therefore authenticate to the server with a common username such as “anonymous” and is not required to submit a password or e-mail address. This can potentially expose sensitive data stored on the server. The FBI cited research conducted in 2015 by the University of Michigan called “FTP: The Forgotten Cloud,” in which researchers found that over 1 million FTP servers were configured to allow anonymous access.
The FBI added that cyber criminals could also use an FTP server that allows not only anonymous access but also “write” access to store malicious tools or launch targeted cyberattacks.
An FTP server configured in either of these ways exposes the business to potential data theft and to compromise by cyber criminals, the FBI said.
The FBI recommends that medical and dental healthcare organizations ask their IT services personnel to check networks for FTP servers running in anonymous mode. If an organization has a legitimate reason for operating FTP servers in anonymous mode (for example, if certain documents need to be made readily available to the public), administrators should ensure sensitive PHI and PII are not stored on that server.
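
One way IT personnel could run the recommended check on a server they administer, as an added example that is not part of the FBI notification: a short Python audit that flags anonymous login and anonymous write access in a configuration file. It assumes the server is vsftpd (the notification names no product) and uses the option names and built-in defaults from vsftpd.conf(5); the sample configurations and function names are constructed for illustration.

```python
# Added example: audit vsftpd.conf text for the two exposures described above.
# Built-in defaults per vsftpd.conf(5); the sample configs below are constructed.
DEFAULTS = {
    "anonymous_enable": "YES",   # anonymous login is ON unless explicitly disabled
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "no_anon_password": "NO",
}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")

def parse_conf(text):
    """Return effective settings: defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return a list of findings for anonymous read and anonymous write exposure."""
    s = parse_conf(text)
    on = lambda k: s.get(k, "NO").upper() == "YES"
    findings = []
    if not on("anonymous_enable"):
        return findings
    findings.append("anonymous login enabled: confirm no PHI/PII under "
                    + s.get("anon_root", "the ftp user's home directory"))
    if on("no_anon_password"):
        findings.append("anonymous login does not prompt for a password")
    granted = [k for k in ANON_WRITE if on(k)]
    if on("write_enable") and granted:  # anonymous writes need both switches
        findings.append("anonymous write access enabled via " + ", ".join(granted))
    return findings

SAMPLE_EXPOSED = """# constructed sample: anonymous_enable is absent, so the default applies
write_enable=YES
anon_upload_enable=YES
anon_root=/srv/ftp/pub
"""
SAMPLE_LOCKED = "anonymous_enable=NO\nlocal_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("exposed", SAMPLE_EXPOSED), ("locked", SAMPLE_LOCKED)):
        print(name, audit(conf) or "no anonymous exposure")
```

The first sample shows why a missing `anonymous_enable` line is not evidence of a safe server: the audit has to apply the daemon's defaults before deciding.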