While it would be difficult to find an IT manager who hasn’t heard in passing of this problem over the years, the scale is still enormous, and not just in the U.S.
John Matherly, who created the Shodan search engine, which polls any responsive internet-connected devices, tweeted this week that Shodan found almost 757,000 FTP servers that allow anonymous access, meaning anyone can connect and poke around in a stash of files.
Shodan allows for very specific searches of internet-connected devices. Matherly posted a search query he crafted to look for systems responding to a specific port number, 21, and the number “230,” which is a status code for a successful anonymous login into an FTP server.
As of March 29, Shodan returns 756,874 results, of which roughly a third are in the U.S. Poland is in the No. 2 spot, with about 98,000 insecure servers, followed by Germany at 52,000, China at 50,000 and South Korea at 27,000.
Fortunately, insecure FTP servers are not as common as five or 10 years ago, says John Nye, vice president of cybersecurity strategies at CynergisTek, a security consultancy owned by Auxilio. “It’s old news really, but it’s still a problem,” Nye says.
Problems in Poland
Matherly’s overview of FTP with several charts reveals other interesting statistics. For example, of the 98,000 insecure FTP servers in Poland, nearly 91,000 were concentrated in the IP range of just one ISP, home.pl.
Just over 30,000 of Germany’s 52,000 insecure servers were within one hosting company, Domain Factory. In the U.S., the network with the most is Unified Layer.
The charts also show the most numerous insecure FTP servers by product type. The top one is Pure-FTPd, followed by Microsoft’s ftpd and ProFTPD.
Pure-FTPd is an open-source project that dates from 2001. It’s designed to be a secure, lightweight FTP server. On its website, the product emphasizes the security protections in place.
“Kiddies are using common brute-forcing tools that are trying to discover hidden directories,” it reads. “Pure-FTPd provides a protection against this. Anonymous access is secure by default.”
It’s unclear why Poland has such a large number of insecure Pure-FTPd installations within just one hosting provider. It raises the question of whether hosting providers are doing Shodan scans of their own IP ranges to spot problems.
That would be the most prudent way to nip issues in the bud since the operators already are customers and presumably easy to contact. But hosting is a business with thin margins, and most customers may be seeking the lowest costs rather than security support.
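The self-audit suggested above, as an added example (not code from Shodan or from any provider named here): it filters constructed scan records down to a provider's own netblocks and flags port-21 hosts whose recorded session contains a 230 login-success reply, rather than merely the text "230". The netblocks, record field names and banners are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Placeholder netblocks (documentation ranges) standing in for a provider's own space.
OWN_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed scan records; the field names are assumptions for this example.
RECORDS = [
    {"ip": "192.0.2.10", "port": 21, "product": "Pure-FTPd",
     "banner": "220---------- Welcome ----------\r\n220 Ready\r\n230 Anonymous user logged in\r\n"},
    {"ip": "192.0.2.11", "port": 21, "product": "ProFTPD",
     "banner": "220 Server ready\r\n530 Login incorrect.\r\n"},
    {"ip": "192.0.2.12", "port": 21, "product": "ProFTPD",
     "banner": "220 FTP ready, build 230\r\n530 Login incorrect.\r\n"},
    {"ip": "198.51.100.7", "port": 21, "product": "Microsoft ftpd",
     "banner": "220 Microsoft FTP Service\r\n230-Welcome\r\n230 User logged in.\r\n"},
    {"ip": "198.51.100.200", "port": 21, "product": "Pure-FTPd",
     "banner": "220 Ready\r\n230 Anonymous user logged in\r\n"},
]

# An FTP reply line starts with a three-digit code followed by a space or a hyphen.
LOGIN_OK = re.compile(r"^230[ -]", re.MULTILINE)

def allows_anonymous(banner):
    """True if the recorded session contains a 230 reply, not just the text '230'."""
    return bool(LOGIN_OK.search(banner))

def audit(records, own_ranges):
    """Return sorted (ip, product) pairs for in-range port-21 hosts accepting anonymous login."""
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    hits = []
    for rec in records:
        addr = ipaddress.ip_address(rec["ip"])
        if rec["port"] != 21 or not any(addr in n for n in nets):
            continue  # not an FTP control port, or not address space we operate
        if allows_anonymous(rec["banner"]):
            hits.append((rec["ip"], rec["product"]))
    return sorted(hits)

def by_product(hits):
    """Count findings per server product, mirroring a per-product breakdown."""
    return Counter(product for _, product in hits)

if __name__ == "__main__":
    findings = audit(RECORDS, OWN_RANGES)
    for ip, product in findings:
        print(f"{ip}\t{product}\tanonymous login accepted")
    print(dict(by_product(findings)))
```

The third record shows why a bare substring match on "230" over-reports: its banner contains the number but the login was refused with 530.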
Nye was formerly chief penetration tester for CynergisTek, which is focused on the healthcare industry. Healthcare remains behind other industries in information security, he says.
“They’re starting to catch up, and they want to catch up,” Nye says. “They’re scrambling, but it’s especially bad because they don’t have the money. They have small IT staffs.”
Nye says he recently encountered a healthcare facility that used a pneumatic tube chute system to whisk around prescription medicines. It ran on a Windows 2000 system. “They had this ancient computer sitting on their network,” he says. “It was the only system they could use to run it.”
The FBI said in its warning that hackers seeking FTP servers were trying to steal healthcare and other personally identifiable information in order to intimidate and harass business owners.
A notable example of that from last year involved someone calling himself The Dark Overlord. He had remarkable success targeting healthcare organizations using Remote Desktop Protocol. Although he claimed to have a zero-day RDP exploit, the more likely reason for his success was either brute-force attacks using harvested credentials or guessing weak passwords (see ‘The Dark Overlord’ Advertises Stolen Source Code).
The FBI also noted open FTP servers are risky because they could be used to store malicious tools or as proxies to launch other attacks. There are also worse scenarios, such as the uploading of objectionable material on purpose.
“The owner of that is liable if they have stolen data or illegal data, or at least they’re going to have to deal with the police and explain what happened,” Nye says. “Having an anonymous FTP I do not believe could count as due diligence.”