2.3 billion files are currently exposed and accessible through misconfigured network-attached storage (NAS) devices, FTP and rsync servers, and Amazon S3 buckets to anyone on the internet. That’s 750 million more than 12 months ago, and despite Amazon’s largely successful attempts to limit the exposure of its S3 buckets.
“Not all of them are blatantly sensitive, but there is plenty of gold in these mountains,” note researchers from Digital Shadows.
The latest analysis from Digital Shadows’ Photon Research Team shows that the U.S. remains the single largest national culprit with more than 326 million files exposed — although this is dwarfed if the EU is treated as a single bloc (883 million files). The latter figure is particularly interesting. Like many other recent surveys, it shows that GDPR is yet to have a significant overall effect on data protection within Europe — in fact, the EU’s data exposure increased by 262 million files.
Just two countries in the EU have shown an improvement over last year: The Netherlands (down 8%) and Luxembourg (down 28%). The Photon researchers conjecture that this European disparity may have something to do with national data privacy laws coming into alignment with GDPR — it happened in August 2018 in Luxembourg, and the country’s improvement followed soon after. They also point to France, which has the second highest national exposure to the U.S. France, currently with 151.6 million exposed files, is still in the process of aligning national laws, which won’t be complete until June 2019.
This is not confirmed by the UK, however. The UK’s Data Protection Act 2018 — the UK’s implementation of GDPR — came into effect two days before GDPR itself came into force: 23 May 2018. Since then, the UK’s data exposure has increased by 43.5 million files to 98 million.
File exposures primarily occur through the Server Message Block (SMB) protocol, FTP and rsync servers, and to a lesser degree, Amazon S3 buckets. SMB is the worst offender, accounting for 46% of all exposed files; that is, 1.071 billion individual files, showing a 547.6 million file increase over last year. FTP accounts for 20%, and rsync for 16%.
In November 2018, Amazon introduced a new feature called ‘Block Public Access‘. This appears to be working. “From the 16 million files we detected in October 2018 coming from S3 buckets, we are now detecting less than 2,000 files being exposed,” say the researchers.
The SMB figures, however, are particularly worrying — not just because of the volume, but because they are now clearly in the sights of cyber criminals. SMB is commonly used for company backups. Backup is the most recommended solution to ransomware encryption. Criminals are now targeting and encrypting SMB files that may be company backups — presumably with the intent to later target the company itself.
Interfering with backups was an approach notoriously and effectively used by the SamSam ransomware, and now seems to be a methodology adopted by other criminals. It has recently been reported that one particular ransomware, NamPoHyu, has been targeting Samba servers (Samba is an open source implementation of SMB running on Unix servers).
NamPoHyu is an update to the MegaLocker ransomware and was first detected in April 2019. “We couldn’t find any numbers to suggest how widespread this ransomware may have reached,” say the researchers, “so we found some ourselves. Over 2 million files had been encrypted with the .nampohyu file extension, beginning around the first week of April 2019.”
There is now a decryptor for MegaLocker/NamPoHyu developed by Emsisoft and available from the NoMoreRansom project. However, Emsisoft notes that the decryptor requires an original ransom note from the criminals — so it is not at all clear whether these encrypted backups are recoverable.
But the researchers detected more than just NamPoHyu’s 2 million encrypted files. “We detected millions of ransomware-encrypted files across various file stores which are often used to back up systems; 17,141,587 to be exact.” The implication is that more than one ransomware gang is at work here, and that unless something is done now, organizations relying on their backups to thwart ransomware will find themselves with no defense. Backup alone is not enough — it must be secure backup.
While ransomware illustrates a major threat to businesses exposing their files to the internet (along with GDPR and HIPAA sanctions), the primary threat has always been to individuals who have personal data that could be leaked to criminal gangs. There have been many high-profile cases of major database exposures containing large amounts of personal information. However, personal data exposure isn’t limited to large organizations. The researchers found the FTP server of a single Dutch individual.
“The open server,” note the researchers, “had job applications, personal pictures, passport scans, and bank statements for the individual, completely open for the world to see. Even though businesses are often the loudest voices regarding financial crimes and are likely responsible for large amounts of the data exposed currently, this instance highlights the profoundly personal side of the issue. If an attacker wished to gain access to this individual’s bank account, they would have to do minimal social engineering of the individual’s bank, as all the information they would need is entirely accessible, devastating a person or family if they don’t catch the fraud in time or are simply unaware that it’s going on.”
And it’s not just individuals and large organizations who should know better. “A small IT consulting company in the UK exposed over 212,000 files which included not just their company information, but that of their clients as well. Perhaps most egregiously, password lists were found for various clients of the company kept in plain text. Furthermore, we analyzed two instances where the password lists included the password to the individual’s cell phone.” This exposure didn’t merely affect the consultancy itself, but exposed its clients to a supply chain attack.
While there are some hopeful signs — such as Amazon’s improved default security for its S3 buckets, and Microsoft’s release of SMB v3 — file exposure of sensitive information over the internet is increasing. The Photon researchers point out that it is not rocket science to protect files, with things like IP whitelists, strong authentication and the location of servers. But it still isn’t being done as a matter of course. The biggest mystery remains, why isn’t it being done?