Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/30/2019
05:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

2.3B Files Currently Exposed via Online Storage

Digital Shadows researchers scanned various online file-sharing services and concluded the number of exposed files is up 50% from March of 2018.

More than 2.3 billion files are exposed across misconfigured online file storage technologies, marking an increase of 750 million files – or a 50% jump – from 1.5 billion in March 2018.

Researchers with the Digital Shadows' Photon Research Team thought last year's 1.5B figure alone was "incredible," they say in the aptly named "Too Much Information: The Sequel" report. Files with sensitive and insensitive data were found via SMB file shares, misconfigured network-attached storage (NAS) devices, FTP and rsync servers, and Amazon S3 buckets.

The United States exposed the most data (over 326 million files), though France (151 million) and Japan (77 million) each had the highest in their geographies. The United Kingdom exposed 98 million, and countries throughout Europe collectively exposed more than one billion files.

There's "a lot of really good work" being done to try and contain this wealth of compromised information, says Harrison Van Riper, strategy and research analyst at Digital Shadows. "However, the fact is that businesses are continuing to expand their footprint online, beyond their own networks and, more importantly, their own storage devices," Van Riper explains.

"The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well," he adds.

"The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well," he adds.

Server Message Block (SMB) protocol exposed the most data (46%) of all technologies analyzed. That's more than one billion files exposed via SMB file shares, a 547.6 million jump from March 2018. FTP was next-highest at 457.4 million (20%), followed by rsync at 386.7 million (16%), Amazon S3 at 182.1 million (8%), webindex at 163.5 million (7%), and NAS at 65.4 million (3%). FTP-hosted files increased by over 54 million, cancelling out rsync's decline of 53.7 million files.

The researchers aren't entirely sure why SMB-enabled file shares nearly doubled in the past year, though they call the statistic troubling. One potential reason is in June 2018, Amazon AWS Storage Gateway added SMB support, giving file-based applications built for Microsoft Windows a means to store and access objects in Amazon S3. Another is in November 2018, Akamai discovered attackers were opening SMB ports 139 and 445 for malicious reasons.

SMB is one of the main ways Windows users can facilitate file shares, Van Riper notes, and Microsoft adoption of the protocol surely drove its popularity. It's not a bad thing, he points out; technology is supposed to simplify the ways we live our lives and conduct business. However, he adds, the Internet has changed what we thought we knew about these systems and how they interact. It's time to rethink new ways to implement old protocols, he says.

"As businesses continue to digitize older systems and [processes], and more and more Windows systems that have SMB installed get spun up, the more chances there are for these exposures to occur knowingly," he explains.

In the report, researchers point out that in early 2018, Microsoft stopped preinstalling SMBv1 in Windows 10 and Windows Server. However, it's hard to confirm the full impact of this as researchers included SMB v1, v2, and v3 in the study.

Amazon S3 bucket misconfigurations, which have inadvertently exposed data for years, may also slow thanks to "Amazon S3 Block Public Access," introduced in Nov. 2018. The move locked down default security controls for S3 buckets so users can set global block rule for private data.

Ransomware Targets Exposed SMB

The standard advice for companies preparing for ransomware attacks is to back up their files. If they're hit and their files are encrypted, they can use saved data to get back up and running.

But what happens if the same ransomware variant also encrypts backup files? The researchers at Digital Shadows notice this is a growing trend, with more than 17 million ransomware-encrypted files across file stores used for backups. They specifically note NamPoHyu ransomware, an update to the MegaLocker variant that targets Samba servers. Samba is the open-source implementation of the SMB protocol; it runs on Unix systems and allows for file communication to Windows. Since April 2019, more than two million files have been encrypted with the .NamPoHyu extension.

"Obviously, WannaCry is the other big ransomware variant that comes to mind when we think about SMB and we are still seeing new files be encrypted by it," Van Riper says. "The trend has definitely picked up steam with the addition of a new variant in NamPoHyu."

These days, data is not only kept internally and businesses should protect their information wherever it resides. Oftentimes that means working with third parties to ensure they have a security strategy in place: for example, researchers point to a small IT consulting company in the UK that exposed more than 212,000 files containing company and client information.

When it comes to third parties, Van Riper says businesses should be asking the same questions they ask of their own security teams. Where is data stored? How are we storing it? Is it encrypted? Who has access to it? "These questions shouldn't only be asked internally, as these days data is not only kept internally," he explains.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
A Lawyer's Guide to Cyber Insurance: 4 Basic Tips
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  7/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13360
PUBLISHED: 2019-07-16
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.
CVE-2019-13383
PUBLISHED: 2019-07-16
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, the Login process allows attackers to check whether a username is valid by reading the HTTP response.
CVE-2019-13603
PUBLISHED: 2019-07-16
An issue was discovered in the HID Global DigitalPersona (formerly Crossmatch) U.are.U 4500 Fingerprint Reader Windows Biometric Framework driver 5.0.0.5. It has a statically coded initialization vector to encrypt a user's fingerprint image, resulting in weak encryption of that. This, in combination...
CVE-2019-13605
PUBLISHED: 2019-07-16
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.838 to 0.9.8.846, remote attackers can bypass authentication in the login process by leveraging the knowledge of a valid username. The attacker must defeat an encoding that is not equivalent to base64, and thus this is different from CVE-2019-1...
CVE-2019-13615
PUBLISHED: 2019-07-16
VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.