
5/30/2019
05:10 PM

2.3B Files Currently Exposed via Online Storage

Digital Shadows researchers scanned various online file-sharing services and concluded the number of exposed files is up 50% from March of 2018.

More than 2.3 billion files are exposed across misconfigured online file storage technologies, marking an increase of 750 million files – or a 50% jump – from 1.5 billion in March 2018.

Researchers with Digital Shadows' Photon Research Team thought last year's 1.5B figure alone was "incredible," they say in the aptly named "Too Much Information: The Sequel" report. Files with sensitive and non-sensitive data were found via SMB file shares, misconfigured network-attached storage (NAS) devices, FTP and rsync servers, and Amazon S3 buckets.

The United States exposed the most data (over 326 million files), though France (151 million) and Japan (77 million) each had the highest in their geographies. The United Kingdom exposed 98 million, and countries throughout Europe collectively exposed more than one billion files.

There's "a lot of really good work" being done to try and contain this wealth of compromised information, says Harrison Van Riper, strategy and research analyst at Digital Shadows. "However, the fact is that businesses are continuing to expand their footprint online, beyond their own networks and, more importantly, their own storage devices," Van Riper explains.

"The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well," he adds.

The Server Message Block (SMB) protocol exposed the most data (46%) of all technologies analyzed. That's more than one billion files exposed via SMB file shares, a 547.6 million jump from March 2018. FTP was next-highest at 457.4 million (20%), followed by rsync at 386.7 million (16%), Amazon S3 at 182.1 million (8%), webindex at 163.5 million (7%), and NAS at 65.4 million (3%). FTP-hosted files increased by over 54 million, cancelling out rsync's decline of 53.7 million files.

The researchers aren't entirely sure why SMB-enabled file shares nearly doubled in the past year, though they call the statistic troubling. One potential reason is that in June 2018, Amazon AWS Storage Gateway added SMB support, giving file-based applications built for Microsoft Windows a means to store and access objects in Amazon S3. Another is that in November 2018, Akamai discovered attackers were opening SMB ports 139 and 445 for malicious reasons.

SMB is one of the main ways Windows users can facilitate file shares, Van Riper notes, and Microsoft adoption of the protocol surely drove its popularity. It's not a bad thing, he points out; technology is supposed to simplify the ways we live our lives and conduct business. However, he adds, the Internet has changed what we thought we knew about these systems and how they interact. It's time to rethink new ways to implement old protocols, he says.

"As businesses continue to digitize older systems and [processes], and more and more Windows systems that have SMB installed get spun up, the more chances there are for these exposures to occur knowingly," he explains.

In the report, researchers point out that in early 2018, Microsoft stopped preinstalling SMBv1 in Windows 10 and Windows Server. However, it's hard to confirm the full impact of this as researchers included SMB v1, v2, and v3 in the study.

Amazon S3 bucket misconfigurations, which have inadvertently exposed data for years, may also slow thanks to "Amazon S3 Block Public Access," introduced in Nov. 2018. The move locked down default security controls for S3 buckets so users can set a global block rule for private data.
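To show how that global rule combines with per-bucket settings, the following added example (not from the report or from Amazon) audits Block Public Access configurations offline. It assumes the JSON shape returned by the AWS CLI `get-public-access-block` commands; the bucket names and sample values are constructed.

```python
import json

# The four settings that make up an S3 Block Public Access configuration.
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")

def load_flags(raw):
    """Parse get-public-access-block JSON; None means no configuration is set."""
    if raw is None:
        return dict.fromkeys(FLAGS, False)
    cfg = json.loads(raw).get("PublicAccessBlockConfiguration", {})
    return {f: bool(cfg.get(f, False)) for f in FLAGS}

def effective_flags(account_raw, bucket_raw):
    """S3 applies the most restrictive combination of account and bucket settings."""
    account, bucket = load_flags(account_raw), load_flags(bucket_raw)
    return {f: account[f] or bucket[f] for f in FLAGS}

def audit(account_raw, buckets):
    """Return {bucket: [settings still disabled]} for buckets not fully blocked."""
    findings = {}
    for name, bucket_raw in buckets.items():
        eff = effective_flags(account_raw, bucket_raw)
        missing = [f for f in FLAGS if not eff[f]]
        if missing:
            findings[name] = missing
    return findings

def _cfg(acls, ignore, policy, restrict):
    """Build a constructed sample document in the CLI's output shape."""
    values = dict(zip(FLAGS, (acls, ignore, policy, restrict)))
    return json.dumps({"PublicAccessBlockConfiguration": values})

# Constructed sample data: account-wide rule blocks public ACLs only.
ACCOUNT = _cfg(True, True, False, False)
BUCKETS = {
    "example-backups": _cfg(True, True, True, True),
    "example-legacy-share": None,  # bucket has no configuration of its own
    "example-web-assets": _cfg(False, False, True, False),
}

if __name__ == "__main__":
    for bucket, missing in audit(ACCOUNT, BUCKETS).items():
        print(f"{bucket}: not enforced -> {', '.join(missing)}")
```

A bucket with no configuration of its own still inherits the account-level settings, so only the settings disabled at both levels are reported.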

Ransomware Targets Exposed SMB

The standard advice for companies preparing for ransomware attacks is to back up their files. If they're hit and their files are encrypted, they can use saved data to get back up and running.

But what happens if the same ransomware variant also encrypts backup files? The researchers at Digital Shadows notice this is a growing trend, with more than 17 million ransomware-encrypted files across file stores used for backups. They specifically note NamPoHyu ransomware, an update to the MegaLocker variant that targets Samba servers. Samba is the open-source implementation of the SMB protocol; it runs on Unix systems and allows for file communication to Windows. Since April 2019, more than two million files have been encrypted with the .NamPoHyu extension.

"Obviously, WannaCry is the other big ransomware variant that comes to mind when we think about SMB and we are still seeing new files be encrypted by it," Van Riper says. "The trend has definitely picked up steam with the addition of a new variant in NamPoHyu."

These days, data is not only kept internally, and businesses should protect their information wherever it resides. Oftentimes that means working with third parties to ensure they have a security strategy in place. For example, researchers point to a small IT consulting company in the UK that exposed more than 212,000 files containing company and client information.

When it comes to third parties, Van Riper says businesses should be asking the same questions they ask of their own security teams. Where is data stored? How are we storing it? Is it encrypted? Who has access to it? "These questions shouldn't only be asked internally, as these days data is not only kept internally," he explains.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
