5/30/2019
05:10 PM
2.3B Files Currently Exposed via Online Storage

Digital Shadows researchers scanned various online file-sharing services and concluded the number of exposed files is up 50% from March of 2018.

More than 2.3 billion files are exposed across misconfigured online file storage technologies, marking an increase of 750 million files – or a 50% jump – from 1.5 billion in March 2018.

Researchers on Digital Shadows' Photon Research Team thought last year's 1.5B figure alone was "incredible," they say in the aptly named "Too Much Information: The Sequel" report. The files, holding both sensitive and non-sensitive data, were found on SMB file shares, misconfigured network-attached storage (NAS) devices, FTP and rsync servers, and Amazon S3 buckets.

The United States exposed the most data of any single country (over 326 million files), while France (151 million) and Japan (77 million) each topped their own regions. The United Kingdom exposed 98 million, and countries across Europe collectively exposed more than one billion files.

There's "a lot of really good work" being done to try to contain this wealth of exposed information, says Harrison Van Riper, strategy and research analyst at Digital Shadows. "However, the fact is that businesses are continuing to expand their footprint online, beyond their own networks and, more importantly, their own storage devices," Van Riper explains.

"The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well," he adds.

The Server Message Block (SMB) protocol accounted for the most exposed data (46%) of all technologies analyzed: more than one billion files on SMB file shares, a jump of 547.6 million from March 2018. FTP was next-highest at 457.4 million (20%), followed by rsync at 386.7 million (16%), Amazon S3 at 182.1 million (8%), web index at 163.5 million (7%), and NAS at 65.4 million (3%). FTP-hosted files increased by over 54 million, cancelling out rsync's decline of 53.7 million files.

The researchers aren't entirely sure why the number of files on exposed SMB shares nearly doubled in the past year, though they call the statistic troubling. They offer two possible contributors. One is that in June 2018, AWS Storage Gateway added SMB support, giving file-based applications built for Microsoft Windows a way to store and access objects in Amazon S3 (a gateway's SMB share is served by the gateway appliance itself, so it is only Internet-reachable if that appliance is). The other is that in November 2018, Akamai reported attackers were deliberately opening SMB ports 139 and 445 to the Internet for malicious purposes. Neither explanation is confirmed by the data; the report presents them as hypotheses.

SMB is one of the main ways Windows users share files, Van Riper notes, and Microsoft's adoption of the protocol surely drove its popularity. That isn't a bad thing in itself, he points out; technology is supposed to simplify how we live and conduct business. However, he adds, the Internet has changed what we thought we knew about these systems and how they interact, and it's time to rethink how old protocols are deployed.

"As businesses continue to digitize older systems and [processes], and more and more Windows systems that have SMB installed get spun up, the more chances there are for these exposures to occur knowingly," he explains.

In the report, researchers point out that in early 2018, Microsoft stopped preinstalling SMBv1 in Windows 10 and Windows Server. However, because the study counted SMBv1, v2, and v3 shares together, it cannot isolate what effect that change had on the numbers.

Amazon S3 bucket misconfigurations, which have inadvertently exposed data for years, may also become rarer thanks to "Amazon S3 Block Public Access," introduced in Nov. 2018. The feature gives bucket owners and account administrators a single rule (four settings covering public ACLs and public bucket policies) that overrides any permissive setting on an individual bucket, so private data can be kept private account-wide rather than bucket by bucket.
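As an added example (not code from the Digital Shadows report or from AWS), the following Python shows what Block Public Access is defending against and how to turn it on. The two offline helpers reproduce the two conditions S3 treats as "public": an ACL grant to the AllUsers or AuthenticatedUsers group, and a bucket-policy Allow statement whose Principal is the wildcard. The boto3 calls at the bottom use the real `put_public_access_block` operations on the `s3` (bucket-level) and `s3control` (account-level) clients but only run when executed with AWS credentials; the ACL, policy, bucket name and account ID are constructed sample data.

```python
"""Audit an S3 bucket's public exposure and apply Block Public Access.

Added example, not the report's or AWS's own code. The offline helpers
mirror the checks Block Public Access enforces; the boto3 calls are the
real API names but are only exercised when run with credentials.
"""
import json

# Grantee URIs that make an ACL grant "public" in S3's own definition.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four settings of a PublicAccessBlockConfiguration; all True is the
# "block everything" rule described in the article.
BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,        # reject new public ACLs
    "IgnorePublicAcls": True,       # ignore public ACLs already set
    "BlockPublicPolicy": True,      # reject new public bucket policies
    "RestrictPublicBuckets": True,  # cut cross-account access to public-policy buckets
}


def public_acl_grants(acl):
    """Return (group, permission) pairs that an ACL (shaped like the
    get_bucket_acl response) hands to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principal_is_public(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids (or indexes) of Allow statements with a wildcard
    Principal. Simplified on purpose: Condition blocks, which can narrow a
    "*" principal in real policies, are ignored here."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    public = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            public.append(stmt.get("Sid", f"statement[{i}]"))
    return public


def is_fully_blocked(config):
    """True when a PublicAccessBlockConfiguration has all four flags set."""
    return all(config.get(k) is True for k in BLOCK_ALL_PUBLIC_ACCESS)


def block_public_access(bucket, account_id=None):
    """Apply the all-True rule to one bucket and, optionally, the whole
    account. Needs boto3 and AWS credentials; not exercised offline."""
    import boto3  # local import so the offline helpers need no AWS SDK
    boto3.client("s3").put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC_ACCESS)
    if account_id:
        boto3.client("s3control").put_public_access_block(
            AccountId=account_id, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC_ACCESS)


# Constructed sample data standing in for get_bucket_acl / get_bucket_policy output.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))          # [('AllUsers', 'READ')]
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))  # ['PublicRead']
    # block_public_access("example-bucket", account_id="123456789012")  # needs credentials
```

Run the audit helpers against the real `get_bucket_acl` and `get_bucket_policy` responses of each bucket before applying the block: the account-level call is the one that matches the article's "global block rule", and once it is in place a bucket that still needs to be public (a static website, say) has to be moved to another account rather than exempted.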

Ransomware Targets Exposed SMB

The standard advice for companies preparing for ransomware attacks is to back up their files. If they're hit and their files are encrypted, they can use saved data to get back up and running.

But what happens if the same ransomware variant also encrypts the backup files? The researchers at Digital Shadows note this is a growing trend, with more than 17 million ransomware-encrypted files found across file stores used for backups. They specifically call out NamPoHyu ransomware, an update to the MegaLocker variant that targets Samba servers. Samba is the open-source implementation of the SMB protocol; it runs on Unix systems and lets them share files with Windows clients. Since April 2019, more than two million files have been encrypted with the .NamPoHyu extension.

"Obviously, WannaCry is the other big ransomware variant that comes to mind when we think about SMB and we are still seeing new files be encrypted by it," Van Riper says. "The trend has definitely picked up steam with the addition of a new variant in NamPoHyu."

These days, data is not only kept internally, and businesses should protect their information wherever it resides. Often that means working with third parties to ensure they have a security strategy in place: for example, researchers point to a small IT consulting company in the UK that exposed more than 212,000 files containing company and client information.

When it comes to third parties, Van Riper says businesses should be asking the same questions they ask of their own security teams. Where is data stored? How are we storing it? Is it encrypted? Who has access to it? "These questions shouldn't only be asked internally, as these days data is not only kept internally," he explains.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...