Cybercriminals Target Healthcare Anonymous FTP Servers, Says FBI

The Federal Bureau of Investigation (FBI) has warned the healthcare industry that cybercriminals are actively scoping FTP servers that allow for “anonymous” remote connection, to steal protected health information (PHI) and personally identifiable information (PII).

The FBI says it is aware of such attacks specifically involving medical and dental facilities, and that cybercriminals will intimidate, harass and blackmail once such information is accessed.

“The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as “anonymous” or “ftp” without submitting a password or by submitting a generic password or e-mail address,” reads the FBI warning. “While computer security researchers are actively seeking FTP servers in anonymous mode to conduct legitimate research, other individuals are making connections to these servers to compromise PHI and PII for the purposes of intimidating, harassing, and blackmailing business owners.”

While this is not a new problem, poorly configured FTP servers that allow for remote “anonymous” connects could cause businesses to inadvertently leak private and sensitive data online. Even more troubling is that attackers could use legitimate healthcare FTP servers to store malicious tools or engage in illicit online activities.

In this scenario, attackers would have to gain “write” access to those FTP servers by leveraging various misconfigurations. It”s unclear how many medical or dental facilities have been targeted and investigated by the FBI, but the warning does seem to imply that this should be a concern for all healthcare institutions.

“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode,” according to the same FBI warning. “If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server.”

Worth noting is that the same warning is applicable to companies and organizations in any sector that allow remote “anonymous” connections to their FTP server, without properly vetting the information that is publicly accessible.