Finding and Securing FTP Sites with Censys
The File Transfer Protocol (FTP) is one of the oldest and most widely used ways of moving files from one computer to another. While FTP sites are useful for some businesses to send and receive files, for example design documents or even customer data, they also quickly become an easy target for adversaries. The primary security problems with FTP are that login credentials and file contents travel in plaintext, so anyone on the network path can read or alter them, and that the protocol itself provides no file integrity check. FTP sites can act as easy gateways for attackers to get into business systems.
In addition to the common misconfiguration issues of FTP sites, the files and data shared through them often add to the security risk. In many organizations, a wide variety of internal departments use FTP sites while working with outside contractors and other third parties without the proper oversight of the internal security and/or IT team. Those teams share many different types of information between the business and the contractors and third parties, with varying degrees of sensitivity: consider an organization working with a contractor that handles human resources data, or a design team sharing confidential product feature information before launch. While the intention is usually innocent enough, those rogue FTP sites must be secured as strongly as any other system within your organization. The first step is locating them.
Attackers use many freely available tools to discover FTP sites on the Internet and then determine which of them can be reached with administrator logins, or with no credentials at all, because of misconfiguration. For the sake of not pointing your adversaries directly at those tools, we'll leave it at that, but the take-home lesson is that you should always be a step ahead: you can use FTP banner grabs to find the sites associated with your organization so you can ensure they're secured with strong authentication and configured correctly.
Our advice is for organizations to strongly consider moving to cloud-hosted services for file-sharing purposes, which have security tools built into them — Box and Dropbox are the typical examples. The cloud-based products offer strong encryption, authorization, ease of configuration and use, and more — all built-in. On top of the security features these tools offer, they also get high praise for being easy for non-technical users (arguably easier than FTP sites).
Real-world attacks linked to FTP servers
In March 2017, the FBI issued a private industry warning to the healthcare industry about active attacks against FTP sites. The warning followed reports of attacks targeting FTP servers in healthcare organizations, in particular servers running in anonymous mode. Unfortunately, despite those warnings, not all organizations allocated the necessary resources and put in place the security measures that would prevent FTP attacks.
Case in point: in May 2018, over a year after the FBI warning, a practice management software vendor named MedEvolve accidentally exposed 205,000 patient records due to a misconfigured FTP server. In this case, the targeted FTP site didn't require any login credentials whatsoever. This raises the question of how an FTP site could be set up at all without requiring an administrator login. One could argue that there should at the very least have been a required default username and password, rather than putting the security onus entirely on the user, but in the end the misconfiguration left MedEvolve with a gaping security hole that attackers exploited.
The company responded as responsibly as it could to the attacks, alerting vendors, customers, and partners, but of course the damage was already done. So, let's at least learn from their experience and ensure we're not in the headlines next, right?
How to use FTP banner grabs to find unknown and/or unsecured business FTP sites
As part of our global IPv4 scans, Censys has been scanning for FTP (TCP port 21) for years and, along with that, we provide banner grab information. As a matter of policy, Censys doesn't attempt any logins, so we don't capture any file listings. For users, this means that you need to rely on the banner text, the host's network information, or any associated web pages to identify interesting FTP servers.
The best way to use FTP banner grabs to find FTP sites associated with your business is to search the 21.ftp.banner index. Here are a few examples looking for some well-known business names in the banner:
From this search, you may choose to filter down by additional tags from the left-hand menu, such as networks and locations. Viewing the map option within the search results lets you quickly determine whether any FTP sites tied to your organization are in areas you wouldn't expect (anywhere you don't have office locations or remote workers). An FTP server that uses your business name but sits somewhere you don't do business should raise a red flag.
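As an added example (not Censys's scanner code, and not code from the original post), here is a small Python banner grabber and parser that mirrors the no-login approach described above: it reads only the server greeting, handles the RFC 959 multi-line reply form (`220-` continuation lines terminated by a `220 ` line), and reports which of your organization's names appear in it. The function names, the hypothetical organization "Acme Example Corp" with domain acme-example.com, and the sample banners are all constructed for illustration.

```python
"""FTP banner grab and greeting parser.

Added example; not Censys's scanner code. The function names, the
hypothetical organization "Acme Example Corp" / acme-example.com and the
sample banners below are all constructed for illustration.
"""
import re
import socket

# RFC 959 reply syntax: "220 text" is a single-line reply; "220-text" opens a
# multi-line reply that ends at the next line beginning with "220 " (code and
# a space). A greeting is complete only once that terminating line arrives.
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ftp_greeting(raw):
    """Parse a raw FTP greeting into {'code', 'lines', 'complete'}.

    'code' is the 3-digit reply code (None if the data is not an FTP reply at
    all, e.g. an HTTP server squatting on port 21), 'lines' holds the text with
    the code prefix stripped, and 'complete' is True once the terminating
    "<code><space>" line has been seen. CRLF and bare LF are both accepted.
    """
    text = raw.decode("utf-8", errors="replace")
    code, lines, complete = None, [], False
    for line in text.splitlines():
        if code is None and not line.strip():
            continue  # tolerate leading blank lines
        m = _REPLY.match(line)
        if code is None:
            if not m:
                return {"code": None, "lines": [line.strip()], "complete": True}
            code = int(m.group(1))
        elif m and m.group(1) != str(code):
            m = None  # a continuation line that merely starts with digits
        if m:
            lines.append(m.group(3).strip())
            if m.group(2) == " ":
                complete = True
                break
        else:
            lines.append(line.strip())
    return {"code": code, "lines": lines, "complete": complete}


def banner_mentions_org(lines, org_terms):
    """Return the org_terms that occur in the greeting text (case-insensitive).

    Lookarounds are used instead of word-boundary anchors so that terms which
    start or end with a non-word character (a domain name, say) still match
    whole tokens, while 'Acme' does not match inside 'Pacme'.
    """
    text = " ".join(lines)
    hits = []
    for term in org_terms:
        pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(term)
    return hits


def grab_ftp_banner(host, port=21, timeout=5.0, max_bytes=4096):
    """Connect to host:port, read only the greeting, and disconnect.

    Nothing is sent (no USER/PASS), so no login is attempted and no listing is
    retrieved. Reading stops once the greeting is complete or the server goes
    quiet. Only point this at hosts you are authorised to test.
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while len(data) < max_bytes:
            try:
                chunk = sock.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            if parse_ftp_greeting(data)["complete"]:
                break
    return data


# Constructed sample greetings (not captured from real servers).
SAMPLE_SINGLE = b"220 ftp.acme-example.com FTP server (vsFTPd 3.0.3) ready.\r\n"
SAMPLE_MULTI = (b"220-Welcome to Acme Example Corp. file exchange\r\n"
                b"220-Unauthorized access is prohibited.\r\n"
                b"220 ProFTPD Server ready.\r\n")
SAMPLE_INCOMPLETE = b"220-Welcome\r\n220-still going\r\n"   # terminator not yet received
SAMPLE_NOT_FTP = b"HTTP/1.1 400 Bad Request\r\n"             # not an FTP reply at all

ORG_TERMS = ["Acme", "acme-example.com"]  # hypothetical organization names

if __name__ == "__main__":
    for raw in (SAMPLE_SINGLE, SAMPLE_MULTI, SAMPLE_INCOMPLETE, SAMPLE_NOT_FTP):
        greeting = parse_ftp_greeting(raw)
        print(greeting, "->", banner_mentions_org(greeting["lines"], ORG_TERMS))
```

A greeting can tell you who appears to own a server, but not whether it accepts anonymous logins, because nothing past the greeting is read; that question is answered on the server side, by checking its configuration, not from the outside.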
What to do if you discover previously unknown FTP sites
If you find unexpected FTP sites with your organization's name in their banners, investigate to determine whether an internal employee or team created the site for a project.
If the FTP site appears to have originated outside your organization, or anything looks suspicious, take a look at the WHOIS information for each search result to determine whether the site was created for legitimate purposes (a third-party group working with someone in your organization, for instance).
Securing your business’ FTP sites
If you discover some FTP sites in the search results that your organization owns, make sure to follow proper security hygiene by:
- Requiring strong login credentials
- Enforcing two-factor authentication
- Managing authentication and authorization credentials as part of your IAM program to ensure employees are offboarded appropriately
- Logging authentication attempts to your standard logging infrastructure
- Restricting who can upload files and who can read them; only authorized internal users should be permitted to upload files for distribution, and files uploaded by one third party shouldn't be accessible to other third parties.
- Isolating FTP sites so that if unauthorized access happens, attackers can't pivot from the FTP site to other areas within the business (notably customer/client data, financial information and payment systems, etc.).
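As an added example (not code from the page or from the vsftpd project), the following Python script checks a vsftpd.conf against the points in the list above that a server configuration can express: no anonymous access, TLS required for logins and data, users confined to their own directory, an explicit allow-list of accounts, and protocol-level logging. The option names are real vsftpd.conf keys; the expected values and the "default when unset" column are this example's own choices and recollection of the vsftpd.conf man page, so confirm them against the version you run. The weak and hardened configurations are constructed samples, and the file paths in them are placeholders.

```python
"""Audit a vsftpd.conf against the hardening points above.

Added example; not code from the page or from the vsftpd project. RULES
encodes this example's expectations; the "default when unset" values are
recalled from the vsftpd.conf man page and should be confirmed for your build.
"""

# (option, expected value, assumed default when the option is absent, rationale)
RULES = [
    ("anonymous_enable", "NO", "YES", "no anonymous logins; every session must present credentials"),
    ("anon_upload_enable", "NO", "NO", "anonymous users must not upload"),
    ("anon_mkdir_write_enable", "NO", "NO", "anonymous users must not create directories"),
    ("ssl_enable", "YES", "NO", "TLS available, so credentials and data need not travel in plaintext"),
    ("force_local_logins_ssl", "YES", "YES", "logins refused unless the control channel is TLS-protected"),
    ("force_local_data_ssl", "YES", "YES", "transfers refused unless the data channel is TLS-protected"),
    ("ssl_sslv3", "NO", "NO", "legacy SSLv3 disabled"),
    ("chroot_local_user", "YES", "NO", "users confined to their home directory (limits pivoting)"),
    ("xferlog_enable", "YES", "NO", "uploads and downloads logged"),
    ("log_ftp_protocol", "YES", "NO", "every command and reply logged, including failed USER/PASS"),
    ("userlist_enable", "YES", "NO", "login restricted to an explicit list of accounts"),
    ("userlist_deny", "NO", "YES", "userlist_file is an allow-list rather than a deny-list"),
]


def parse_vsftpd_conf(text):
    """Parse vsftpd's option=value lines into a dict; '#' lines and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd_conf(text):
    """Return one finding per rule whose effective value differs from the expected one.

    An absent option is evaluated at its assumed default, so a config that
    never mentions anonymous_enable is still flagged for allowing anonymous logins.
    """
    conf = parse_vsftpd_conf(text)
    findings = []
    for option, expected, default, reason in RULES:
        if option in conf:
            actual, effective = conf[option], conf[option]
        else:
            actual, effective = "unset (defaults to %s)" % default, default
        if effective.upper() != expected:
            findings.append({"option": option, "actual": actual,
                             "expected": expected, "reason": reason})
    return findings


# Constructed "before" config: the kind of setup that exposes files to anyone.
WEAK_CONF = """
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed "after" config. Certificate and user-list paths are placeholders.
HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
xferlog_enable=YES
log_ftp_protocol=YES
# fixed passive port range so the firewall can be locked down to it
pasv_min_port=40000
pasv_max_port=40100
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config: %d findings" % (name, len(audit_vsftpd_conf(conf))))
        for f in audit_vsftpd_conf(conf):
            print("  %-24s is %s, expected %s: %s" % (f["option"], f["actual"], f["expected"], f["reason"]))
```

Two-factor authentication and IAM-driven offboarding are not something vsftpd.conf can express, which is part of why the list above ends by pointing at alternatives to plain FTP.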
Ideally, you should also consider alternative file-sharing options that are more secure than traditional FTP sites, including:
- Managed file transfer (MFT) systems
- Web-based software as a service (SaaS) solutions, like Dropbox, Box, etc.
- SSH File Transfer Protocol (SFTP), which runs over SSH and encrypts both credentials and file contents