2.3B Files Currently Exposed via Online Storage

Digital Shadows researchers scanned various online file-sharing services and concluded the number of exposed files is up 50% from March of 2018.

Kelly Sheridan, Former Senior Editor, Dark Reading

May 30, 2019

5 Min Read
Dark Reading logo in a gray background | Dark Reading

More than 2.3 billion files are exposed across misconfigured online file storage technologies, marking an increase of 750 million files – or a 50% jump – from 1.5 billion in March 2018.

Researchers with the Digital Shadows' Photon Research Team thought last year's 1.5B figure alone was "incredible," they say in the aptly named "Too Much Information: The Sequel" report. Files with sensitive and insensitive data were found via SMB file shares, misconfigured network-attached storage (NAS) devices, FTP and rsync servers, and Amazon S3 buckets.

The United States exposed the most data (over 326 million files), though France (151 million) and Japan (77 million) each had the highest in their geographies. The United Kingdom exposed 98 million, and countries throughout Europe collectively exposed more than one billion files.

There's "a lot of really good work" being done to try and contain this wealth of compromised information, says Harrison Van Riper, strategy and research analyst at Digital Shadows. "However, the fact is that businesses are continuing to expand their footprint online, beyond their own networks and, more importantly, their own storage devices," Van Riper explains.

"The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well," he adds.

"The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well," he adds.

Server Message Block (SMB) protocol exposed the most data (46%) of all technologies analyzed. That's more than one billion files exposed via SMB file shares, a 547.6 million jump from March 2018. FTP was next-highest at 457.4 million (20%), followed by rsync at 386.7 million (16%), Amazon S3 at 182.1 million (8%), webindex at 163.5 million (7%), and NAS at 65.4 million (3%). FTP-hosted files increased by over 54 million, cancelling out rsync's decline of 53.7 million files.

The researchers aren't entirely sure why SMB-enabled file shares nearly doubled in the past year, though they call the statistic troubling. One potential reason is in June 2018, Amazon AWS Storage Gateway added SMB support, giving file-based applications built for Microsoft Windows a means to store and access objects in Amazon S3. Another is in November 2018, Akamai discovered attackers were opening SMB ports 139 and 445 for malicious reasons.

SMB is one of the main ways Windows users can facilitate file shares, Van Riper notes, and Microsoft adoption of the protocol surely drove its popularity. It's not a bad thing, he points out; technology is supposed to simplify the ways we live our lives and conduct business. However, he adds, the Internet has changed what we thought we knew about these systems and how they interact. It's time to rethink new ways to implement old protocols, he says.

"As businesses continue to digitize older systems and [processes], and more and more Windows systems that have SMB installed get spun up, the more chances there are for these exposures to occur knowingly," he explains.

In the report, researchers point out that in early 2018, Microsoft stopped preinstalling SMBv1 in Windows 10 and Windows Server. However, it's hard to confirm the full impact of this as researchers included SMB v1, v2, and v3 in the study.

Amazon S3 bucket misconfigurations, which have inadvertently exposed data for years, may also slow thanks to "Amazon S3 Block Public Access," introduced in Nov. 2018. The move locked down default security controls for S3 buckets so users can set global block rule for private data.

Ransomware Targets Exposed SMB

The standard advice for companies preparing for ransomware attacks is to back up their files. If they're hit and their files are encrypted, they can use saved data to get back up and running.

But what happens if the same ransomware variant also encrypts backup files? The researchers at Digital Shadows notice this is a growing trend, with more than 17 million ransomware-encrypted files across file stores used for backups. They specifically note NamPoHyu ransomware, an update to the MegaLocker variant that targets Samba servers. Samba is the open-source implementation of the SMB protocol; it runs on Unix systems and allows for file communication to Windows. Since April 2019, more than two million files have been encrypted with the .NamPoHyu extension.

"Obviously, WannaCry is the other big ransomware variant that comes to mind when we think about SMB and we are still seeing new files be encrypted by it," Van Riper says. "The trend has definitely picked up steam with the addition of a new variant in NamPoHyu."

These days, data is not only kept internally and businesses should protect their information wherever it resides. Oftentimes that means working with third parties to ensure they have a security strategy in place: for example, researchers point to a small IT consulting company in the UK that exposed more than 212,000 files containing company and client information.

When it comes to third parties, Van Riper says businesses should be asking the same questions they ask of their own security teams. Where is data stored? How are we storing it? Is it encrypted? Who has access to it? "These questions shouldn't only be asked internally, as these days data is not only kept internally," he explains.

Related Content:

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights