1.5 billion sensitive files exposed due to FTP, SMB, rsync and S3 bucket misconfiguration

Digital Shadows, a UK network security company, recently published a document entitled “Research: Too Much Information Misconfigured FTP, SMB, Rsync, and S3 Buckets Exposing 1.5 Billion Files” research report.

The report pointed out that Digital Shadows has used its dedicated scanning tool, since January 2018, via online exposed Amazon S3 buckets, remote data synchronization tool rsync, network file sharing protocol SMB, file transfer protocol (FTP) server, and misconfigurations A total of 1,550,447,111 easily-available files were detected on the site and the unprotected NAS network storage.

From the perspective of the ownership of these documents, this involves almost all countries and regions in the world. Of these, 537,720,919 exposed documents belong to EU countries, accounting for 36.5% of the total. For a single country, the United States appears to be the country most affected by this problem. A total of 239,607,590 documents were exposed on the Internet, accounting for 16.3% of the total. Followed by Asia-Pacific countries (14.9%), the United Kingdom (3.7%), the Nordic countries (2.6%), and the Middle East countries (2%).

Other data also confirms the seriousness of the problem. When all files were added together, the total file size exceeded 12PB (12,000TB), which was a total of 4,600 times more than the 2.6TB file in the “Panama Papers” leak.

Despite recent years, both security researchers and news media have focused their attention on the wrongly configured Amazon S3 repository. However, the Digital Shadows report pointed out that the number of files exposed by the S3 repository is approximately 102,431,953, which is only about 7% of the total. More exposure documents come from relatively old, but still widely used technologies such as SMB (33%), rsync (28%), and FTP (26%).

The report also pointed out that these exposed documents involve a lot of personal information. The most common are employee payroll and tax returns. Among all exposed documents, 707,960 belong to the former and 64,048 belong to the latter. Not only that, consumers are also exposed to the risk of data leakage, of which 14,687 documents expose consumer contact information, and 4,548 documents are on the patient list.

Digital Shadows revealed in the report that they found a large number of sales terminal data, including transactions, time, location, and even some credit card data, which are completely public. What is even more surprising is that they also discovered 2,205,350 medical record files through an open SMB port, which contains detailed personal health information records for patients.

A large number of intellectual property rights and other corporate confidential data are another major focus of the Digital Shadows report. Digital Shadows believes that the exposure of such files could easily make the company a victim of espionage. In these exposed documents there is no shortage of design documents for the existence of a product, the source code for a certain software, and filings for certain patented technologies.

Digital Shadows revealed that during the scan, they found a patent application filed by a renewable energy company that contained detailed technical details. Undoubtedly, exposure of such a document would cause the company to suffer major losses. In another case, Digital Shadows also discovered an application introduction document that contained the application’s source code.

Digital Shadows stated that some documents were exposed not from the organization itself, but from third-party organizations. When an organization wants to review its system security through security assessments and penetration tests, it usually hire third-party agencies to do the job. When a third-party organization copies and transmits certain important information, document exposure occurs in the middle of the process.

Digital Shadows discovered thousands of security audit files during the scan, including 1,830 files that recorded details of the network infrastructure and 694 penetration test reports. In one example, Digital Shadows discovered a set of security audit files that belong to one of Europe’s leading electronic identification service providers and its customers are banking. These files include in-depth security assessments, source code test results, and vulnerability scan reports that reveal various details of insecure servers.

This is a treasure for potential attackers. These files expose the server’s geographical location and IP address, unpatched software patches, port information, vulnerability numbers, and vulnerability descriptions. This allows attackers to gain the ability to modify data, inject malicious code, and perform man-in-the-middle attacks in a short time.