Hundreds of Devices Found Violating New CISA Federal Agency Directive
Cyber Security Threat Summary:
“Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies. Of these, more than 1,300 Internet-exposed hosts can be accessed through IPv4 addresses, with hundreds allowing access to management interfaces of various network appliances” (Bleeping Computer, 2023). "We discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET," Censys said. "Over 15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP were also found running on FCEB-related hosts."
Security Officer Comments:
More alarmingly, Censys says they discovered multiple servers hosting MOVEit transfer, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer platforms. These products have recently dealt with serious critical vulnerabilities and active exploitation. Additionally, they identified over ten hosts with exposed directory listings, posing a risk of data leakage, as well as Barracuda Email Security Gateway appliances that were recently targeted in zero-day attacks. Another 150 instances of servers with end-of-life Microsoft IIS, OpenSSL, and Exim software were also spotted by Censys, significantly increasing the attack surface due to the lack of security updates.
The rampant publicly exposed management interfaces discovered by Censys were ordered to be secured according to CISA’s recent Binding Operational Directive 23-02, which gave organizations 14 days to protect these devices. According to CISA, they plan to scan for devices and interfaces that fall into the scope of this recent directive, and will inform agencies should they find shortcomings.
“To assist with the remediation process, CISA will also offer technical expertise to federal agencies upon request, ensuring a thorough review of specific devices and providing guidance on implementing robust security measures. This proactive approach by CISA aims to enhance the overall cybersecurity posture of federal agencies and safeguard critical infrastructure” (Bleeping Computer, 2023).
Suggested Correction(s):
"These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it's encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems," Censys said.
If a device is required to be Internet facing, patching must be done as soon as possible. Threat actors are weaponizing vulnerabilities at an alarmingly quick rate, and will scan for publicly vulnerable devices. Due to the prevalence of zero-day vulnerabilities, having an internet facing device brings with it inherent risks as devices may be attacked before a patch is available, or the threat is known.
Organizations can leverage network isolation techniques to separate devices from more sensitive network components and systems. Organizations should ensure administrators use separate and dedicated accounts for managing and accessing devices. Multi-factor authentication (MFA) is encouraged and should be enforced. Default credentials should also be changed and cycled per your password policies. Organizations should also log devices to proactively detect malicious behavior, as well as have plans in place to investigate and respond to findings.
Link(s):
https://censys.io/
https://www.bleepingcomputer.com/