Cybersecurity researchers at Censys referred to publicly accessible exposed interfaces as “low-hanging fruit” for cybercriminals, who can use them to easily gain unauthorized access to crucial assets.
Researchers at Censys, an attack surface management company, have discovered hundreds of devices linked to federal networks that have remotely accessible management interfaces. These interfaces allow federal agency networks to be controlled and configured over the public internet.
Shocking Details Emerge about Federal Network Devices
According to a blog post from the Censys Research Team, published on June 26, an examination of the attack surfaces of approximately fifty sub-organizations within the federal civilian executive branch (FCEB) revealed 13,000 different hosts spread across 100 autonomous systems.
Further probing of the services running on a subset of 1,300 FCEB hosts, accessible through IPv4 addresses, uncovered hundreds of devices with publicly accessible management interfaces. These devices fall within the scope of CISA’s BOD 23-02 (Binding Operational Directive).
What is BOD 23-02?
CISA’s BOD 23-02 helps federal agencies eliminate risks associated with remotely accessible management interfaces. It requires federal civilian agencies to remove certain networked management interfaces from the internet and to implement Zero Trust Architecture capabilities that enforce access control to internet-exposed interfaces within fourteen days of discovery.
What are the Dangers of Internet-Exposed Interfaces?
Researchers at Censys referred to publicly accessible interfaces as “low-hanging fruit” for cybercriminals, who can use them to easily gain unauthorized access to crucial assets. CISA notes that threat actors are taking a keen interest in targeting certain classes of devices, especially those supporting network infrastructure, because doing so helps them evade detection.
After compromising these devices, attackers can obtain full access to the network. Misconfigurations, insufficient or outdated security measures, and unpatched software make devices vulnerable to exploitation. If the device management interface is directly connected to, or accessible from, the public internet, a compromise will be far more damaging for the organization.
Which Devices Are Impacted?
Researchers mainly examined VPNs, firewalls, access points, routers, and other remote server management appliances. They found around 250 different web interfaces for hosts exposing network appliances, all using SSH and TELNET remote protocols.
Most of the impacted devices were Cisco network appliances with a publicly accessible Adaptive Security Device Manager interface. The researchers also discovered enterprise Cradlepoint router interfaces revealing wireless network details. Other impacted products include Fortinet FortiGuard, SonicWall, and other popular firewalls.
In addition, researchers observed exposed remote access protocols, including NetBIOS, FTP, SNMP, and SMB; out-of-band remote server management devices such as the Lantronix SLC console server; physical Barracuda Email Security Gateway appliances; Nessus vulnerability scanning servers; HTTP services that exposed directory listings; managed file transfer tools such as GoAnywhere, MOVEit, and SolarWinds Serv-U; and over 150 instances of end-of-life software.
Fifteen of the remote access protocols, which already contain multiple known vulnerabilities exploitable by threat actors, were running on exposed FCEB hosts. The report highlights the need for federal agencies to be more proactive in safeguarding their digital assets and to improve security mechanisms across all systems in order to bring devices into compliance with CISA’s BOD 23-02.