{"id":52543,"date":"2023-06-28T15:54:56","date_gmt":"2023-06-28T15:54:56","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/34761\/Hundreds-Of-Federal-Network-Devices-Fail-New-CISA-Requirements.html"},"modified":"2023-06-28T15:54:56","modified_gmt":"2023-06-28T15:54:56","slug":"hundreds-of-federal-network-devices-fail-new-cisa-requirements","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/hundreds-of-federal-network-devices-fail-new-cisa-requirements\/","title":{"rendered":"Hundreds Of Federal Network Devices Fail New CISA Requirements"},"content":{"rendered":"
<\/div>\n

U.S. federal agencies are running hundreds of remotely accessible management interfaces that don\u2019t meet recently mandated security requirements, according to Censys researchers.<\/p>\n

The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) 23-02<\/a>  on June 13 requiring all federal civilian executive branch (FCEB) agencies to harden their internet-exposed network edge and remote management devices.<\/p>\n

\u201cRecent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices,\u201d the directive states<\/a>.<\/p>\n

It requires FCEB agencies to remove from the internet all management interfaces using network protocols \u2013 including HTTP\/ HTTPS, FTP, SSH, Telnet, and others \u2013 so they are only accessible from an internal enterprise network.<\/p>\n

Removal must be undertaken within 14 days of the agency identifying a management interface that falls into the category of devices covered by the directive. Agencies also have a fortnight to implement changes if they receive a notification from CISA, which announced in March it was beefing up plans to proactively alert agencies<\/a> of attack surface vulnerabilities.<\/p>\n

Numerous hosts exposing network appliances<\/h2>\n

In a June 26 blog post<\/a>, Censys said its researchers analyzed the attack surfaces of more than 50 organizations and sub-organizations covered by the directive. They found over 13,000 distinct hosts across more than 100 autonomous systems associated with FCEB agencies.<\/p>\n

\u201cExamining the services running on a subset of over 1,300 FCEB hosts accessible via IPv4 address, Censys found hundreds of publicly exposed devices within the scope outlined in the directive,\u201d the post said.<\/p>\n

The researchers found almost 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols, including SSH and Telnet.<\/p>\n

\u201cAmong these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances.\u201d<\/p>\n

More than 15 instances of other exposed remote access protocols including FTP, SMB, NetBIOS, and SNMP were also found running on FCEB-related hosts.<\/p>\n

\u201cThese protocols have a history of security vulnerabilities, and exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure,\u201d the researchers said.<\/p>\n

They also found \u201cmultiple\u201d out-of-band remote server management devices including Lantronix SLC console servers. According to CISA<\/a>, such out-of-band interfaces \u201cshould never be directly accessible via the public internet\u201d.<\/p>\n

Other vulnerabilities discovered<\/h2>\n

The researchers said they discovered \u201cother noteworthy security concerns\u201d which fell outside the scope of the Binding Operational Directive on the hosts they investigated.<\/p>\n

Among the finds were several instances of exposed managed file transfer tools including MOVEit Transfer<\/a> and GoAnywhere MFT<\/a>, both of which have been at the center of recent serious breaches.<\/p>\n

More than 10 hosts were discovered running HTTP services exposing directory listings of file systems, which Censys said was a common source of sensitive data leakage.<\/p>\n

The researchers discovered exposed Nessus vulnerability scanning servers, an attractive target for threat actors because they pinpoint weaknesses in internal networks, providing attackers with useful intelligence and a springboard for future exploitations.<\/p>\n

Censys also found exposed Barracuda Email Security Gateway<\/a> appliances, the target of another recent spate of high-profile and costly attacks.<\/p>\n

Over 150 instances of end-of-life software were discovered, including Microsoft Internet Information Services (IIS), OpenSSL, and Exim. \u201cEnd-of-life software is more susceptible to new vulnerabilities and exploits because it no longer receives security updates, making it an easy target,\u201d the researchers said.<\/p>\n

Censys said while CISA\u2019s directive only applied to FCEB agencies, all organizations should harden the interfaces within their networks, given they were often targeted by threat actors.<\/p>\n

\u201cThese internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it\u2019s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.\u201d<\/p>\n

How widespread is the problem and how hard is the fix?<\/h2>\n

The BOD more specifically will force Federal agencies to adopt a more comprehensive external attack surface management (EASM) strategy. External attack surfaces are a major source of breaches, exposing insecure or misconfigured APIs, IoT devices and under-patched servers to adversaries.<\/p>\n

Rob Gurzeev, CEO and co-founder of attack surface management firm CyCognito<\/a>, points out that the directive will have a far-reaching impact beyond just FCEB agencies. Non-governmental supply chain partners will also be under increased scrutiny for external attack surface weak spots. These third-party risks or subsidiary risks are often the overlooked weakest link in a tightly managed enterprise network<\/a> (PDF).<\/p>\n

\u201cBig companies have tens of thousands of exposed web interfaces today, as every DevOps tool, OpenSource tool, and even hardware assets have web interfaces for management now,\u201d Gurzeev said. \u201cThe shift to the cloud essentially connected millions of \u2018machines\u2019 to the internet – not behind a firewall.\u201d<\/p>\n

Gurzeev said that despite the fact that the bulk of an organization\u2019s network infrastructure is behind a firewall, 80 percent of the network risk is found within the external attack surface, exposed to the public internet. Wors, he said, external surface vulnerabilities can take ten-times longer to detect and mitigate. \u201cAdditionally, dwell time\u2014the period from breach to mitigation\u2014averages three to four months, and can sometimes stretch to six,\u201d he said.<\/p>\n

BOD 23-02: Directive Details<\/h2>\n

The directive mandates agencies regularly scan and report the security readiness of internet-facing devices to CISA. It also requires agencies to fix found issues within 14 days of finding or being notified of them. If a patch isn\u2019t immediately available, then CISA requires agencies to isolate or ban outside access to resources.<\/p>\n

\n