CISA works with agencies to remove exposed network tools from the public Internet

The Cybersecurity and Infrastructure Security Agency (CISA) said it is working with federal agencies to remove network management tools from the public internet after researchers found hundreds were still publicly exposed.

On June 13, CISA issued a directive giving federal civilian agencies two weeks after the discovery of an Internet-exposed networked management interface to remove it from the Internet or institute access control measures such as a zero-trust architecture.

But this week, researchers at security firm Censys said they’ve scanned the attack surfaces of 50 federal civilian executive branch (FCEB) organizations and sub-organizations, finding hundreds of publicly exposed devices within the scope outlined in the directive more than 14 days after it was released.

Hundreds of routers, access points, firewalls, VPNs and other remote server management technologies from Cisco, Cradlepoint, Fortinet and SonicWall have been discovered.

Censys told Recorded Future News that it actively maintains attack surface profiles for several federal agencies and has notified CISA of specific exposures belonging to federal agencies.

“By publishing this research, our goal is to create broader awareness of the risks associated with exposed remote management interfaces, as they are a prime target for threat actors seeking to infiltrate a network,” the researchers said.

When contacted about the findings, CISA officials told The Record they are helping agencies ensure timely corrective action is implemented under the binding operational directive, labeled BOD 23-02, including by leveraging commercial tools to identify the exposed technology.

CISA said it is working closely with agency leadership to ensure compliance with binding operational directives. In its guidance document released two weeks ago, CISA said it plans to scan interfaces exposed to the Internet and notify all agencies of its findings, explaining that the aim of the directive is to further reduce the attack surface of networks of the federal government.

Dozens of federal civilian agencies expose to the Internet a variety of tools that they use to make it easier for employees to access their networks. These products have become a hotbed for hacker activity in recent years because they are easy to discover and exploit from essentially anywhere in the world.

Extended attack surface

Censys officials said that while some tools may be deliberately exposed for various reasons, many are likely to be unintentionally exposed due to misconfiguration, lack of understanding of security best practices, or connection to forgotten legacy systems.

“Network management interfaces and remote access protocols (e.g., Telnet, SSH) in the context of [the directive] are typically designed to be accessed securely within private networks,” they said. “When these interfaces are publicly accessible, they unnecessarily expand an organization’s attack surface and increase the risk of unauthorized system access.”

Contrast Security’s Tom Kellermann, who previously served as an information security official in the Obama administration, said that products are often exposed to the Internet because of shadow computing, where employees connect things without permission.

Asset inventories, he noted, must be continually updated in an automated fashion to mitigate this risk.

SafeBreach’s vice president of security research, Tomer Bar, added that exposed remote management interfaces are one of the most common avenues for attacks by both domestic hackers and cybercriminals.

James Cochran, director of endpoint security at Tanium, attributed some of the exposed devices to understaffing, which he says can cause overworked IT teams to cut corners so they can streamline network management.

He noted that it is encouraging that CISA is pushing this effort because it will shed light on an issue that “most non-technical management personnel at the identified agencies do not fully understand.”

But he criticized the agency for trying to fix the problem in such a short time.

“This is not responsible timing. Because the problem is so widespread, I expect there will be significant impacts on the identified agencies,” he said. “It’s like trying to untangle a bunch of wires by sawing through them, instead of spending the time tracking them down individually to limit the amount of downtime.”

CISA Director Jen Easterly echoed that assessment earlier this month, writing that hackers are able to use network devices to gain unlimited access to organizational networks, in turn leading to large-scale compromises.

CISA said several recent hacking campaigns have highlighted the serious risk to the federal enterprise posed by improperly configured network devices, a tacit reference to the ongoing exploitation of the MOVEit file transfer service.

In its blog post this week, Censys noted that despite weeks of headlines about vulnerabilities in products including MOVEit, GoAnywhere and some Barracuda Networks hardware, it has found more instances of these tools exposed to the Internet.

The researchers explained that while the process of removing these products from the Internet should be simple, it often requires coordination between the teams using them, causing friction.

In other cases, there are technical barriers that present a challenge to already overloaded teams. Regardless of the situation, even when organizations are aware of their exposures, the task of mitigating them often takes a back seat to more noteworthy security threats like zero-day vulnerabilities and ransomware campaigns, they said.

“However,” the researchers said, “most of the security problems we observe are typically not caused by zero-days or advanced attack techniques, but rather misconfigurations and exposures that often result from simple mistakes.”

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked around the world as a journalist since 2014. Before returning to New York City, he worked for news organizations in South Africa, Jordan and Cambodia. He previously held cyber security positions at ZDNet and TechRepublic.