Attack surface management firm Censys has identified hundreds of devices residing within federal networks that have internet-exposed management interfaces.
During an analysis of more than 50 federal civilian executive branch (FCEB) organizations and sub-organizations, Censys discovered more than 13,000 distinct hosts across 100 autonomous systems.
A deep dive into these hosts, which were accessible via IPv4 addresses, revealed hundreds of devices that have management interfaces exposed to the public internet, and which fall within the scope of CISA’s Binding Operational Directive (BOD) 23-02.
Meant to help federal agencies mitigate the risks associated with internet-exposed management interfaces, BOD 23-02 provides guidance on how to secure remotely accessible interfaces, which often fall victim to malicious attacks.
According to CISA, threat actors are targeting specific classes of devices that support network infrastructures, to evade detections. After compromising these devices, the attackers often gain full access to a network.
“Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet,” CISA’s BOD 23-02 reads.
Devices that Censys searched for include access points, firewalls, routers, VPNs, and other remote server management appliances. The company identified over 250 hosts with exposed interfaces that were running remote protocols such as SSH and Telnet.
“Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances,” Censys says.
Furthermore, the company identified exposed remote access protocols (FTP, SMB, NetBIOS, and SNMP), out-of-band remote server management devices, managed file transfer tools (including MOVEit, GoAnywhere, and SolarWinds Serv-U), HTTP services exposing directory listings, Nessus vulnerability scanning servers, physical Barracuda Email Security Gateway appliances, and more than 150 instances of end-of-life software.
Vulnerabilities in all these are known to have been targeted by threat actors, often with dire consequences for hundreds of organizations, as was the case with the SolarWinds, GoAnywhere, and MOVEit attacks. Vulnerable Barracuda, Fortinet, SonicWall, and Cisco appliances are also frequent targets in malicious attacks.
Related: CISA Instructs Federal Agencies to Secure Internet-Exposed Devices
Related: Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers
Related: 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
