Attack surface management firm Censys has identified hundreds of devices residing within federal networks that have internet-exposed management interfaces.
During an analysis of more than 50 federal civilian executive branch (FCEB) organizations and sub-organizations, Censys discovered more than 13,000 distinct hosts across 100 autonomous systems.
A deep dive into these hosts, which were accessible via IPv4 addresses, revealed hundreds of devices that have management interfaces exposed to the public internet, and which fall within the scope of CISA’s Binding Operational Directive (BOD) 23-02.
Meant to help federal agencies mitigate the risks associated with internet-exposed management interfaces, BOD 23-02 provides guidance on how to secure remotely accessible interfaces, which often fall victim to malicious attacks.
According to CISA, threat actors are targeting specific classes of devices that support network infrastructure in order to evade detection. After compromising these devices, the attackers often gain full access to a network.
“Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet,” CISA’s BOD 23-02 reads.
Devices that Censys searched for include access points, firewalls, routers, VPNs, and other remote server management appliances. The company identified over 250 hosts with exposed interfaces that were running remote protocols such as SSH and Telnet.
“Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances,” Censys says.
Furthermore, the company identified exposed remote access protocols (FTP, SMB, NetBIOS, and SNMP), out-of-band remote server management devices, managed file transfer tools (including MOVEit, GoAnywhere, and SolarWinds Serv-U), HTTP services exposing directory listings, Nessus vulnerability scanning servers, physical Barracuda Email Security Gateway appliances, and more than 150 instances of end-of-life software.
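As an added example, not Censys tooling or text from the directive, the following Python triages constructed scan records for the exposure classes the report lists (management protocols, web admin interfaces, directory listings, end-of-life software) and filters out hosts that are only reachable internally. The `Service` record layout, the protocol set, the admin-UI banner markers and the sample addresses are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Protocols the report names as exposed management/remote-access services.
MANAGEMENT_PROTOCOLS = {"ssh", "telnet", "ftp", "smb", "netbios", "snmp"}
# Banner/title fragments treated as markers of a web management UI (assumed list).
ADMIN_UI_MARKERS = ("asdm", "device manager", "firewall", "router")
# RFC 1918, loopback and link-local count as internal; RFC 5737 sample addresses are external.
INTERNAL_NETWORKS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class Service:
    ip: str
    port: int
    protocol: str              # as labelled by the scanner, e.g. "ssh", "http"
    banner: str = ""           # service banner or HTTP title (constructed)
    end_of_life: bool = False  # scanner's end-of-life verdict, taken as given

def findings(svc: Service) -> list[str]:
    """Return the BOD 23-02-relevant reasons a service is in scope, if any."""
    if any(ip_address(svc.ip) in net for net in INTERNAL_NETWORKS):
        return []  # not reachable from the public internet, so out of scope here
    reasons, proto, text = [], svc.protocol.lower(), svc.banner.lower()
    if proto in MANAGEMENT_PROTOCOLS:
        reasons.append(f"{proto} exposed on port {svc.port}")
    if proto in ("http", "https"):
        if any(marker in text for marker in ADMIN_UI_MARKERS):
            reasons.append("web management interface")
        if "index of" in text:
            reasons.append("directory listing")
    if svc.end_of_life:
        reasons.append("end-of-life software")
    return reasons

def triage(services: list[Service]) -> dict[str, list[str]]:
    """Map each host to its findings, dropping hosts that have none."""
    report: dict[str, list[str]] = {}
    for svc in services:
        for reason in findings(svc):
            report.setdefault(svc.ip, []).append(reason)
    return report
# Constructed sample records; addresses are from the RFC 5737 documentation range.
SAMPLE = [
    Service("198.51.100.10", 22, "ssh"),
    Service("198.51.100.10", 443, "https", "Cisco ASDM"),
    Service("198.51.100.20", 80, "http", "Index of /backups"),
    Service("198.51.100.30", 161, "snmp", end_of_life=True),
    Service("10.0.0.5", 23, "telnet"),  # internal-only, not flagged
]
```

Running `triage(SAMPLE)` groups findings per host, so a single device exposing both SSH and a web admin UI shows up once with both reasons.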
Vulnerabilities in all of these are known to have been targeted by threat actors, often with dire consequences for hundreds of organizations, as was the case with the SolarWinds, GoAnywhere, and MOVEit attacks. Vulnerable Barracuda, Fortinet, SonicWall, and Cisco appliances are also frequent targets of malicious attacks.