The Cybersecurity and Infrastructure Security Agency (CISA) said it is working with federal agencies to remove network management tools from the public-facing internet after researchers discovered hundreds were still publicly exposed.
On June 13, CISA issued a directive giving federal civilian agencies two weeks after the discovery of an internet-exposed networked management interface to either remove it from the internet or institute access control measures like zero-trust architecture.
But this week, researchers from security firm Censys said they analyzed the attack surfaces of 50 federal civilian executive branch (FCEB) organizations and sub-organizations, finding “hundreds of publicly exposed devices within the scope outlined in the directive” more than 14 days after it was released.
Hundreds of routers, access points, firewalls, VPNs, and other remote server management technologies from Cisco, Cradlepoint, Fortinet and SonicWall were discovered.
Censys told Recorded Future News that it actively maintains attack surface profiles for several federal agencies and has notified CISA of specific exposures belonging to federal agencies.
“By publishing this research, our objective is to build broader awareness about the risks associated with exposed remote management interfaces, as they are a prime target for threat actors seeking to infiltrate a network,” the researchers said.
When contacted about the findings, CISA officials told The Record that they are supporting agencies to ensure implementation of timely remediation measures under the “binding operational directive,” labeled BOD 23-02, including by leveraging commercial tools for spotting exposed tech.
CISA said it is working closely with agency leadership to ensure adherence to binding operational directives. In its guidance document released two weeks ago, CISA said it plans to scan for interfaces exposed to the internet and notify all agencies of its findings — explaining that the goal of the directive is to “further reduce the attack surface of the federal government networks.”
Dozens of federal civilian agencies expose a variety of the technological tools they use to the internet to make it easier for employees to access them. These products have become a hotbed for hacker activity in recent years due to their ease of discovery and exploitation essentially from anywhere in the world.
Expanded attack surface
Censys officials said that while some tools may be deliberately exposed for various reasons, it is likely that many of them are unintentionally exposed due to misconfigurations, a lack of understanding regarding security best practices, or being connected to forgotten legacy systems.
“Networked management interfaces and remote access protocols (ex: TELNET, SSH) within the scope of [the directive] are typically designed to be accessed securely within private networks,” they said. “When these interfaces are publicly accessible, they needlessly expand an organization’s attack surface and heighten the risk of unauthorized system access.”
Contrast Security’s Tom Kellermann, who previously served as a cybersecurity official within the Obama administration, said products are often exposed to the internet due to “shadow computing” — wherein employees connect things without permission.
Asset inventories, he noted, need to be continuously updated in an automated fashion to mitigate this risk.
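The directive described above gives an agency 14 days from discovery of an exposed management interface to take it offline or put access controls in front of it, and the point made here is that the inventory feeding that process has to be kept current automatically. The script below is an added illustration, not code from CISA, Censys or the directive: it triages a small constructed inventory of exposures against that 14-day window and reports which are open, overdue or resolved. The port-to-protocol map, the agency names and the IP addresses are assumptions made for the example.

```python
"""Triage a constructed inventory of internet-exposed interfaces against the
directive's 14-day remediation window (added example; the port-to-protocol
map below is an illustrative assumption, not text from BOD 23-02)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping of listening ports to management / remote-access protocols
# treated as in scope. Real scope decisions should come from the directive
# text and the agency's own asset data, not from a fixed port list.
IN_SCOPE_PORTS = {
    22: "SSH",
    23: "Telnet",
    161: "SNMP",
    443: "HTTPS management UI",
    8443: "HTTPS management UI (alternate port)",
}

# Two weeks from discovery, as stated in the directive.
REMEDIATION_WINDOW = timedelta(days=14)


@dataclass
class Exposure:
    agency: str
    host: str
    port: int
    discovered: date
    removed_from_internet: bool = False  # interface taken off the public internet
    access_controlled: bool = False      # e.g. placed behind zero-trust access controls


def in_scope(e: Exposure) -> bool:
    """An exposure counts only if the port maps to a management protocol."""
    return e.port in IN_SCOPE_PORTS


def deadline(e: Exposure) -> date:
    """Remediation deadline: discovery date plus the 14-day window."""
    return e.discovered + REMEDIATION_WINDOW


def status(e: Exposure, today: date) -> str:
    """Either remediation path (removal or access control) resolves the item;
    otherwise it is open until the deadline passes and overdue afterwards."""
    if e.removed_from_internet or e.access_controlled:
        return "resolved"
    return "overdue" if today > deadline(e) else "open"


def triage(exposures, today):
    """Return one report row per in-scope exposure, with deadline and status."""
    rows = []
    for e in exposures:
        if not in_scope(e):
            continue
        rows.append({
            "agency": e.agency,
            "host": e.host,
            "port": e.port,
            "protocol": IN_SCOPE_PORTS[e.port],
            "deadline": deadline(e).isoformat(),
            "days_remaining": (deadline(e) - today).days,  # negative when overdue
            "status": status(e, today),
        })
    return rows


def summarize(rows):
    """Count report rows by status for a quick compliance view."""
    counts = {"open": 0, "overdue": 0, "resolved": 0}
    for r in rows:
        counts[r["status"]] += 1
    return counts


# Constructed sample inventory (documentation-range addresses, placeholder agencies).
SAMPLE_EXPOSURES = [
    Exposure("Agency A", "192.0.2.10", 22, date(2023, 6, 13)),
    Exposure("Agency A", "192.0.2.11", 23, date(2023, 6, 13), removed_from_internet=True),
    Exposure("Agency B", "198.51.100.5", 443, date(2023, 6, 20)),
    Exposure("Agency B", "198.51.100.6", 53, date(2023, 6, 20)),  # DNS: not a management interface
]

if __name__ == "__main__":
    today = date(2023, 6, 30)
    report = triage(SAMPLE_EXPOSURES, today)
    for r in report:
        print(f"{r['agency']:9} {r['host']:14} {r['protocol']:38} "
              f"{r['status']:8} deadline {r['deadline']} ({r['days_remaining']:+d} days)")
    print(summarize(report))
```

Run against a fresh export of the asset inventory each day and the "overdue" bucket is exactly the set the directive's notification process would surface; an exposure that the inventory never records can never reach that bucket, which is why the automated, continuously updated inventory matters more than the triage logic itself.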
SafeBreach vice president of security research Tomer Bar added that exposed remote management interfaces are one of the most common avenues for attacks by both nation-state hackers and cybercriminals.
James Cochran, director of endpoint security at Tanium, attributed some of the exposed devices to staffing shortages, which he said can cause overworked IT teams to take shortcuts so they can make the management of the network easier.
He noted that it is encouraging that CISA is pushing this effort because it will shine a light on a problem that “most non-technical leadership personnel at the identified agencies don’t fully understand.”
But he criticized the agency for trying to resolve the issue in such a short timeframe.
“This is not a responsible timeline. Since the problem is so widespread, I would expect there to be significant impacts to the identified agencies,” he said. “This is the same as trying to untangle a bunch of wires by sawing through them, instead of taking the time to trace them individually to limit the amount of downtime.”
CISA Director Jen Easterly echoed that assessment earlier this month, writing that hackers “are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise.”
CISA said several recent hacking campaigns have underscored the “grave risk to the federal enterprise posed by improperly configured network devices” — a tacit reference to the ongoing exploitation of the MOVEit file transfer service.
In its blog this week, Censys noted that despite weeks of headlines about vulnerabilities in products including MOVEit, GoAnywhere and some Barracuda Networks hardware, they found multiple instances of these tools exposed to the internet.
The researchers explained that while the process of removing these products from the internet should be simple, it often requires coordination between the teams that use them, causing friction.
“In other cases, there are technical barriers that pose a challenge to already overburdened teams. Regardless of the situation, even when organizations are aware of their exposures, the task of mitigating them often takes a backseat to the more headline-worthy security threats like zero-day vulnerabilities and ransomware campaigns,” they said.
However, the researchers said, “the majority of the security issues we observe are not typically caused by zero-days or advanced attack techniques, but rather misconfigurations and exposures that often stem from simple errors.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.