Researchers at Censys have analyzed the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations and discovered more than 13,000 distinct hosts across 100 autonomous systems.
The experts focused on roughly 1,300 of these hosts that were accessible online and discovered hundreds of devices with management interfaces exposed to the public internet.
These devices clearly are not compliant with the BOD 23-02 directive released in June by the US CISA with the objective of mitigating the risks associated with remotely accessible management interfaces.
“The Directive requires federal civilian executive branch (FCEB) agencies to take steps to reduce their attack surface created by insecure or misconfigured management interfaces across certain classes of devices.” states CISA.
Censys specifically looked for publicly accessible remote management interfaces associated with networked devices, including routers, access points, firewalls, VPNs, and other remote server management technologies.
“In the course of our research, we discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET.” reads the analysis published by Censys. “Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances.”
The researchers discovered 15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP that were running on hosts exposed by Federal Civilian Executive Branches (FCEB). These protocols are known to be plagued by multiple security vulnerabilities that can be exploited by threat actors to compromise them and gain remote unauthorized access to government infrastructure.
The report also states that multiple out-of-band remote server management devices such as Lantronix SLC console servers were exposed only despite CISA’s directive stating that “these out-of-band interfaces should never be directly accessible via the public internet.”
The study also revealed that multiple federal civilian executive branch were exposing managed file transfer tools, such as MOVEit transfer, GoAnywhere MFT, VanDyke VShell file transfer, and SolarWinds Serv-U file transfer. These devices are often the targets of attacks from different threat actors.
“Exposed physical Barracuda Email Security Gateway appliances, which recently made headlines after a critical zero day was discovered being actively exploited to steal data” concludes the report. “Over 150 instances of end-of-life software, including Microsoft IIS, OpenSSL, and Exim. End-of-life software is more susceptible to new vulnerabilities and exploits because it no longer receives security updates, making it an easy target.”
According to BOD 23-02, FCEB agencies have to secure the devices within 14 days of identifying one of these devices.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, internet-exposed management interfaces)