Attack surface management company Censys has identified several hundred devices on the networks of US federal agencies whose management interfaces are exposed to the internet.
The company examined more than 50 federal civilian executive branch (FCEB) organizations and sub-organizations and found more than 13,000 unique hosts across 100 autonomous systems.
Further investigation of these hosts, reachable over IPv4, showed hundreds of devices with management interfaces open to the public internet, which fall under the scope of CISA's Binding Operational Directive (BOD) 23-02.
BOD 23-02 is designed to help federal agencies reduce the risk posed by internet-exposed management interfaces: interfaces that are remotely accessible and are a frequent target of malicious actors.
CISA noted that threat actors are targeting the types of devices that underpin network infrastructure, and that compromise of such a device frequently gives the attacker full access to the network behind it.
“Insufficient security, faulty configurations, and obsolete software make these devices more susceptible to exploitation. The risk is even more significant if the device management interfaces are directly connected to, and accessible from, the public-facing internet,” reads CISA's BOD 23-02.
Censys inspected devices such as access points, firewalls, routers, VPN gateways, and other remote server management appliances. It found more than 250 hosts with exposed interfaces running remote management protocols such as SSH and Telnet.
“Among these were several Cisco network devices with open Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces revealing wireless network specifics, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances,” reports Censys.
In addition, the company found exposed network services (FTP, SMB, NetBIOS, and SNMP), out-of-band remote server management interfaces, managed file transfer products (including MOVEit, GoAnywhere, and SolarWinds Serv-U), HTTP services exposing directory listings, Nessus vulnerability scanner servers, physical Barracuda Email Security Gateway appliances, and more than 150 instances of end-of-life software.
Several of these products have been exploited in the wild, often with severe consequences for many organizations, as seen in the SolarWinds, GoAnywhere, and MOVEit attacks. Vulnerable Barracuda, Fortinet, SonicWall, and Cisco appliances are also frequent targets of attacks.
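The finding above is, at bottom, a list of hosts answering on management ports from the public internet. The following is an added example (not Censys's tooling or part of the original article) of the kind of self-check an agency can run from an external vantage point: it probes a set of hosts for the TCP services named in the article (SSH, Telnet, FTP, SMB, NetBIOS, HTTPS admin UIs), grabs the greeting banner where the protocol sends one, and reports each hit. The port-to-service mapping and the `start_fake_service` helper are assumptions made for this example; the helper only exists so the checker can be exercised offline against a loopback listener.

```python
import socket
import threading
from dataclasses import dataclass

# Ports commonly associated with the management protocols named in the article
# and in BOD 23-02. This mapping is an assumption for the example; adjust it to
# the environment being checked. SNMP is UDP and is not reachable by a TCP probe.
MANAGEMENT_PORTS = {
    21: "FTP",
    22: "SSH",
    23: "Telnet",
    139: "NetBIOS",
    161: "SNMP",
    445: "SMB",
    443: "HTTPS (possible admin UI)",
    8443: "HTTPS (possible admin UI)",
}


@dataclass
class Exposure:
    host: str
    port: int
    service: str
    banner: str


def probe_tcp(host: str, port: int, timeout: float = 2.0):
    """Return (is_open, banner). The banner is whatever the service sends in the
    first second after connect; SSH, Telnet and FTP greet first, HTTPS does not."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(1.0)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            return True, data.decode("utf-8", "replace").strip()
    except OSError:
        return False, ""


def find_exposed_management(hosts, ports=MANAGEMENT_PORTS, timeout: float = 2.0):
    """Probe every host on every management port and collect the open ones."""
    found = []
    for host in hosts:
        for port, service in ports.items():
            if service == "SNMP":
                continue  # UDP; needs a proper SNMP GET probe, not covered here
            is_open, banner = probe_tcp(host, port, timeout)
            if is_open:
                found.append(Exposure(host, port, service, banner))
    return found


def start_fake_service(banner: bytes):
    """Hypothetical helper for offline use: a throwaway loopback listener that
    sends `banner` to each client, standing in for an exposed SSH/Telnet daemon.
    Returns (port, server_socket); close the socket to stop it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


if __name__ == "__main__":
    # Constructed demo: a fake SSH daemon on loopback is reported as exposed.
    port, srv = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    for hit in find_exposed_management(["127.0.0.1"], {port: "SSH"}):
        print(f"{hit.host}:{hit.port} {hit.service} banner={hit.banner!r}")
    srv.close()
```

Two caveats a practitioner should keep in mind: the probe must be run from outside the agency's network (a cloud VM or a scanning service), otherwise it only proves internal reachability; and an open 443 or 8443 is not by itself a management interface, so HTTPS hits need a follow-up look at the served page or certificate before they are counted as BOD 23-02 findings.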
Related: CISA Directs Federal Agencies to Fortify Internet-Exposed Devices
Related: Vital ConnectWise Vulnerability Impacts Thousands of Internet-Exposed Servers
Related: About 30k Internet-Exposed QNAP NAS Devices Suffer from Recent Vulnerability