Hundreds of devices found violating new CISA federal agency directive

Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive.

An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.

Of these, Censys discovered hundreds allowing access to the management interfaces of various network appliances.

"We discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET," Censys said.

"Over 15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP were also found running on FCEB-related hosts."

Censys also discovered multiple servers hosting MOVEit transfer, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer platforms, known attack vectors in data theft attacks.

Additionally, they identified over ten hosts with exposed directory listings, posing a risk of data leakage, as well as Barracuda Email Security Gateway appliances that were recently targeted in zero-day attacks.

Another 150 instances of servers with end-of-life Microsoft IIS, OpenSSL, and Exim software were also spotted by Censys, significantly increasing the attack surface due to the lack of security updates.

Order to secure Internet-exposed network devices

All Internet-exposed management interfaces found by Censys on the networks of U.S. federal agencies have to be secured according to CISA's Binding Operational Directive 23-02 within 14 days after being identified.

CISA also has announced that it will scan for devices and interfaces that fall within the scope of the directive and will inform the agencies about its findings.

To assist with the remediation process, CISA will also offer technical expertise to federal agencies upon request, ensuring a thorough review of specific devices and providing guidance on implementing robust security measures.

This proactive approach by CISA aims to enhance the overall cybersecurity posture of federal agencies and safeguard critical infrastructure.

In March, the cybersecurity agency also announced that it would warn critical infrastructure organizations of ransomware-vulnerable devices on their network to help them block ransomware attacks as part of a new Ransomware Vulnerability Warning Pilot (RVWP) program.

"These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it's encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems," Censys said.