Exposed management interfaces remain a problem in the US Federal Government, and CISA wants that problem addressed.
Dealing with exposed management interfaces.
Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces. Researchers at Censys have discovered hundreds of qualifying devices that will need to be secured in order to comply with the directive:
“Censys researchers conducted analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations. Throughout our investigation, we discovered a total of over 13,000 distinct hosts spread across more than 100 autonomous systems associated with these entities. Examining the services running on these hosts, Censys found hundreds of publicly exposed devices within the scope outlined in the directive.”
The researchers add, “In the course of our research, we discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET. Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances.”
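The kind of self-check implied by the Censys findings, enumerating your own address space for management services that answer from the internet, can be reproduced with a small banner-grabbing audit. The script below is an added example, not Censys tooling or anything from the CISA directive: it connects to a host/port list, records what the service says first (SSH and Telnet talk first; HTTP gets a minimal `GET /`), and labels anything reachable as an exposed management interface, using a few illustrative vendor strings (Cisco ASDM, Fortinet, SonicWall, Cradlepoint) drawn from the passage above. The target port map, the regexes and the fake devices it stands up on localhost are all constructed for the demonstration; a real audit would run `audit()` against your own public ranges with the full protocol list from the directive.

```python
import re
import socket
import threading

# Management protocols keyed by the default port an auditor would probe first.
# Assumption: an illustrative subset, not the directive's full protocol list.
DEFAULT_TARGETS = {22: "ssh", 23: "telnet", 80: "http", 8080: "http"}

# Admin web UI fingerprints for vendors named in the Censys findings. These
# regexes are illustrative guesses at page strings, not verified signatures.
ADMIN_UI_PATTERNS = {
    "cisco-asdm": re.compile(rb"ASDM", re.I),
    "fortinet": re.compile(rb"Forti(Gate|Guard)", re.I),
    "sonicwall": re.compile(rb"SonicWall", re.I),
    "cradlepoint": re.compile(rb"Cradlepoint", re.I),
}


def grab_banner(host, port, protocol, timeout=2.0):
    """Return the first bytes a service sends, or None if the port is closed.

    SSH and Telnet servers speak first; HTTP answers only after a request, so a
    minimal GET / is sent for http targets. A silent-but-open port yields b"".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if protocol == "http":
                s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            chunks, total = [], 0
            while total < 4096:
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    break  # service accepted the connection but stopped talking
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:
        return None


def classify(protocol, banner):
    """Turn a banner into a finding. Any reachable management protocol is in
    scope; the detail field only sharpens the label for reporting."""
    if banner is None:
        return None
    finding = {"protocol": protocol, "detail": None, "evidence": banner[:80]}
    if protocol == "ssh" and banner.startswith(b"SSH-"):
        finding["detail"] = banner.split(b"\r\n", 1)[0].decode(errors="replace")
    elif protocol == "telnet" and (banner.startswith(b"\xff") or b"login" in banner.lower()):
        finding["detail"] = "telnet-negotiation"  # IAC options or a login prompt
    elif protocol == "http":
        for name, pattern in ADMIN_UI_PATTERNS.items():
            if pattern.search(banner):
                finding["detail"] = name
                break
    return finding


def audit(host, targets=DEFAULT_TARGETS, timeout=2.0):
    """Probe each port in `targets` ({port: protocol}) and return the findings."""
    findings = []
    for port, protocol in sorted(targets.items()):
        finding = classify(protocol, grab_banner(host, port, protocol, timeout))
        if finding:
            finding["port"] = port
            findings.append(finding)
    return findings


def _serve_once(response, wait_for_request):
    """Constructed stand-in for an exposed device: answer one connection on an
    ephemeral localhost port with `response`, then go away."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)  # consume the GET so the reply mimics a web server
            conn.sendall(response)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Stand up constructed fake services on localhost and audit them."""
    ssh_banner = b"SSH-2.0-Cisco-1.25\r\n"  # constructed sample, not a real device
    telnet_banner = b"\xff\xfd\x18\xff\xfd\x20\r\nUser Access Verification\r\nlogin: "
    asdm_page = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><head><title>Cisco ASDM 7.x</title></head></html>")
    closed = socket.socket()            # a port with nothing listening, to show
    closed.bind(("127.0.0.1", 0))       # that refused connections are skipped
    closed_port = closed.getsockname()[1]
    closed.close()
    targets = {
        _serve_once(ssh_banner, False): "ssh",
        _serve_once(telnet_banner, False): "telnet",
        _serve_once(asdm_page, True): "http",
        closed_port: "ssh",
    }
    return audit("127.0.0.1", targets)


if __name__ == "__main__":
    for f in demo():
        print(f["port"], f["protocol"], f["detail"])
```

Note that `classify()` keeps an open port with an empty banner as a finding: for the directive's purposes a management service that accepts connections from the internet is exposed whether or not it identifies itself.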
Industry comments with measured alarm.
Tomer Bar, VP of Security Research at SafeBreach, commented:
“The discovery of all of these internet exposed devices violating the new CISA directive is alarming. Nation-state and threat actors actively target exposed devices with remote management interfaces because of how easy it is to achieve initial access. Unlike spear-phishing and other client-side attacks, this attack vector does not require any action on the part of the victim, making it much easier to achieve and exploit. It reminds us of the importance of self-checks like scanning and actively enumerating your own network. Moreover, when U.S. federal agencies leave internet-exposed devices unsecured, threat actors can also achieve malicious DDoS attacks, crypto-mining, supply chain attacks, waterhole attacks and many other possibilities.
“The new CISA directive, giving federal civilian agencies two weeks to either remove an internet-exposed device or institute access control methods, is an important but small step. It’s a basic cyber hygiene action that, in reality, should have already been implemented. We strongly recommend federal agencies and any public facing enterprises prioritize enhancing the overall security of their networks and protect sensitive data from unauthorized access and cyber threats. This can be done by implementing a continuous security evaluative process, allowing these agencies and enterprises to verify that their risk posture is low and that all misconfiguration and security holes are fixed before they can be taken advantage of. Stay up to date on any new gaps within your organization and minimize your exposure duration to prevent exploitation.”
Ron Fabela, Field CTO at XONA Systems, noted:
“Before CISA's formation, DHS/NCCIC released binding directives in the past, specifically BOD 16-02, ‘Threat to Network Infrastructure Devices,’ which had network device exposure and vulnerabilities as a top concern for the agency. Any system exposed to the internet is at risk for exploitation, such as the ongoing widespread MoveIT exploitation campaign. However, the exposure of management interfaces for these perimeter devices is exceptionally high risk due to providing ‘keys to the kingdom’ access to the systems designed to restrict access to internal networks. While fewer management interfaces may be exposed to the public internet than before, CISA is taking a solid stance with this binding directive.
“Removing these management interfaces from the internet may cause a degradation in remote management capability for both organizations and their managed service, which could hinder compliance with the 14-day turnaround. The alternative to ‘implement zero trust access control,’ such as MFA, may be a stopgap to compliance while maintaining remote operations but only increases security controls of account access, not addressing vulnerabilities of the exposed remote services. Critical RCE (remote code execution) vulnerabilities affecting these same internet-exposed network devices are a common attack path when phishing and user access options are unsuccessful. For example, the recent MoveIT exploitation campaign would have been improved by implementing zero trust concepts for user access.
“CISA has authority over Federal Civilian Executive Branch Agencies (FCEB). These directives feel like ‘enough is enough’ to start shoring up cyber security. Restricting or removing internet-facing management access seems like a no-brainer, but it was prevalent enough for CISA to require agencies to take action. Reducing the attack surface for your systems, especially critical systems such as network devices and industrial control, is imperative.”