Censys researchers identify over 13,000 FCEB hosts with exposed network appliances

In a recent study, Censys found that over 50 FCEB (federal civilian executive branch) organizations and sub-organizations had nearly 250 instances of web interfaces for hosts that exposed network appliances. The research sheds light on the potential vulnerability of these organizations’ remote management interfaces, which run protocols such as SSH and Telnet.

The data focuses on the internet-facing networked device systems that were also addressed in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) latest binding operational directive, BOD 23-02, released earlier this month.

Censys also discovered additional significant security issues on these hosts beyond the purview of the BOD 23-02. Some of those security issues include exposed managed file transfer tools, hosts running HTTP services that expose directory listings, and exposed Nessus vulnerability scanning servers and physical Barracuda email security gateway appliances.

“Throughout our investigation, we discovered a total of over 13,000 distinct hosts spread across more than 100 autonomous systems associated with these entities,” Censys disclosed in a post this week. “Examining the services running on a subset of over 1,300 FCEB hosts accessible via IPv4 address, Censys found hundreds of publicly exposed devices within the scope outlined in the directive.”

Over 15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP were also found running on FCEB-related hosts. These protocols have a history of security vulnerabilities, and exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure.

Censys said that among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and several firewall solutions including Fortinet Fortiguard and SonicWall appliances.

The Censys disclosure follows the BOD 23-02 that calls upon federal agencies to secure Internet-exposed management interfaces. It requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet and also suggests implementing zero-trust architecture capabilities that enforce access control to the interface within 14 days of discovery. The agency said that it will start scanning federal agencies for vulnerable network devices and further require them to either disconnect these devices from the internet or tighten access controls.
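The protocol list above and the directive’s 14-day remediation window describe a triage problem every agency network team now faces: given a scan inventory, which observations are internet-facing management interfaces, and when is each one due. The following is an added example (not Censys or CISA code) that performs that triage over a constructed inventory. Its scope list is an assumption drawn from the protocol names in this article rather than CISA’s official definition, and it treats RFC 1918, loopback and link-local ranges as not internet-facing; the sample addresses are TEST-NET values, not real hosts.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed scope: management and remote-access protocols the article names.
# The real BOD 23-02 scope is defined by CISA, not by this list.
IN_SCOPE_SERVICES = {"ssh", "telnet", "snmp", "ftp", "smb", "netbios", "rdp", "web-admin"}

# Address ranges treated as not internet-facing (assumption: RFC 1918,
# loopback and link-local); everything else counts as publicly reachable.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]

REMEDIATION_WINDOW = timedelta(days=14)  # the directive's 14-day window


@dataclass(frozen=True)
class Observation:
    host: str         # IP address as a string
    port: int
    service: str      # protocol label assigned by the scanner
    first_seen: date  # date the exposure was first observed


def is_internet_facing(host: str) -> bool:
    """True unless the address falls in one of the assumed non-public ranges."""
    addr = ipaddress.ip_address(host)
    return not any(addr in net for net in NON_PUBLIC_NETS)


def is_in_scope(obs: Observation) -> bool:
    """An observation is in scope when it is public and a management service."""
    return is_internet_facing(obs.host) and obs.service.lower() in IN_SCOPE_SERVICES


def deadline(obs: Observation) -> date:
    """Remediation is due 14 days after the exposure was first seen."""
    return obs.first_seen + REMEDIATION_WINDOW


def triage(observations, today: date):
    """Return in-scope exposures sorted by deadline, each flagged if overdue."""
    findings = []
    for obs in observations:
        if not is_in_scope(obs):
            continue
        due = deadline(obs)
        findings.append({
            "host": obs.host, "port": obs.port, "service": obs.service,
            "deadline": due.isoformat(), "overdue": today > due,
        })
    findings.sort(key=lambda f: (f["deadline"], f["host"], f["port"]))
    return findings


# Constructed sample scan output (TEST-NET addresses, not real hosts).
SAMPLE = [
    Observation("203.0.113.10", 22, "ssh", date(2023, 6, 1)),
    Observation("203.0.113.10", 443, "https", date(2023, 6, 1)),  # public web app, not a management interface
    Observation("10.0.0.5", 23, "telnet", date(2023, 6, 1)),      # internal address, not internet-facing
    Observation("198.51.100.7", 161, "snmp", date(2023, 6, 20)),
    Observation("192.0.2.44", 23, "telnet", date(2023, 5, 20)),
]


def run_sample():
    """Triage the constructed sample as of 2023-06-22."""
    return triage(SAMPLE, date(2023, 6, 22))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The HTTPS service on the first host is deliberately left out of scope: the directive targets management interfaces, not every public web service, and a triage script that flags everything trains teams to ignore it. Feeding real scanner output in would mean mapping the scanner’s own service labels onto the scope set and replacing the range list with the agency’s authoritative address inventory.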

Censys also mentioned multiple out-of-band remote server management devices such as Lantronix SLC console servers. An ‘out of band server management interface’ refers to proprietary interfaces used for remote control of servers that are accessed via a dedicated network connection. CISA does not limit this definition to one specific vendor, and these ‘out of band’ interfaces should never be directly accessible via the public internet. 

Censys also identified additional serious security flaws in other domains, including exposed managed file transfer tools, hosts running HTTP services that exposed directory listings, and exposed Nessus vulnerability scanning servers. The researchers revealed multiple instances of exposed managed file transfer tools, such as MOVEit Transfer, GoAnywhere MFT, VanDyke VShell file transfer, and SolarWinds Serv-U file transfer. Managed file transfer services are often targeted in data theft attacks due to the sensitive nature of the data they handle.

“Over 10 hosts running HTTP services exposing directory listings of file systems, a common source of sensitive data leakage,” the post added.

Censys also found exposed Nessus vulnerability scanning servers, which are designed to pinpoint weaknesses in internal networks and thereby become a target as a source of network intelligence and a springboard for future attacks. “Exposed physical Barracuda Email Security Gateway appliances, which recently made headlines after a critical zero-day was discovered being actively exploited to steal data,” they added.

The researchers further disclosed over 150 instances of end-of-life software, including Microsoft IIS, OpenSSL, and Exim. End-of-life software is more susceptible to new vulnerabilities and exploits because it no longer receives security updates, making it an easy target.

Earlier this month, cybersecurity agencies jointly published a guide to help network administrators and defenders secure remote access software, providing an overview of common exploitations and the associated tactics, techniques, and procedures (TTPs) used by malicious cyber actors. The document also gave IT, OT (operational technology) and ICS (industrial control systems) professionals and organizations recommendations on best practices for using remote capabilities and on how to detect and defend against malicious actors abusing this software.
