CISA Order Highlights Ongoing Risk at Network Edge – Krebs on Security

The U.S. government agency in charge of cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA), has issued a directive for all federal agencies to take additional measures to restrict access to Internet-exposed networking equipment. This move comes in response to a wave of attacks targeting previously unknown vulnerabilities in widely used security and networking appliances.

Under the new order, federal agencies will have 14 days to respond to any reports from CISA about misconfigured or Internet-exposed networking equipment. The directive applies to devices such as firewalls, routers, and load balancers that allow remote authentication or administration. Federal departments are required to limit access so that only authorized users on an agency’s local or internal network can reach the management interfaces of these devices.

This directive from CISA comes after a series of incidents where attackers exploited zero-day flaws in popular networking products to launch ransomware and cyber espionage attacks. One recent incident involved Chinese cyber spies exploiting a zero-day vulnerability in email security gateway (ESG) appliances sold by Barracuda Networks. The hackers were able to access and obtain email communications from organizations using these devices. Barracuda Networks responded by offering to replace compromised ESGs, as the malware had altered the systems in a way that prevented remote software updates.

Another ongoing exploitation involves a zero-day flaw in virtual private networking (VPN) products made by Fortinet. These devices are used by many organizations to enable remote network access for employees. Fortinet released security updates to address the vulnerability, which allowed attackers to run malware on any Fortinet SSL VPN appliance. The company confirmed that the vulnerability is actively being exploited. Shodan.io, a search engine for Internet of Things devices, reports that over half a million vulnerable Fortinet devices are reachable via the public Internet.

To address these vulnerabilities, CISA’s directive orders agencies to remove any networking device management interfaces from the internet and allow access only from internal enterprise networks. The directive also recommends deploying capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself.
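The following is an added example, not code from the article or from CISA: it audits a constructed inventory of device management listeners against the directive's two requirements, that the interface not be reachable from outside the internal network and that a separate enforcement point (here modelled as a source ACL) narrow who may connect. The inventory fields and the RFC 1918 internal ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: the agency's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class MgmtListener:
    """One management service on a firewall, router, VPN or load balancer."""
    device: str
    address: str                 # address the admin service is bound to
    port: int                    # e.g. 443 for a web admin UI, 22 for SSH
    allowed_sources: list = field(default_factory=list)  # ACL prefixes; empty = any


def inside_internal(net) -> bool:
    """True if every address in `net` lies within a configured internal range."""
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def assess(listener: MgmtListener) -> dict:
    """Classify a listener as 'exposed' or 'restricted' with the reasons."""
    addr = ipaddress.ip_address(listener.address)
    bind_net = ipaddress.ip_network(listener.address)   # host /32 or /128
    findings = []
    # Requirement 1: the service must not answer on a non-internal address.
    external_bind = not addr.is_loopback and not inside_internal(bind_net)
    if external_bind:
        findings.append(f"bound to non-internal address {addr}")
    # Requirement 2: a policy enforcement point must limit sources to internal ones.
    if not listener.allowed_sources:
        findings.append("no source restriction on management access")
    for src in listener.allowed_sources:
        if not inside_internal(ipaddress.ip_network(src, strict=False)):
            findings.append(f"ACL permits non-internal source {src}")
    wide_acl = len(findings) > (1 if external_bind else 0)
    # Exposed only when the address is reachable from outside AND nothing narrows who may connect.
    status = "exposed" if external_bind and wide_acl else "restricted"
    return {"device": listener.device, "port": listener.port,
            "status": status, "findings": findings}


def exposed_devices(inventory) -> list:
    """Names of devices an agency would have 14 days to remediate."""
    return [r["device"] for r in map(assess, inventory) if r["status"] == "exposed"]


# Constructed sample inventory; 203.0.113.0/24 stands in for a public prefix.
SAMPLE_INVENTORY = [
    MgmtListener("fw-edge-1", "203.0.113.10", 443),                    # open to the world
    MgmtListener("vpn-1", "203.0.113.20", 443, ["10.0.0.0/8"]),        # gated by an ACL
    MgmtListener("lb-core", "10.20.0.5", 8443),                        # internal only
]
```

Running `exposed_devices(SAMPLE_INVENTORY)` flags only `fw-edge-1`; the VPN survives because its enforcement point admits internal sources only, which is the Zero Trust pattern the directive describes.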

Security experts emphasize that the increasing risks posed by cyberspies and ransomware groups make it imperative for organizations to avoid exposing devices to the public Internet. Ransomware groups, in particular, frequently exploit zero-day flaws in popular file-transfer protocol (FTP) applications. They use these vulnerabilities to extort money from victims, as seen in the case of Cl0p, a ransomware gang that exploited a zero-day vulnerability in GoAnywhere FTP appliances by Fortra.

While organizations are advised to avoid using FTP appliances, mid-tier networking devices like Barracuda ESGs and Fortinet SSL VPNs pose a challenge due to their prominence in small to mid-sized organizations. Experts acknowledge that it is not feasible for enterprises to turn off VPNs, highlighting the need for better solutions and security-hardened remote access tools.

The COVID-19 pandemic has exacerbated the reliance on outdated networking appliances, which were not designed with current threat models in mind. As organizations scrambled to enable remote work, the availability of newer, more secure options was limited. This has extended the life of companies like Fortinet and Barracuda, but it also highlights the urgent need for more resilient and secure technologies.

In response to these challenges, the directive from CISA aims to improve the cybersecurity posture of federal agencies by emphasizing the need to restrict access to Internet-exposed networking equipment. However, addressing the broader issue of vulnerable networking devices will require industry-wide efforts to develop and deploy more secure and resilient solutions.
