The Cybersecurity and Infrastructure Security Agency (CISA) has made a significant discovery regarding government networks. Researchers have found hundreds of devices running on government networks that expose remote management interfaces on the open web. In response, CISA has released Binding Operational Directive (BOD) 23-02 with the goal of eliminating these internet-exposed management interfaces within Federal Civilian Executive Branch (FCEB) agency networks. However, some experts have expressed concerns about the speed at which this change is being implemented.
The release of BOD 23-02 came shortly after CISA’s advisory about Volt Typhoon, the Chinese state-backed advanced persistent threat (APT) that used Fortinet FortiGuard devices in espionage campaigns against US government entities. In an effort to gauge the significance of BOD 23-02, researchers at Censys conducted scans of the internet for devices exposing management interfaces in federal civilian executive branch agencies. These scans revealed nearly 250 qualifying devices, as well as other network vulnerabilities that fell outside the scope of BOD 23-02.
Himaja Motheram, a security researcher for Censys, expressed concerns about the findings, stating, “While this level of exposure probably doesn’t warrant an immediate panic, it’s still worrisome because it could be just the tip of the iceberg. It suggests that there may be deeper and more critical security issues if this kind of basic hygiene isn’t being met.”
Devices qualifying under BOD 23-02 include routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces. These devices must be using network protocols for remote management over the public internet to fall under the directive. Censys researchers discovered hundreds of such devices, including various Cisco devices exposing Adaptive Security Device Manager interfaces, Cradlepoint router interfaces, and popular firewall products from Fortinet and SonicWall. They also found numerous instances of exposed remote access protocols running on FCEB-related hosts.
The search also revealed federal network vulnerabilities beyond the scope of BOD 23-02, such as exposed file transfer tools like GoAnywhere MFT and MOVEit, exposed Barracuda email security gateways, and various instances of defunct software. Motheram highlighted that organizations often underestimate their level of exposure and fail to understand its implications. She emphasized that even amateur threat actors could easily find this unprotected gear, raising concerns about potential security breaches.
Why are so many devices exposed on highly scrutinized government networks? Joe Head, CTO of Intrusion, pointed to several reasons, including convenience, lack of operational security awareness, lack of respect for adversaries, and the use of default or known passwords. James Cochran, director of endpoint security at Tanium, added that staffing shortages could cause overworked IT teams to take shortcuts for easier network management. Furthermore, pitfalls particular to government networks, such as limited oversight and merging or expanding agencies, can contribute to the problem. Cochran stated, “Over time, the overall networks begin to resemble something out of a Mad Max movie, where random things are bolted together and you are not sure why.”
In response to the discovery of these exposed devices, CISA will, under BOD 23-02, begin scanning for qualifying devices and notifying the responsible agencies. These agencies will have 14 days to either disconnect the devices from the web or deploy capabilities, as part of a zero-trust architecture, to enforce access control to the interface. However, some experts believe that the timeline provided by CISA is unreasonable, given the widespread nature of the issue. Cochran argues that this short window could have significant impacts on the identified agencies. Other experts support CISA’s approach, stating that it is necessary to correct a practice that should never have been carried out in the first place.
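As an added illustration of the scope and timeline described above (example code written for this page, not code from CISA, Censys or the article), the following Python triages a constructed scan export against the directive's criteria: device class, remote-management protocol and public-internet reachability. The protocol list, the CSV layout, and the agencies, hosts and notification date are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Scope criteria from the directive as described above. The protocol list is
# an assumption for this example, not CISA's published one.
IN_SCOPE_DEVICE_TYPES = {"router", "switch", "firewall", "vpn_concentrator",
                         "proxy", "load_balancer", "oob_server_management"}
MANAGEMENT_PROTOCOLS = {"ssh", "telnet", "http", "https", "snmp", "rdp", "smb",
                        "ftp", "tftp", "rlogin"}
REMEDIATION_WINDOW = timedelta(days=14)

# Constructed scan export (fictional hosts and agencies; 203.0.113.0/24 is a
# documentation range). internet_facing is the scanner's verdict for the service.
SAMPLE_CSV = """agency,host,device_type,protocol,product,internet_facing
agency-a,203.0.113.10,firewall,https,Cisco ASA ASDM,yes
agency-a,203.0.113.11,router,http,Cradlepoint admin UI,yes
agency-b,10.20.30.40,switch,ssh,core switch,no
agency-b,203.0.113.12,other,https,GoAnywhere MFT,yes
agency-c,203.0.113.13,vpn_concentrator,ssh,FortiGate,yes
"""

def is_internet_facing(row: dict) -> bool:
    return row["internet_facing"].strip().lower() == "yes"

def in_scope(row: dict) -> bool:
    """BOD 23-02 applies to a named device class exposing a management protocol to the internet."""
    return (is_internet_facing(row)
            and row["device_type"] in IN_SCOPE_DEVICE_TYPES
            and row["protocol"].lower() in MANAGEMENT_PROTOCOLS)

def remediation_deadline(notified_on: str) -> str:
    """14 days from notification (ISO date) to disconnect or gate the interface behind zero trust."""
    return (date.fromisoformat(notified_on) + REMEDIATION_WINDOW).isoformat()

def triage(csv_text: str, notified_on: str) -> dict:
    """Per agency: in-scope hosts with deadline, plus other internet-facing services worth review."""
    report: dict = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = report.setdefault(
            row["agency"], {"in_scope": [], "other_exposed": [], "deadline": None})
        if in_scope(row):
            entry["in_scope"].append(row["host"])
            entry["deadline"] = remediation_deadline(notified_on)
        elif is_internet_facing(row):
            # Outside the directive (e.g. file-transfer tools) but still exposed.
            entry["other_exposed"].append(row["product"])
    return report
```

Calling `triage(SAMPLE_CSV, "2024-01-15")` lists the Cisco, Cradlepoint and FortiGate hosts as in scope with a 2024-01-29 deadline, leaves the private-address switch out, and reports GoAnywhere MFT as an exposure outside the directive.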
In conclusion, the discovery of hundreds of devices on government networks exposing remote management interfaces has prompted the release of CISA’s BOD 23-02 directive. While the exact number of exposed devices may only represent the tip of the iceberg, this finding highlights the need for improved security practices within government networks. With the implementation of BOD 23-02, agencies will need to act quickly to secure their systems, although challenges may arise due to bureaucratic processes and operational complexities. The broader industry response to this directive remains divided, with some experts advocating for even stricter measures and tighter timelines, while others express concerns about the feasibility of the provided timeline given the scale of the issue.