
Censys discloses numerous vulnerable devices in federal organizations


Threat intelligence software vendor Censys recently conducted research that revealed hundreds of exposed devices on federal civilian executive branch organization networks. The findings are particularly concerning in light of CISA’s Binding Operational Directive (BOD) 23-02, which aims to reduce the attack surface created by insecure or misconfigured management interfaces on certain devices within these agencies.

The research conducted by Censys involved analyzing over 50 federal civilian executive branch (FCEB) organizations and suborganizations, encompassing more than 13,000 distinct hosts spread across over 100 autonomous systems associated with these entities. Additionally, over 1,300 FCEB hosts accessible via IPv4 addresses were examined.

During this analysis, researchers discovered hundreds of publicly exposed devices within the scope outlined in BOD 23-02. These included exposed instances of managed file transfer products with major known vulnerabilities that have already been exploited, such as Progress Software’s MOVEit Transfer and Fortra’s GoAnywhere MFT.

Furthermore, Censys researchers uncovered exposed physical appliances, including Barracuda Networks’ Email Security Gateway (ESG). Threat actors exploited a critical zero-day flaw in the ESG that was disclosed last month, prompting Barracuda to advise vulnerable customers to replace their devices immediately.

It is worth noting that the post published by Censys did not provide details on whether the vulnerabilities in Barracuda ESG or MOVEit instances had been patched. When asked about the issue, Censys security researcher Himaja Motheram explained that patch details are not always visible to Censys’ passive scanners. However, she did mention that there has been a decrease in exposures for these vulnerabilities overall, which is an encouraging development.

Nevertheless, the presence of devices like Barracuda ESG and MOVEit within FCEB networks is cause for concern, especially considering the numerous data breaches suffered by government and industry organizations related to MOVEit. Motheram emphasized the importance of taking prompt action in response to these findings and implementing basic security measures, such as restricting access from the public internet and using strong passwords and other authentication mechanisms.

In addition to the aforementioned devices, Censys also identified exposed Adaptive Security Device Manager interfaces for Cisco devices, Nessus vulnerability scanning servers, more than 150 instances of end-of-life software, and over 10 hosts running HTTP services that exposed directory listings of file systems, which can lead to sensitive data leakage.

While some of these exposures may be intentional, Motheram believes that most of them are likely the result of misconfigured settings or a lack of risk awareness. The findings do not warrant immediate panic, but they do highlight a broader culture of inadequate security practices. Motheram expressed concerns that these exposures are just the tip of the iceberg and could indicate the presence of deeper and potentially more critical security issues. If any of these exposed devices have weaknesses like default login credentials or ties to known exploited vulnerabilities, they pose a serious threat.

The research conducted by Censys serves as a reminder of the importance of ensuring robust cybersecurity measures within federal organizations. With the increasing sophistication of cyber threats, it is crucial for these agencies to prioritize the implementation of strong security practices to protect sensitive data and mitigate the risks associated with exposed devices.
