The US Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to completely remove default passwords from systems exposed to the internet, citing serious risks that malicious actors could exploit to gain initial access to, and then move laterally within, organizations.
In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical US infrastructure systems.
Default passwords refer to the factory-default software configurations of embedded systems, devices, and appliances; they are generally publicly documented and identical for every system in a vendor’s product line.
As a result, threat actors can scan internet-exposed endpoints using tools like Shodan and attempt to breach them with default passwords, often gaining root or administrative privileges and then taking post-exploitation actions that depend on the type of system.
“Appliances that are preset with a combination of username and password pose a serious threat to organizations that do not change them after installation, as they are an easy target for an adversary,” MITRE notes.
Earlier this month, CISA revealed that IRGC-linked cyber actors using the persona Cyber Av3ngers actively targeted and compromised Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that were publicly exposed to the internet, by using the default password (“1111”).
“In these attacks, the default password is widely known and communicated in open forums where threat actors are known to mine intelligence for use in breaching US systems,” the agency added.
As mitigation measures, manufacturers are encouraged to follow secure-by-design principles and provide unique setup passwords with each product, or alternatively to disable such passwords after a preset period of time and require users to enable phishing-resistant multi-factor authentication (MFA) methods.
The agency further advises vendors to conduct field tests to determine how their customers deploy products within their environments and whether those deployments involve the use of any insecure mechanisms.
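As an added illustration of the secure-by-design recommendation above (example code, not from CISA or any vendor), here is a Python model of a per-unit setup password that stops working after a preset window or as soon as the owner sets their own credential; the class name, the 72-hour window and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

SETUP_WINDOW_SECONDS = 72 * 3600  # assumed preset window; a vendor would tune it
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Credential state of one appliance; only salted password hashes are kept."""

    def __init__(self, manufactured_at: float):
        self.manufactured_at = manufactured_at
        # Unique per unit, generated at manufacture and printed on the label
        # (kept as an attribute here only to stand in for that label). There is
        # no shared, publicly documented default such as "1111".
        self.setup_password = secrets.token_urlsafe(12)
        self._setup_salt = secrets.token_bytes(16)
        self._setup_hash = _hash(self.setup_password, self._setup_salt)
        self._user_salt = b""
        self._user_hash = b""

    def setup_window_open(self, now: float) -> bool:
        # The setup credential dies at the earlier of: the owner set a password,
        # or the preset window elapsed (recovery then needs physical access,
        # which this model does not cover).
        return not self._user_hash and now - self.manufactured_at < SETUP_WINDOW_SECONDS

    def authenticate(self, password: str, now: float) -> str:
        """Return 'user', 'setup' (caller must set a password next) or 'denied'."""
        if self._user_hash:
            ok = hmac.compare_digest(_hash(password, self._user_salt), self._user_hash)
            return "user" if ok else "denied"
        if self.setup_window_open(now) and hmac.compare_digest(
            _hash(password, self._setup_salt), self._setup_hash
        ):
            return "setup"
        return "denied"

    def set_user_password(self, setup_password: str, new_password: str, now: float) -> bool:
        """Exchange the one-time setup credential for an owner-chosen password."""
        if self.authenticate(setup_password, now) != "setup" or len(new_password) < 12:
            return False
        self._user_salt = secrets.token_bytes(16)
        self._user_hash = _hash(new_password, self._user_salt)
        self._setup_hash = b""  # retired for good, even if the window is still open
        return True
```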
“The analysis of these field tests helps bridge the gap between the developer’s expectations and actual customer use of the product,” CISA said in its guidance.
“It will also help identify ways to make the product so that customers are most likely to use it safely – manufacturers need to ensure that the quickest route is the safest.”
The disclosure comes as the Israel National Cyber Directorate (INCD) attributed cyber attacks targeting the country’s critical infrastructure, carried out amid the ongoing war with Hamas since October 2023, to a Lebanese threat actor with connections to the Iranian Ministry of Intelligence.
The attacks, which involved exploiting known security flaws (for example, CVE-2018-13379) to obtain sensitive information and deploy malware, have been tied to an attack group named Plaid Rain (formerly Polonium).
The development also follows the release of a new advisory from CISA outlining security measures for healthcare and critical infrastructure entities to fortify their networks against potentially malicious activity and reduce the likelihood of domain compromise:
- Implement strong passwords and phishing-resistant MFA
- Ensure that only ports, protocols, and services with validated business needs are running on each system
- Configure service accounts with only the permissions required for the services they run
- Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems
- Stop reusing or sharing administrative credentials between user/administrative accounts
- Enable consistent patch management
- Implement network segregation controls
- Identify any unsupported hardware and software in use and discontinue it where possible
- Encrypt personally identifiable information (PII) and other sensitive data
On a related note, the US National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA published a list of recommended practices that organizations can use to harden the software supply chain and improve the security of their open-source software management processes.
“Organizations that do not follow a consistent and secure-by-design management practice for the open source software they use are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident,” said Aeva Black, open-source software security lead at CISA.