CISA to Scan Agency Networks for Internet-Connected Devices at Risk Under Latest Directive
The Cybersecurity and Infrastructure Security Agency will scan federal agency networks to help them identify any web-connected networked management interfaces that have become a key vulnerability in recent cyber exploits.
CISA outlined its plans as part of a binding operational directive issued today. It comes after a warning at the end of last month from Microsoft later amplified by CISA and other federal agencies that an alleged Chinese state-sponsored hacking group known as Volt Typhoon is using network administration tools to infiltrate critical infrastructure networks.
The CISA directive, BOD 23-02, Mitigation of Risks Related to Management Interfaces Exposed to the Internet, describes how recent threat campaigns underscore the serious risk to the federal enterprise posed by misconfigured network devices.
Affected devices include routers, switches, firewalls, and other interfaces that are managed remotely over the web.
Inadequate security, faulty configurations and outdated software make these devices more vulnerable to exploitation, states the CISA directive. The risk is further compounded if the device management interfaces are directly connected to and accessible from the public internet.
Once CISA completes its analyses, it plans to notify agencies of any findings regarding web-connected interfaces.
Agencies then have 14 days after being notified by CISA, or after discovering an Internet-accessible interface on their own, to remove the interface from the Internet, making it accessible only from an internal enterprise network, says the directive.
Another option, which CISA describes as the preferred action, is to deploy features as part of a Zero Trust architecture that enforce interface access control through a policy enforcement point separate from the interface itself.
CISA will also provide agencies with a reporting interface and standard remediation plan templates if remediation efforts exceed required timelines, the directive adds.
CISA also notes that the directive does not apply to “web-based applications and interfaces used to manage cloud service provider offerings, including but not limited to application programming interfaces or management portals”.
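The directive's requirement described above reduces to a simple triage over an asset inventory: a device management interface is a problem when it listens on a management protocol, sits on an address reachable from the Internet, and is not brokered by a separate policy enforcement point. The script below is an added example written for this article, not CISA's own scanning tooling; the inventory records, the list of management ports, and the set of address ranges treated as "internal" are all assumptions, and the public-looking sample addresses come from the RFC 5737 and RFC 3849 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Dict

# Assumed set of ports used for device management planes (web UI, SSH, Telnet, SNMP).
# The directive covers any management protocol; this table is only for the example.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp",
                    443: "https", 8443: "https-alt"}

# Address space treated as the "internal enterprise network" for this check:
# RFC 1918, ULA, loopback and link-local. Anything outside these ranges is
# assumed to be Internet-reachable. (Python's ip.is_global is deliberately not
# used here because it reports the RFC 5737/3849 documentation ranges used in
# the sample data as non-global.)
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]


@dataclass(frozen=True)
class Interface:
    hostname: str
    address: str
    port: int
    behind_pep: bool  # True when access is brokered by a separate policy enforcement point


def is_internal(address: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(address)
    # ip_network.__contains__ returns False for a mismatched IP version, so
    # mixing v4 and v6 entries in INTERNAL_NETWORKS is safe.
    return any(ip in net for net in INTERNAL_NETWORKS)


def classify(iface: Interface) -> str:
    """Return one of 'out-of-scope', 'internal', 'behind-pep', 'exposed'."""
    if iface.port not in MANAGEMENT_PORTS:
        return "out-of-scope"          # not a management interface
    if is_internal(iface.address):
        return "internal"              # already reachable only from inside
    if iface.behind_pep:
        return "behind-pep"            # the Zero Trust option CISA prefers
    return "exposed"                   # must be remediated within the 14-day window


def remediation_report(inventory: Iterable[Interface]) -> Dict[str, str]:
    """Map each hostname to its classification."""
    return {iface.hostname: classify(iface) for iface in inventory}


def needs_remediation(inventory: Iterable[Interface]) -> List[str]:
    """Hostnames whose management interface is exposed and unbrokered."""
    return sorted(h for h, status in remediation_report(inventory).items()
                  if status == "exposed")


# Constructed sample inventory (not real devices).
INVENTORY = [
    Interface("edge-fw-01", "203.0.113.10", 443, False),   # public, web UI, no PEP
    Interface("core-sw-02", "10.20.30.40", 22, False),     # RFC 1918, internal only
    Interface("vpn-gw-03", "198.51.100.5", 8443, True),    # public but behind a PEP
    Interface("web-srv-04", "203.0.113.20", 8080, False),  # public, but not a mgmt port
    Interface("rtr-v6-05", "2001:db8::1", 22, False),      # public IPv6, SSH, no PEP
]

if __name__ == "__main__":
    for host, status in remediation_report(INVENTORY).items():
        print(f"{host:12} {status}")
    print("remediate:", needs_remediation(INVENTORY))
```

Running the script prints one status per host and a final list of the hosts that must either be taken off the Internet or placed behind a policy enforcement point. Replacing the hard-coded inventory with an export from an asset management system is the obvious next step; the classification logic itself does not change.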
Concerns have been growing for at least several months about how hackers can take advantage of web-connected management interfaces to stealthily gain access to networks.
In January, threat intelligence firm Mandiant released an advisory detailing how it was tracking an alleged China-nexus campaign that allegedly exploited a zero-day vulnerability in Fortinet security operating systems.
Mandiant warned that the incident perpetuates the Chinese model of exploiting web-connected devices like firewalls and other managed security interfaces.
And in April, CISA and other partner agencies published an advisory detailing how a suspected Russian spy group took advantage of a known vulnerability to gain access to Cisco routers and deploy malware.
Matt Hayden, a former CISA official and currently an executive at General Dynamics Information Technology, said the cyber agency has already been working on a dedicated effort to address vulnerabilities in web-connected management interfaces over the past few months.
“They started figuring out what the details on that might be a few months ago and started polling the various networks to see where those devices were,” Hayden told Federal News Network. “And then Volt Typhoon arrives. And we are starting to see management consoles for security devices being directly abused and publicly attributed to the Chinese government by the federal government.”
In its May 24 blog post, Microsoft described how Volt Typhoon has allegedly targeted critical infrastructure targets in Guam and elsewhere in the United States since mid-2021.
In this campaign, the organizations involved span the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology and education sectors, the blog says. The observed behavior suggests that the threat actor intends to eavesdrop and maintain access undetected for as long as possible.
Microsoft also said that Volt Typhoon is getting initial access through internet-connected Fortinet devices.
CISA has already added several Fortinet fixes to the Known Exploited Vulnerabilities Catalog, which means that agencies are required to address them.
But Hayden noted that the latest BOD directs agencies to remove these devices from the internet or provide additional Zero Trust protections whether or not a patch has been applied.
“So whatever comes next, whether it’s a Fortinet vulnerability or something else that adds to this known exploited list, we want to make sure we have a buffer, and we reduce the risk of this stunt,” Hayden said. “At this point, the feds are basically saying don’t connect any of these to the Wild West, simply because there will be unknown vulnerabilities that will come with these in the future, and the exploit is too big.”
Although only federal civilian agencies are required to follow the directive and its implementation guidance, CISA notes that other entities may find the content useful.
“All of these BODs are used to really signal to the critical infrastructure community and everyone in the security world, ‘Hey, we only have the power to tell the federal authorities to do this. Everyone does it as fast as they can,’” Hayden said.
