50 US Agencies Using Unsecured Devices, Violating PolicyResearchers Say Routers, Access Points, Firewalls, VPNs Could Expose Federal Data
Security researchers at Censys found hundreds of federally owned devices at 50 different agencies exposed to the internet, accessible through IPv4 addresses and loaded with potentially vulnerable MOVEit and Barracuda Networks' ESG software. The vulnerabilities violate a recently released CISA policy, the firm said.
Threat intelligence provider Censys found 13,000 distinct hosts across hundreds of autonomous systems at risk at federal civilian agencies - including routers, access points, firewalls, VPNs and other remote server management technologies.
These attack surfaces violate the Cybersecurity and Infrastructure Security Agency's Binding Operational Directive released in June.
The directive aims to mitigate risks linked to remotely accessible management interfaces for federal agencies. It obligates federal civilian organizations to eliminate specific networked management interfaces from the internet by mandating a zero trust architecture to enforce access control for internet-exposed interfaces within 14 days of their identification.
Researchers also found around 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and Telnet.
Censys discovered exposed Adaptive Security Device Manager interfaces for Cisco devices, vulnerability scanning servers using Nessus, and more than 150 instances of end-of-life software. They also identified more than 10 hosts running HTTP services that exposed directory listings of file systems - a common cause of potential data leakage involving sensitive information.
"Exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure," Censys said.
Researchers also found multiple instances of exposed managed file transfer tools that have been highly exploited, such as MOVEit, GoAnywhere MFT, VanDyke VShell, and SolarWinds Serv-U file transfer software. They also observed exposed physical appliances such as Barracuda Networks' Email Security Gateway.