CISA to scan agency networks for risky web-connected devices under latest directive

The directive comes after suspected China state-backed hackers allegedly used network administration tools to access critical infrastructure systems.

The Cybersecurity and Infrastructure Security Agency will scan the networks of federal agencies to help them identify any web-connected “networked management interfaces” that have become a key vulnerability in recent cyber exploits.

CISA laid out its plans under a binding operational directive issued today. It comes in the wake of a warning late last month from Microsoft — later amplified by CISA and other federal agencies — that an alleged Chinese state-sponsored hacking group, known as “Volt Typhoon,” has been using network administration tools to infiltrate critical infrastructure networks.

CISA’s directive, called BOD 23-02 “Mitigating the Risk from Internet-Exposed Management Interfaces,” describes how “recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices.”

Devices of concern include routers, switches, firewalls and other interfaces that are managed remotely over the web.

“Inadequate security, misconfigurations and out of date software make these devices more vulnerable to exploitation,” the CISA directive states. “The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet.”

Once CISA completes its scans, it plans to notify agencies of any findings regarding web-connected interfaces.

Agencies then have 14 days after being notified by CISA, or after discovering an internet-accessible interface on their own, to “remove the interface from the internet by making it only accessible from an internal enterprise network,” the directive states.

Another option, which CISA describes as the “preferred action,” is to deploy capabilities as part of a zero trust architecture “that enforce access control to the interface through a policy enforcement point separate from the interface itself.”
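The two remediation paths above reduce to an inventory question an agency can answer before CISA's scan results arrive: which management interfaces answer on addresses outside the internal enterprise network, and which of those already sit behind a policy enforcement point? The following script is an added example written for this page; it is not part of the article or of CISA's directive or tooling. The inventory record format, its field names, the set of address ranges treated as "internal," the notification date and the sample records are all constructed assumptions; the sample "public" addresses use IANA documentation ranges as stand-ins.

```python
"""Added example (not from the article or from CISA): audit a constructed
device inventory for management interfaces reachable from outside the
internal enterprise network and compute the 14-day remediation deadline
the directive sets from the notification date."""
import ipaddress
from datetime import date, timedelta

# Assumption: the enterprise defines these ranges as "internal". RFC 1918,
# loopback and link-local for IPv4; ULA, link-local and loopback for IPv6.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# The directive gives agencies 14 days from notification or self-discovery.
REMEDIATION_WINDOW = timedelta(days=14)

# Constructed sample inventory. "protected_by_pep" marks an interface that is
# already behind a policy enforcement point separate from the device itself,
# which the directive calls the preferred action. The non-RFC-1918 addresses
# are IANA documentation ranges standing in for public addresses.
SAMPLE_INVENTORY = [
    {"device": "edge-fw-01", "role": "firewall", "mgmt_ip": "203.0.113.10", "protected_by_pep": False},
    {"device": "core-sw-02", "role": "switch",   "mgmt_ip": "10.20.0.5",    "protected_by_pep": False},
    {"device": "vpn-gw-03",  "role": "vpn",      "mgmt_ip": "198.51.100.7", "protected_by_pep": True},
    {"device": "wan-rtr-04", "role": "router",   "mgmt_ip": "192.0.2.44",   "protected_by_pep": False},
    {"device": "lab-rtr-05", "role": "router",   "mgmt_ip": "fe80::1",      "protected_by_pep": False},
]


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the enterprise's internal ranges.

    An IPv6 address is never "in" an IPv4 network (and vice versa), so mixed
    inventories are handled without special-casing."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def audit(inventory, notified_on: date):
    """Classify each management interface against the directive's two options.

    Statuses:
      internal             - only reachable from the internal enterprise network
      exposed-but-enforced - externally addressable, but access is already
                             controlled by a separate policy enforcement point
      exposed-unmitigated  - externally addressable with no enforcement point;
                             this is the finding that starts the 14-day clock
    Address-based classification is only a first pass: an interface on a
    private address can still be reachable through NAT or port forwarding,
    so agencies should reconcile this list with CISA's scan findings."""
    findings = []
    for rec in inventory:
        if is_internal(rec["mgmt_ip"]):
            status = "internal"
        elif rec["protected_by_pep"]:
            status = "exposed-but-enforced"
        else:
            status = "exposed-unmitigated"
        deadline = notified_on + REMEDIATION_WINDOW if status == "exposed-unmitigated" else None
        findings.append({
            "device": rec["device"],
            "role": rec["role"],
            "mgmt_ip": rec["mgmt_ip"],
            "status": status,
            "remediate_by": deadline.isoformat() if deadline else None,
        })
    return findings


def unmitigated(findings):
    """Devices whose interface must be pulled off the internet or put behind a PEP."""
    return [f["device"] for f in findings if f["status"] == "exposed-unmitigated"]


if __name__ == "__main__":
    # Constructed notification date; substitute the date on CISA's notice.
    results = audit(SAMPLE_INVENTORY, date(2023, 6, 13))
    for f in results:
        print(f"{f['device']:<12} {f['mgmt_ip']:<16} {f['status']:<22} {f['remediate_by'] or ''}")
    print("needs action:", unmitigated(results))
```

The design choice worth noting is that the script keys off the enterprise's own definition of "internal" rather than Python's `is_private` or `is_global` flags: the directive's test is whether the interface is accessible only from the internal enterprise network, which is an organizational boundary, not a property of the address alone, and an explicit allow-list makes that boundary reviewable.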

CISA also will provide agencies with “a reporting interface and standard remediation plan templates if remediation efforts exceed required timeframes,” the directive adds.

CISA also notes that the directive does not apply to “web applications and interfaces used for managing Cloud Service Provider offerings including but not limited to, Application Programming Interfaces or management portals.”

Concerns have been mounting for at least several months around how nation-state cyber actors have been increasingly taking advantage of web-connected management interfaces to stealthily access networks.

And as early as 2021, CISA began publishing advisories warning of vulnerabilities in management interfaces and devices, first with Ivanti’s Pulse Connect Secure products and then with ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

Last October, CISA published an advisory warning IT administrators not to expose management interfaces to the internet. The advisory detailed how hackers were actively exploiting a vulnerability in F5 Networks’ BIG-IP application services via the management port.

In January, threat intelligence firm Mandiant released an advisory detailing how it was tracking a “suspected China-nexus campaign” believed to have exploited a zero-day vulnerability in Fortinet security operating systems.

Mandiant warned the incident “continues China’s pattern” of exploiting web-connected devices like firewalls and other managed security interfaces.

And in April, CISA and other partner agencies released an advisory detailing how a suspected Russian espionage group had taken advantage of a known vulnerability to access Cisco devices and deploy malware.

Matt Hayden, a former CISA official and currently an executive at General Dynamics Information Technology, said the cyber agency had already been working on a dedicated effort to address vulnerabilities in web-connected management interfaces for the past several months.

“They started to work out what the details may be on this a couple months ago, and started doing some querying of the different networks to see where these devices were,” Hayden told Federal News Network. “And then Volt Typhoon happens. And we start to see management consoles for security devices getting directly abused and attributed to the Chinese government by the federal government publicly.”

In its May 24 blog, Microsoft described how Volt Typhoon has allegedly targeted critical infrastructure in Guam and “elsewhere in the United States” since mid-2021.

“In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors,” the blog states. “Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”

Microsoft also said Volt Typhoon gains initial access through internet-facing Fortinet devices.

CISA has already added several Fortinet vulnerabilities to the Known Exploited Vulnerabilities Catalog, meaning agencies are required to patch them.

But Hayden noted the latest BOD directs agencies to remove such devices from the internet or provide the additional “zero trust” protections, regardless of whether a patch has been applied.

“So that no matter which application is next, whether it be a Fortinet vulnerability or something else that adds to that known exploited list, we want to make sure that we have a buffer, and we’re buying down the risk of that cascading,” Hayden said. “At this point, the federal government is basically saying, ‘Don’t connect any of these to the wild west,’ just because there are going to be unknown vulnerabilities that will come in the future with these, and the exploit is too great.”

While only federal civilian agencies are required to follow the directive and its implementation guidance, CISA notes that “other entities may find the content useful.”

“All these BODs are being used to really signal to the critical infrastructure community and everyone out there in the security world, ‘Hey, we only have authority to tell the feds to do this. Everybody do this as fast as possible,’” Hayden said.

Copyright © 2024 Federal News Network. All rights reserved.
