The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to completely eliminate preset passwords on systems exposed to the Internet, citing serious risks that malicious actors could exploit to gain initial access to an organization and perform additional operations within the organization. Lateral movement within.
In an alert issued last week, the agency accused Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) of using operational technology devices with preset passwords to gain access to U.S. critical infrastructure systems.
Default passwords refer to factory-preset software configurations of embedded systems, devices, and devices that are typically publicly documented and are the same across all systems within a vendor’s product line.
Therefore, threat actors can use tools such as Shodan to scan endpoints exposed on the network and attempt to compromise them via default passwords, often gaining root or administrative privileges to perform post-attack operations, depending on the type of system.
“Devices that are pre-populated with username and password combinations pose a serious threat to organizations that do not change the username and password combination after installation, as they can be easily targeted by adversaries,” MITER noted.
Earlier this month, CISA revealed that IRGC-affiliated cyber attackers using the Cyber Av3ngers role were actively targeting and compromising Israeli-made Unitronics Vision series programmable logic controllers (PLCs) by using default Passwords publicly exposed on the Internet (“1111”).
“In these attacks, preset passwords were widely known and exposed in public forums where threat actors mined intelligence for use in compromising U.S. systems,” the agency added.
As a mitigation measure, we urge manufacturers to follow secure design principles and provide products with unique setup passwords or disable such passwords after a preset period of time and require users to enable multi-factor authentication to prevent phishing ( MFA ) method.
The agency further recommends that vendors conduct field testing to determine how their customers deploy the products in their environments and whether the use of any unsafe mechanisms is involved.
“Analysis of these field tests will help bridge the gap between developer expectations and actual customer use of the product,” CISA states in its guidance.
“It will also help determine ways to build a product so that customers are most likely to use it safely – manufacturers should ensure that the easiest route is the safe route.”
The disclosure comes as Israel’s National Cyber Authority (INCD) believes a Lebanese threat actor with ties to Iran’s intelligence ministry masterminded attacks against key targets in the country amid ongoing fighting with Hamas since October 2023. Cyberattacks on infrastructure.
These attacks involve exploiting known security vulnerabilities, such as CVE-2018-13379, to obtain sensitive information and deploy destructive malware, and are associated with an attack group called Plaid Rain (formerly Polium).
This follows the release of a new advisory from CISA outlining security countermeasures for healthcare and critical infrastructure entities to harden their networks against potential malicious activity and reduce the potential for domain compromise –
- Implement strong passwords and anti-phishing MFA
- Ensure that only the ports, protocols, and services that are validated for business requirements are running on each system
- Configure a service account with only the permissions required by the service it runs
- Change all default passwords for applications, operating systems, routers, firewalls, wireless access points and other systems
- Stop reusing or sharing administrative credentials between user/admin accounts
- Enforce consistent patch management
- Implement network isolation controls
- Evaluate the use of unsupported hardware and software and discontinue use where possible
- Encrypt personally identifiable information (PII) and other sensitive data
Relatedly, the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA released a recommended list of practices organizations can adopt to strengthen software supply chains and improve software security. Their open source software management process.
“Organizations that do not follow consistent and secure design management practices for the open source software they use are more likely to be vulnerable to known vulnerabilities in open source software packages and have more difficulty responding to incidents,” said Aeva Black , Director of Open Source Software Security at CISA.