Censys researchers have discovered hundreds of internet-exposed devices on US federal agency networks that must be secured under a recently released CISA binding operational directive.

An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to the Internet, spread across more than 100 FCEB agency-related systems.

Of these, more than 1,300 hosts exposed to the Internet are accessible via IPv4 addresses, hundreds of which allow access to the management interfaces of various network devices.

“We discovered nearly 250 instances of web interfaces for hosts exposing network appliances, many of which were running remote protocols such as SSH and TELNET,” Censys said.

“More than 15 instances of exposed remote access protocols such as FTP, SMB, NetBIOS, and SNMP were also found running on hosts linked to FCEB.”

Censys also discovered several servers hosting the MOVEit, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer platforms, known attack vectors in data theft attacks.

Additionally, they identified more than ten hosts with exposed directory listings, posing a data leak risk, as well as Barracuda Email Security Gateway appliances that were recently targeted by zero-day attacks.

Another 150 server instances with end-of-life Microsoft IIS, OpenSSL and Exim software were also spotted by Censys, significantly increasing the attack surface due to lack of security updates.

Order to secure network devices exposed to the Internet

All Internet-exposed management interfaces found by Censys on U.S. federal agency networks must be secured under CISA's Binding Operational Directive 23-02 within 14 days of being identified.

CISA also announced that it will research devices and interfaces that fall within the scope of the directive and notify agencies of its findings.

To aid in the remediation process, CISA will also offer technical expertise to federal agencies upon request, providing in-depth review of specific devices and guidance on implementing robust security measures.

This proactive approach by CISA is aimed at improving the overall cybersecurity posture of federal agencies and protecting critical infrastructure.

In March, the cybersecurity agency also announced that it would notify critical infrastructure organizations of ransomware-vulnerable devices on their network to help them block ransomware attacks under a new Ransomware Vulnerability Warning Pilot (RVWP) program.

“These internet-exposed devices have long been a low-hanging fruit for threat actors to gain unauthorized access to important assets, and it is encouraging that the federal government is taking this step to proactively improve their threat posture, overall security and that of their adjacent systems,” Censys said.
