Threat intelligence software vendor Censys found hundreds of exposed devices on the networks of federal civilian executive branch (FCEB) organizations, according to research published Monday.
The research primarily concerns CISA's Binding Operational Directive (BOD) 23-02, which requires FCEB agencies to take actions to, according to CISA's website, "reduce their attack surface created by insecure or misconfigured management interfaces across certain classes of devices." Under the directive, an agency has 14 days from CISA's notification, or from its own discovery of an in-scope management interface, to either remove that interface from the public internet or place it behind access controls enforced as part of a zero trust architecture.
Censys researchers conducted an analysis of more than 50 FCEB organizations and suborganizations, which included "over 13,000 distinct hosts spread across more than 100 autonomous systems associated with these entities" as well as "over 1,300 FCEB hosts accessible via IPv4 address."
As part of this analysis, researchers found "hundreds of publicly exposed devices within the scope outlined in the directive," according to the company's blog post. Researchers also found multiple exposed instances of managed file transfer products with critical, actively exploited vulnerabilities, such as Progress Software's MOVEit Transfer and Fortra's GoAnywhere MFT.
Censys researchers also discovered exposed physical appliances such as Barracuda Networks' Email Security Gateway (ESG). Threat actors exploited a critical zero-day flaw, disclosed last month, to compromise ESG devices so thoroughly that Barracuda told affected customers to replace the appliances immediately rather than rely on patches.
The post did not say whether the exposed Barracuda ESG or MOVEit instances were patched, and Censys security researcher Himaja Motheram told TechTarget Editorial that "patch details aren't always visible to Censys' passive scanners." She said that overall, Censys is seeing reduced exposure for those vulnerabilities.
"From an internet-wide perspective, we have observed hundreds of Barracuda ESG devices and MOVEit file transfer hosts being removed from the public internet over the last month," Motheram said. "While these numbers are encouraging, as the list of organizations impacted by these zero-days continues to grow, we can't overstate the importance of rapid mitigation."
Motheram added that devices outside the directive's scope but carrying known issues, such as the MOVEit and ESG instances, raised "immediate concern."
"The presence of these devices within FCEB networks, particularly after numerous headlines of government and industry organizations suffering MOVEit data breaches, calls for urgent action," she said. "In light of such findings, it is crucial to take proactive steps. Start by gaining a comprehensive understanding of your organization's network and ensure that basic security measures are in place: Restrict access from the public internet and implement strong passwords and other authentication mechanisms."
Censys also found exposed Cisco Adaptive Security Device Manager (ASDM) interfaces, exposed Tenable Nessus vulnerability scanners, more than 150 instances of end-of-life software and "over 10 hosts running HTTP services exposing directory listings of file systems, a common source of sensitive data leakage."
Motheram said some of the exposures might be intentional, but most are probably the result of misconfigured settings or a lack of risk awareness. She said that while the exposures don't warrant immediate panic, "they're worrisome because they likely indicate a broader culture of inadequate security practices."
"They're likely just the tip of the iceberg, suggesting the existence of deeper and potentially more critical security issues," Motheram said. "For example, if any of these exposed devices have weaknesses like default login credentials or ties to known exploited vulnerabilities, they pose a serious threat."
Alexander Culafi is a writer, journalist and podcaster based in Boston.