The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently asked manufacturers to remove default passwords from their systems on the internet. The agency cites serious dangers that might be used by hackers to obtain initial access to an organization and move edgewise within it.
Also, the CIA denounced Iranian hackers connected to the Islamic Revolutionary Guard Corps (IRGC) in a warning released last week for using operational technology devices that have default passwords to access vital infrastructure systems in the United States.
Default passwords are the factory default software configurations for embedded systems & devices that are similar across all systems in a vendor’s product range and are usually publicly documented.
As a result, hackers may use programs, like Shodan, to search for internet-exposed endpoints and try to breach them using default passwords. Depending on the kind of system, they could then frequently obtain root or administrator access to carry out post-exploitation operations.
"Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary," says MITRE.
In order to mitigate the risk, manufacturers are urged to implement "Secure by Design Principles", and include unique setup passwords with the product, or disable the passwords after a predetermined amount of time. In addition, they have also been asked to mandate that users enable multi-factor authentication techniques that are resistant to phishing attempts.
Not only this, CISA has recommended the vendors carry out field tests to check if their clients are implementing the items in their settings and whether any risky techniques are being used. CISA stated in its advice "Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product."
"It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one."
The announcement coexists with the accusation made by the Israel National Cyber Directorate (INCD) against a Lebanese hacker linked to the Iranian Ministry of Intelligence. The accusation was made of planning cyberattacks against the nation’s vital infrastructure during its protracted conflict with Hamas.
Hackers’ group, known as Plaid Rain, have been linked to the attacks. It uses known security holes (such as CVE-2018-13379) to gather sensitive data and install malicious malware.
Also, the development follows the release of CISA's new advisory that outlines security measures for healthcare and infrastructure to fortify their networks against possible malicious activities and minimize the probability of domain compromise:-
- Enforce MFA which is resistant to phishing attacks and secure passwords.
- Change the default passwords for operating systems, routers, firewalls, access points, etc.
- Configure service accounts with only the permissions required for the services they run.
- Stop exchanging or reusing administrative credentials between user and administrator accounts.
- Require regular patch management and network segregation measures.
- Examine and, if feasible, stop using unsupported hardware and software.
- Encrypt sensitive data, including personally identifying information (PII).
In a related vein, the Office of the Director of National Intelligence (ODNI), CISA, and the U.S. The National Security Agency (NSA) has released a set of suggested practices that companies can implement to strengthen the security of their open-source software management procedures and harden the software supply chain.
“Organizations that do not follow a consistent and secure-by-design management practice for the open source software they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident,” said Aeva Black, open-source software security lead at CISA.