The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations.
In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S.
Default passwords refer to factory default software configurations for embedded systems, devices, and appliances that are typically publicly documented and identical among all systems within a vendor’s product line.
As a result, threat actors could scan for internet-exposed endpoints using tools like Shodan and attempt to breach them through default passwords, often gaining root or administrative privileges to perform post-exploitation actions depending on the type of the system.
“Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary,” MITRE notes.
Earlier this month, CISA revealed that IRGC-affiliated cyber actors using the persona Cyber Av3ngers are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are publicly exposed to the internet through the use of default passwords (“1111“).
“In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching U.S. systems,” the agency added.
As mitigation measures, manufacturers are being urged to follow secure by design principles and provide unique setup passwords with the product, or alternatively disable such passwords after a preset time period and require users to enable phishing-resistant multi-factor authentication (MFA) methods.
The agency further advised vendors to conduct field tests to determine how their customers are deploying the products within their environments and if they involve the use of any unsafe mechanisms.
“Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product,” CISA noted in its guidance.
“It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one.”
The disclosure comes as the Israel National Cyber Directorate (INCD) attributed a Lebanese threat actor with connections to the Iranian Ministry of Intelligence for orchestrating cyber attacks targeting critical infrastructure in the country amidst its ongoing war with Hamas since October 2023.
The attacks, which involve the exploitation of known security flaws (e.g., CVE-2018-13379) to obtain sensitive information and deploy destructive malware, have been tied to an attack group named Plaid Rain (formerly Polonium).
The development also follows the release of a new advisory from CISA that outlines security countermeasures for healthcare and critical infrastructure entities to fortify their networks against potential malicious activity and reduce the likelihood of domain compromise –
- Enforce strong passwords and phishing-resistant MFA
- Ensure that only ports, protocols, and services with validated business needs are running on each system
- Configure Service accounts with only the permissions necessary for the services they operate
- Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems
- Discontinue reuse or sharing of administrative credentials among user/administrative accounts
- Mandate consistent patch management
- Implement network segregation controls
- Evaluate the use of unsupported hardware and software and discontinue where possible
- Encrypt personally identifiable information (PII) and other sensitive data
On a related note, the U.S. National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA published a list of recommended practices that organizations can adopt in order to harden the software supply chain and improve the safety of their open-source software management processes.
“Organizations that do not follow a consistent and secure-by-design management practice for the open source software they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident,” said Aeva Black, open-source software security lead at CISA.