- The US Cybersecurity and Infrastructure Security Agency (CISA) has urged manufacturers to cease using default passwords on internet-connected systems due to the high security risks they present.
- CISA highlighted a recent incident where Iranian threat actors tied to the Islamic Revolutionary Guard Corps exploited devices using default passwords to gain access to vital US infrastructure systems.
- The agency recommends adopting secure by design principles, including providing unique setup passwords or disabling default ones after a certain time, alongside enabling phishing-resistant multi-factor authentication methods.
Default passwords, typically publicly documented and often identical across a company’s product range, are easily exploitable. Threat actors can use tools like Shodan to scan for devices exposed on the internet and breach them using these default passwords. This often results in gaining administrative privileges. Overcoming these vulnerabilities involves manufacturers adopting the secure by design principles suggested by CISA, such as providing unique setup passwords for each product or disabling default passwords after a certain period.
Additionally, by using multi-factor authentication methods, users can help protect themselves against phishing and other types of cyberattacks. Manufacturers are also advised to conduct field tests to understand how consumers actually deploy their products and to identify potentially unsafe mechanisms. Closing this gap between developer expectations and real-world consumer usage is key to ensuring that the secure way to deploy a product is also the most straightforward one.
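The two secure by design measures described above (a unique per-unit setup password instead of a shared default, and retirement of that bootstrap credential after a set period or once the operator has chosen their own) can be modelled as a small credential policy. The following is an added illustration, not code from CISA or any vendor; the class and method names, the 24-hour setup window and the 12-character minimum are assumptions for this example.

```python
"""Illustrative device credential policy following the CISA guidance above."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

SETUP_WINDOW = timedelta(hours=24)   # assumed grace period for first login
MIN_OPERATOR_PASSWORD_LEN = 12       # assumed policy value


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is a modest illustrative value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentials:
    """Auth state for one unit: unique setup password, retired after setup."""

    def __init__(self, first_boot_at: datetime):
        self.first_boot_at = first_boot_at
        # Generated per unit at manufacture (e.g. printed on the label), so
        # no two units share it and nothing is publicly documented.
        self.setup_password = secrets.token_urlsafe(12)
        self._setup_salt = os.urandom(16)
        self._setup_hash = _hash(self.setup_password, self._setup_salt)
        self._user_salt = None
        self._user_hash = None

    def set_operator_password(self, new_password: str) -> None:
        if len(new_password) < MIN_OPERATOR_PASSWORD_LEN:
            raise ValueError("operator password too short")
        self._user_salt = os.urandom(16)
        self._user_hash = _hash(new_password, self._user_salt)
        self._setup_hash = None  # bootstrap credential is retired for good

    def authenticate(self, password: str, now: datetime) -> bool:
        if self._user_hash is not None:
            return hmac.compare_digest(_hash(password, self._user_salt),
                                       self._user_hash)
        # Still in bootstrap: the setup password only works inside the window.
        if self._setup_hash is None or now - self.first_boot_at > SETUP_WINDOW:
            return False
        return hmac.compare_digest(_hash(password, self._setup_salt),
                                   self._setup_hash)


if __name__ == "__main__":
    boot = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    dev = DeviceCredentials(boot)
    print(dev.authenticate(dev.setup_password, boot + timedelta(hours=1)))   # True
    print(dev.authenticate(dev.setup_password, boot + timedelta(days=2)))    # False
```

After the window closes without an operator password having been set, the unit has no working credential and must be re-provisioned out of band, which is the behaviour the guidance intends.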
In another alert, CISA, alongside the FBI, NSA, Poland’s Military Counterintelligence Service, CERT Polska, and the UK’s National Cyber Security Centre, has warned that actors affiliated with the Russian Foreign Intelligence Service are exploiting CVE-2023-42793 at scale. The campaign has targeted servers hosting JetBrains TeamCity software since as early as September 2023. Separately, the NSA, the Office of the Director of National Intelligence, and CISA have jointly published recommended practices for securing software supply chains and the management processes for open-source software.
In closing, Aeva Black, CISA Open Source Software Security Lead, suggests that “Organisations that do not follow a consistent and secure-by-design management practice for the open source software they utilise are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident.” CISA, in collaboration with the NSA, ODNI, and industry partners, hopes that the guide helps organisations improve the safety and security of their open source software management practices.