The US Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to abandon default passwords on internet-exposed systems, because such passwords are being actively abused by state-linked actors against critical infrastructure. Here are the key points:
- Internet-exposed operational technology (OT) devices are being compromised by Iranian threat actors linked to the Islamic Revolutionary Guard Corps (IRGC), who log in with unchanged default passwords to gain access to US critical infrastructure systems.
- Default passwords are publicly documented and identical across a vendor’s product line, making them an easy target for exploitation.
- CISA urges manufacturers to follow secure-by-design principles: either ship each unit with a unique setup password, or disable the default password after a set time period and require the user to adopt a stronger authentication method.
- Users should move to phishing-resistant multi-factor authentication (MFA) rather than relying on passwords alone, according to CISA.
- Manufacturers should conduct field tests to understand how customers deploy their products and identify any unsafe mechanisms.
- CISA, along with the FBI, NSA, Polish Military Counterintelligence Service (SKW), CERT Polska, and the UK's National Cyber Security Centre (NCSC), released a joint advisory warning that Russian Foreign Intelligence Service (SVR)-affiliated actors are exploiting CVE-2023-42793, an authentication bypass in JetBrains TeamCity servers.
- The agencies have also published recommended practices to enhance software supply chain security and open-source software management processes.
CISA's recommendations aim to bridge the gap between developer expectations and actual customer usage, so that the easiest route is also the secure one. The warning was spurred by an alert highlighting attacks by IRGC-affiliated cyber actors on publicly exposed Israeli-made Unitronics Vision Series PLCs whose factory default password had never been changed. Using internet-wide scanning services such as Shodan, attackers can enumerate exposed endpoints, try the vendor's documented default credentials, and frequently obtain administrative access without any exploit at all.
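To make the recommendation concrete, the following Python example (added here; it is not CISA's code nor any vendor's firmware) contrasts a device that ships with a fleet-wide default password, the situation the Unitronics alert describes, with the two mechanisms CISA asks for: a unique per-unit setup password, and a bounded window after which that password is disabled until the operator sets their own. The fleet default `1111`, the list of known defaults, the 24-hour window and the 12-character minimum are constructed, hypothetical values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed example values; none of these are taken from vendor documentation.
FLEET_DEFAULT = "1111"
KNOWN_DEFAULTS = {"1111", "admin", "password", "12345", ""}
SETUP_WINDOW_SECONDS = 24 * 3600   # hypothetical grace period for the setup password
MIN_PASSWORD_LENGTH = 12           # hypothetical policy value


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a dumped credential store does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class LegacyDevice:
    """The weak design: every unit ships with the same documented password and
    accepts it forever, so an internet-exposed unit is one scan away from compromise."""
    password: str = FLEET_DEFAULT

    def login(self, candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), self.password.encode())


@dataclass
class SecureByDesignDevice:
    """Secure-by-design variant: a unique per-unit setup password that only works
    inside a bounded window and is retired once an operator password is set."""
    serial: str
    first_boot: float
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    setup_hash: Optional[bytes] = None   # None once the setup password is retired
    user_hash: Optional[bytes] = None    # operator-chosen password, None until set

    @classmethod
    def provision(cls, serial: str, first_boot: float) -> Tuple["SecureByDesignDevice", str]:
        """Manufacturing step: generate the label password; only its hash stays on the unit."""
        setup_password = secrets.token_urlsafe(12)
        dev = cls(serial=serial, first_boot=first_boot)
        dev.setup_hash = _kdf(setup_password, dev.salt)
        return dev, setup_password

    def login(self, candidate: str, now: float) -> bool:
        digest = _kdf(candidate, self.salt)
        if self.user_hash is not None:
            return hmac.compare_digest(digest, self.user_hash)
        if self.setup_hash is None or now - self.first_boot > SETUP_WINDOW_SECONDS:
            # Setup password expired unused: the unit stays locked until someone with
            # physical access runs factory_reset(); the fleet default is never revived.
            return False
        return hmac.compare_digest(digest, self.setup_hash)

    def change_password(self, current: str, new: str, now: float) -> bool:
        """Needs the setup or current password, rejects known defaults and short
        values, and retires the setup password on success."""
        if not self.login(current, now):
            return False
        if new in KNOWN_DEFAULTS or len(new) < MIN_PASSWORD_LENGTH:
            return False
        self.salt = os.urandom(16)
        self.user_hash = _kdf(new, self.salt)
        self.setup_hash = None
        return True

    def factory_reset(self, now: float) -> str:
        """Physical-access recovery path: wipe the operator password and issue a
        fresh per-unit setup password with a new window."""
        self.first_boot = now
        self.user_hash = None
        self.salt = os.urandom(16)
        setup_password = secrets.token_urlsafe(12)
        self.setup_hash = _kdf(setup_password, self.salt)
        return setup_password


if __name__ == "__main__":
    dev, label_pw = SecureByDesignDevice.provision("SN-0001", first_boot=0.0)
    print("legacy accepts fleet default:", LegacyDevice().login(FLEET_DEFAULT))
    print("new design accepts fleet default:", dev.login(FLEET_DEFAULT, now=60.0))
    print("new design accepts label password in window:", dev.login(label_pw, now=60.0))
    print("label password after the window:", dev.login(label_pw, now=SETUP_WINDOW_SECONDS + 1))
```

The point of the `factory_reset` path is that a locked-out operator gets a new unique password, not the old fleet-wide one; reviving a shared default on reset would reopen exactly the hole the scanning described above exploits.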
Cybersecurity threats are expected to increase, particularly ahead of Western elections next year. CISA hopes that its proactive guidance will help to mitigate these risks and improve the security of open-source software management practices in organisations of all sizes.
Aeva Black, CISA's Open Source Software Security Lead, warned practitioners in the field that organizations that do not follow a secure-by-design management practice for the open-source software they use are more likely to become vulnerable to known exploits and to struggle to react appropriately to an incident.