CISA’s message: Drop default passwords, manufacturers!

December 18, 2023

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to stop shipping default passwords on internet-exposed systems, citing the severe risk posed by malicious actors. Here are the key points:

  • Operational technology (OT) devices are being exploited by Iranian threat actors linked to the Islamic Revolutionary Guard Corps (IRGC), who use default passwords to gain access to critical US infrastructure systems.
  • Default passwords are publicly documented and identical across a vendor’s product line, making them an easy target for exploitation.
  • CISA urges manufacturers to follow secure-by-design principles and to either provide unique setup passwords or disable default passwords after a set time period.
  • CISA also recommends that users enable multi-factor authentication (MFA) methods that protect against phishing.
  • Manufacturers should conduct field tests to understand how customers deploy their products and identify any unsafe mechanisms.
  • CISA, along with the FBI, NSA, Polish Military Counterintelligence Service (SKW), CERT Polska, and the UK’s National Cyber Security Centre (NCSC), released a joint advisory warning about Russian Foreign Intelligence Service (SVR)-affiliated actors exploiting CVE-2023-42793.
  • The agencies have also published recommended practices to enhance software supply chain security and open-source software management processes.
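The two credential policies contrasted in the points above can be made concrete. The following is an added illustration written for this summary, not code from CISA or from any vendor: a toy model of a device that ships with one shared, documented default versus a device that is provisioned with a unique setup password that only works during a setup window and only until the operator replaces it. All names, values and the 24-hour window are assumptions made for the example.

```python
"""
Added example (not CISA's or any vendor's code): a toy model of the two
device-credential policies the summary contrasts. LegacyDevice ships with one
documented password shared across the product line; SecureByDesignDevice gets
a unique setup password at the factory that only works inside a setup window
and only until the operator replaces it. All values are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

VENDOR_DEFAULT = "1111"            # hypothetical shared default of the kind a public manual lists
SETUP_WINDOW_SECONDS = 24 * 3600   # assumed setup window; a real product picks its own
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a dumped firmware image does not yield the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LegacyDevice:
    """Vulnerable pattern: identical across the product line, documented, never expires."""

    def __init__(self) -> None:
        self.password = VENDOR_DEFAULT

    def login(self, attempt: str, now: int) -> bool:
        # Nothing here depends on time or on the operator ever changing anything.
        return hmac.compare_digest(self.password, attempt)


class SecureByDesignDevice:
    """Hardened pattern: per-unit setup password, time-boxed, single-use."""

    def __init__(self, serial: str, setup_hash: bytes, setup_salt: bytes, first_boot: int) -> None:
        self.serial = serial
        self._setup_hash = setup_hash      # only a hash of the label password lives in firmware
        self._setup_salt = setup_salt
        self.first_boot = first_boot
        self._operator_hash = None         # set once the operator picks a credential
        self._operator_salt = b""
        self.setup_used = False

    @classmethod
    def provision(cls, serial: str, first_boot: int) -> tuple[SecureByDesignDevice, str]:
        """Factory step: mint a random per-unit setup password and print it on the label."""
        label_password = secrets.token_hex(8)
        salt = os.urandom(16)
        return cls(serial, _hash_password(label_password, salt), salt, first_boot), label_password

    def _setup_window_open(self, now: int) -> bool:
        return not self.setup_used and 0 <= now - self.first_boot <= SETUP_WINDOW_SECONDS

    def complete_setup(self, setup_attempt: str, new_password: str, now: int) -> bool:
        """Exchange the label password for an operator-chosen one, once, inside the window."""
        if not self._setup_window_open(now):
            return False
        if not hmac.compare_digest(self._setup_hash, _hash_password(setup_attempt, self._setup_salt)):
            return False
        if len(new_password) < 12 or new_password == setup_attempt:
            return False  # refuse trivially weak or recycled credentials
        self._operator_salt = os.urandom(16)
        self._operator_hash = _hash_password(new_password, self._operator_salt)
        self.setup_used = True
        return True

    def login(self, attempt: str, now: int) -> bool:
        """Remote login only ever accepts the operator credential, never the label one."""
        if self._operator_hash is None:
            return False
        return hmac.compare_digest(self._operator_hash, _hash_password(attempt, self._operator_salt))


def default_password_attack(devices: list, now: int) -> list[str]:
    """What a scanner armed with the public manual achieves: devices that accept VENDOR_DEFAULT."""
    return [type(d).__name__ for d in devices if d.login(VENDOR_DEFAULT, now)]


def demo() -> dict:
    """Run both policies through the same constructed timeline and return the outcomes."""
    now = 1_700_000_000
    legacy = LegacyDevice()
    hardened, label_pw = SecureByDesignDevice.provision("SN-0001", first_boot=now)
    stale, stale_pw = SecureByDesignDevice.provision("SN-0002", first_boot=now)
    return {
        "default_works_on": default_password_attack([legacy, hardened], now),
        "setup_in_window": hardened.complete_setup(label_pw, "operator-chosen-passphrase", now + 60),
        "setup_reuse_after_first_use": hardened.complete_setup(label_pw, "another-passphrase-123", now + 61),
        "label_password_as_login": hardened.login(label_pw, now + 62),
        "operator_login": hardened.login("operator-chosen-passphrase", now + 63),
        "setup_after_window": stale.complete_setup(stale_pw, "operator-chosen-passphrase",
                                                   now + SETUP_WINDOW_SECONDS + 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that the shared default is the only credential the legacy device ever has, so anyone who can read the manual and reach the port gets in, whereas the hardened device never accepts its label password over the network: it can only be traded, once and within the window, for a credential the operator chose.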

CISA’s recommendations aim to bridge the gap between developer expectations and actual customer usage, so that the easiest route is also the secure one. The warning was spurred by an alert about IRGC-affiliated cyber actors targeting publicly exposed, Israeli-made Unitronics Vision Series PLCs that were still using default passwords. With tools such as Shodan, threat actors can enumerate internet-exposed endpoints and then log in with the vendor’s documented default, often gaining administrative access.

Cybersecurity threats are expected to increase, particularly ahead of Western elections next year. CISA hopes that its proactive guidance will help mitigate these risks and improve the security of open-source software management practices in organisations of all sizes.

Addressing practitioners in the field, Aeva Black, CISA Open Source Software Security Lead, warned that organizations that do not follow a secure-by-design management practice for the open-source software they use are more likely to become vulnerable to known exploits and to struggle to react appropriately to an incident.
