Critical cyber threats persist on federal networks despite recent directives

A new report from security firm Censys found that many internet-connected devices on federal networks remain vulnerable to potential cyberthreats.


Hundreds of devices on federal networks remain in apparent violation of a recent Binding Operational Directive from the Cybersecurity and Infrastructure Security Agency, according to a new report. 

Hundreds of internet-connected devices found on federal systems remain vulnerable to critical cybersecurity threats, according to new research, despite a recent directive from the nation's cyber defense agency requiring their removal from government networks. 

Researchers with the security firm Censys identified over 13,000 distinct hosts — from routers and firewalls with publicly exposed configurations to VPNs with remote access vulnerabilities — across more than 100 autonomous systems associated with over 50 federal civilian executive branch organizations and sub-organizations. 

The findings come after the Cybersecurity and Infrastructure Security Agency issued a Binding Operational Directive earlier this month requiring all federal civilian agencies to remove certain devices with public-facing management interfaces from internet networks. 

The research reflects an "alarming discovery" across government networks and serves as a reminder "of the importance of self-checks, like scanning and actively enumerating your own network devices," according to Tomer Bar, vice president of security research for the cybersecurity company SafeBreach. 

"Exposed devices with remote management interfaces are one of the most common attacks used by both nation-state and cybercrime threat actors in order to achieve initial access to the target network," Bar said in a statement sent to Nextgov/FCW.

The researchers discovered numerous instances in which certain ways of accessing computers remotely were left unprotected on government-related devices, potentially exposing federal networks to major cyber threats. 

The report also found multiple instances of exposed managed file transfer tools like the popular MOVEit solution developed by Progress Software, which was recently exploited by a notorious ransomware gang. 

"This directive didn't just come out of thin air," said Bill Wright, head of governmental affairs for the security firm Elastic. "It has been a persistent issue and comes on the heels of a number of recent cyber incidents where attackers identified and leveraged zero-day vulnerabilities within widespread networking products." 

Wright told Nextgov/FCW that threat actors are increasingly scanning government networks for system vulnerabilities that can be exploited, which has since led "to a call for organizations to enhance their capacity to identify, investigate and remediate cyber threats.

"While not explicit, the directive underscores the need for federal agencies to step up their logging capabilities," he added.

CISA Director Jen Easterly confirmed in a phone call with reporters earlier this month that multiple federal agencies were impacted by the exploit, though she added that her agency was "not tracking a significant impact against the civilian .gov enterprise."

The extent of the impact the MOVEit exploit had on federal networks and sensitive data remains unclear, though Progress Software products are found across a wide array of federal agencies, the military and the Intelligence Community, including the Army, the Centers for Disease Control and the State Department, according to federal contracting records.

The researchers also discovered more than 150 examples of end-of-life software across federal civilian networks, potentially exposing those systems to emerging cyber threats. The report notes that CISA gave agencies 14 days to take action in compliance with its recent BOD by either securing specified devices under a zero trust framework, or removing the device from the public internet.