The United States Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to eliminate default passwords entirely on Internet-exposed systems, citing serious risks that malicious actors could exploit to gain initial access and move laterally within organizations.

However, it should be noted that using default passwords remains fairly common practice, although it is strongly discouraged in the IT sector.

Why CISA urges you not to use default passwords

In an advisory published last week, the agency cited Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) exploiting operational technology (OT) devices with default passwords to gain access to critical infrastructure systems in the United States.

“Default passwords” refers to the factory-default configurations of embedded systems, devices and equipment, which are typically publicly documented and identical across all systems within a vendor's product line.

As a result, cybercriminals around the world can look for Internet-exposed endpoints using tools such as Shodan and attempt to log in with default passwords, often gaining root or administrative privileges that allow post-exploitation actions, depending on the type of system.

“Equipment that comes with a preset username and password combination poses a serious threat to organizations that do not modify it after installation, as they are easy targets for an adversary,” says MITRE.

Earlier this month, CISA revealed that cybercriminals affiliated with the IRGC, using the Cyber Av3ngers persona, are actively targeting and compromising Israeli-made Unitronics Vision series programmable logic controllers that are publicly exposed to the Internet, through the use of default passwords (“1111”).

“In these attacks, the default password was widely known and advertised on open forums where threat actors are known to seek information they can use to breach US systems,” the agency added.

As preventive measures, manufacturers are urged to follow secure-by-design principles and to ship unique setup passwords with the product, or to disable such passwords after a predefined period of time and require users to enable phishing-resistant multi-factor authentication (MFA).

The agency also advised vendors to conduct field tests to determine how customers deploy the products in their environments and whether those deployments rely on insecure mechanisms.

“Analysis of these field tests will help bridge the gap between developer expectations and the actual use of the product by the customer,” CISA said in its guidelines.

The disclosure comes as Israel's National Cyber Security Directorate (INCD) has attributed responsibility for orchestrating targeted cyber attacks on the country's critical infrastructure, during its ongoing war with Hamas that began in 2023, to a Lebanese cybercriminal with links to the Iranian Ministry of Intelligence.

The attacks, which involve the exploitation of known security vulnerabilities (e.g. CVE-2018-13379) to obtain sensitive information and distribute destructive malware, have been linked to an attack group called Plaid Rain (formerly Polonium).

The development also follows the publication of a new CISA advisory that outlines security countermeasures for healthcare and critical infrastructure entities to harden their networks against possible malicious activity and reduce the likelihood of domain compromise:

Enforce the use of strong passwords and phishing-resistant MFA;

Make sure that only ports, protocols and services with a valid business need are running on each system;

Configure service accounts with only the permissions necessary for the services they manage;

Change all default passwords for applications, operating systems, routers, firewalls, wireless access points and other systems;

Stop reusing or sharing administrative credentials between user/administrator accounts;

Enforce consistent patch and update management;

Implement network controls;

Evaluate the use of unsupported hardware and software and discontinue its use if possible;

Encrypt personally identifiable information (PII) and other sensitive data.
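Several of the countermeasures above (default passwords, unapproved listening ports, shared administrative credentials, unsupported firmware) can be checked mechanically against an asset inventory. The following script is an added example, not code from CISA or from the advisory: it audits a small, constructed inventory of devices against a constructed table of vendor default credentials and a per-role port allowlist. The “1111” Unitronics default appears on the page; every other vendor name, credential, port and device record here is invented for the demonstration. Passwords are held only as SHA-256 digests, so the inventory file itself never carries cleartext secrets.

```python
import hashlib
import hmac
from dataclasses import dataclass
from collections import defaultdict

# Constructed table of known vendor defaults, keyed by (vendor, username).
# "1111" is the Unitronics Vision default cited on the page; the router
# entry is a hypothetical placeholder vendor.
DEFAULT_CREDENTIALS = {
    ("unitronics-vision", "admin"): "1111",
    ("example-router-vendor", "admin"): "admin",
}

# Constructed allowlist: ports with a documented business need, per device role.
PORT_ALLOWLIST = {
    "plc": {502},          # Modbus/TCP only
    "router": {22, 443},   # SSH and HTTPS management
}


@dataclass
class Device:
    name: str
    vendor: str
    role: str
    username: str
    password_sha256: str      # hex SHA-256 of the configured password
    open_ports: set
    firmware_supported: bool  # False when the vendor no longer ships fixes


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def audit_device(dev):
    """Return a list of finding codes for one device (empty list = clean)."""
    findings = []
    default_pw = DEFAULT_CREDENTIALS.get((dev.vendor, dev.username))
    # Compare digests in constant time; the device still uses the factory default
    # if its configured password hashes to the documented default.
    if default_pw is not None and hmac.compare_digest(
            sha256_hex(default_pw), dev.password_sha256):
        findings.append("default-password")
    extra = dev.open_ports - PORT_ALLOWLIST.get(dev.role, set())
    if extra:
        findings.append("unapproved-ports:" + ",".join(str(p) for p in sorted(extra)))
    if not dev.firmware_supported:
        findings.append("unsupported-firmware")
    return findings


def audit_inventory(devices):
    return {d.name: audit_device(d) for d in devices}


def shared_admin_credentials(devices):
    """Group device names that share an identical password digest (credential reuse)."""
    by_hash = defaultdict(list)
    for d in devices:
        by_hash[d.password_sha256].append(d.name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


# Constructed sample inventory (hypothetical device records).
SAMPLE_INVENTORY = [
    Device("plc-01", "unitronics-vision", "plc", "admin",
           sha256_hex("1111"), {502, 23}, firmware_supported=False),
    Device("plc-02", "unitronics-vision", "plc", "admin",
           sha256_hex("rotated-at-commissioning-2023"), {502}, firmware_supported=True),
    Device("rtr-01", "example-router-vendor", "router", "admin",
           sha256_hex("Shared!Between!Routers"), {22, 443}, firmware_supported=True),
    Device("rtr-02", "example-router-vendor", "router", "admin",
           sha256_hex("Shared!Between!Routers"), {22, 443}, firmware_supported=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, findings or "clean")
    print("shared credentials:", shared_admin_credentials(SAMPLE_INVENTORY))
```

In a real deployment the inventory would be generated from configuration exports and a port scan of the organization's own address space, and the default-credential table would be populated from vendor documentation; the audit logic itself stays the same.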

Additionally, the US National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI) and CISA have published a list of best practices that organizations can adopt to strengthen the software supply chain and improve the security of their open source software management processes.

“Organizations that do not follow a consistent and secure management practice for the open source software they use are more prone to becoming vulnerable to known exploits in open source packages and experience greater difficulty responding to an incident,” said Aeva Black, open source software security lead at CISA.