The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a strong recommendation urging manufacturers to eliminate default passwords on systems exposed to the internet. The agency emphasizes that these types of passwords present significant risks, allowing malicious actors to gain unauthorized access and traverse networks within organizations.
In a recent alert, CISA spotlighted the activities of Iranian threat actors associated with the Islamic Revolutionary Guard Corps (IRGC). These actors have reportedly exploited operational technology devices that retained their factory-set passwords, compromising critical infrastructure systems in the United States. Default passwords are typically standardized across a vendor’s product line, so they are well known and publicly documented, which makes such devices easy targets for cybercriminals.
Threat actors utilize tools such as Shodan to identify internet-exposed devices, attempting to breach them with default credentials. Gaining access through these means often allows adversaries to achieve root or administrative privileges, thereby enabling them to perform post-exploitation actions that could lead to larger breaches within an organization. As noted by MITRE, systems with preset usernames and passwords pose substantial threats, especially when organizations do not change these credentials after installation.
CISA’s recent insights highlight a notable case in which IRGC-affiliated cyber actors, operating under the name Cyber Av3ngers, targeted Israeli-manufactured Unitronics Vision Series programmable logic controllers (PLCs). These devices, left exposed to the internet and protected merely by a commonly known default password, represent a significant vulnerability. The agency noted that such publicly documented passwords are routinely exchanged in forums where threat actors gather intelligence relevant to breaching U.S. systems.
To mitigate these risks, CISA has called on manufacturers to adopt secure-by-design principles. Companies should provide unique initial passwords with their devices and consider disabling default passwords after a set period. Additionally, the agency advocates for the implementation of multi-factor authentication (MFA) mechanisms that are resistant to phishing attacks.
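The secure-by-design recommendations above (a unique initial password per device, expiry of that factory credential after a set period, forced rotation on first use) can be modelled in a few lines. The following is an added illustration, not CISA's or any vendor's code; the 30-day lifetime, the 12-character minimum and the "lock out until physical reset" policy are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption for this example: an unused factory credential expires after 30 days.
INITIAL_PASSWORD_TTL = 30 * 24 * 3600
PBKDF2_ROUNDS = 100_000


@dataclass
class DeviceCredentials:
    serial: str
    salt: bytes
    pw_hash: bytes
    initial_issued_at: int  # epoch seconds; 0 once the factory password has been replaced


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision(serial: str, now: int) -> tuple[DeviceCredentials, str]:
    """Factory step: mint a per-unit initial password (e.g. printed on the device label).
    Every unit gets its own random value, so no shared, guessable default exists."""
    initial_pw = secrets.token_urlsafe(12)  # ~96 bits of entropy, distinct per device
    salt = secrets.token_bytes(16)
    return DeviceCredentials(serial, salt, _hash(initial_pw, salt), now), initial_pw


def authenticate(dev: DeviceCredentials, password: str, now: int) -> str:
    """Return 'ok', 'must_rotate' (factory password accepted once, change required) or 'denied'."""
    if not hmac.compare_digest(_hash(password, dev.salt), dev.pw_hash):
        return "denied"
    if dev.initial_issued_at:
        if now - dev.initial_issued_at > INITIAL_PASSWORD_TTL:
            return "denied"  # factory credential expired unused; hypothetical policy: physical reset
        return "must_rotate"
    return "ok"


def rotate(dev: DeviceCredentials, old: str, new: str, now: int) -> bool:
    """Replace the current password; refuses weak or unchanged values and re-salts the hash."""
    if authenticate(dev, old, now) == "denied" or len(new) < 12 or new == old:
        return False
    dev.salt = secrets.token_bytes(16)
    dev.pw_hash = _hash(new, dev.salt)
    dev.initial_issued_at = 0  # the device no longer carries a factory credential
    return True
```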
CISA further encourages manufacturers to perform field tests to gain a clearer understanding of how their products are used in real-world environments. Such analyses can identify potential shortcomings in the design and deployment of these systems, ensuring that security measures align with actual usage.
The urgency of addressing these issues is heightened by recent developments attributed to a Lebanese hacker group linked to the Iranian Ministry of Intelligence. This group has been involved in cyber operations against critical infrastructure in Israel amid escalating tensions resulting from the ongoing conflict with Hamas. Their tactics have included exploiting known vulnerabilities in software to extract sensitive information and deploy harmful malware.
In light of these developments, CISA has also released an advisory outlining best practices for the healthcare and critical infrastructure sectors to strengthen defenses against possible cyberattacks. The advisory emphasizes the importance of robust password policies, rigorous patch management, and an end to the practice of sharing administrative credentials across user accounts.
Additionally, government agencies including the NSA and the Office of the Director of National Intelligence have released guidance recommending that companies enhance the security of their open-source software management processes. Those that fail to implement consistent security practices are likely to become targets for threat actors exploiting known vulnerabilities.
Recognizing and addressing potential cybersecurity vulnerabilities, particularly those related to default passwords, remains a crucial priority for organizations in today’s threat landscape.