CISA urges tech manufacturers to get rid of default passwords

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to stop providing software and hardware with default passwords to eliminate risks that could be exploited by malicious actors to gain initial access to and move laterally within organizations.

“This SbD Alert urges technology manufacturers to proactively eliminate the risk of default password exploitation” by taking “ownership of customer security outcomes” and building “organizational structure and leadership to achieve these goals,” CISA said.

“By implementing these two principles in their design, development, and delivery processes, software manufacturers will prevent exploitation of static default passwords in their customers' systems. Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations,” the agency added.

CISA has urged manufacturers to “publish their own secure by design roadmap to demonstrate that they are not simply implementing tactical controls but are strategically rethinking their responsibility in keeping customers safe.”

Earlier this month, CISA and Israeli authorities revealed that Cyber Av3ngers, an Iran-backed hacker group affiliated with the Islamic Revolutionary Guard Corps, breached multiple US-based Water and Wastewater Systems (WWS) facilities that operate Unitronics Vision Series PLCs with an HMI, most likely by compromising internet-accessible devices that still carried the default password (1111).
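To make the design change CISA is asking for concrete, here is an added illustration (not CISA's, Unitronics' or any vendor's code) contrasting the static-default login the alert targets with a device credential store that cannot authenticate anyone until the owner provisions it. The factory default "1111" comes from the alert; the state handling, the 8-character minimum and the per-unit setup code standing in for a value printed on the device label are assumptions made for the example.

```python
"""Device credential store that refuses to operate on a static default.

Added example, not code from the CISA alert or any PLC vendor. Only the
default "1111" is from the alert; the rest is constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets

# Constructed list of values a secure-by-default device should never accept.
KNOWN_DEFAULTS = {"", "1111", "1234", "admin", "password"}


def legacy_login(password, default="1111"):
    """The pattern the alert targets: one shared default accepted out of the box."""
    return hmac.compare_digest(password.encode(), default.encode())


class DeviceAuth:
    """Ships unprovisioned; every login fails until the owner sets a password."""

    def __init__(self, setup_code=None):
        # Assumed per-unit setup code, standing in for a label on the device.
        self.setup_code = setup_code or secrets.token_hex(4)
        self._salt = None
        self._hash = None

    @property
    def provisioned(self):
        return self._hash is not None

    def set_password(self, setup_code, new_password):
        """First-boot provisioning: needs this unit's code, rejects defaults."""
        if not hmac.compare_digest(setup_code.encode(), self.setup_code.encode()):
            return False
        if (new_password in KNOWN_DEFAULTS or len(new_password) < 8
                or new_password.isdigit()):
            return False
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), self._salt, 100_000)
        return True

    def login(self, password):
        """No value, including the old factory default, works before provisioning."""
        if not self.provisioned:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(cand, self._hash)
```

The point of the contrast is that the secure variant removes the customer's "remember to change it" step entirely: the device has no usable credential until one is deliberately set, and the setup code is unique per unit rather than shared across the product line.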
