Organizations Urged to Replace Discontinued Edge Devices

US and UK government agencies this week warned of the risks posed by discontinued edge devices, urging organizations to replace them as soon as possible.

Edge devices include firewalls, IoT devices, load balancers, network security appliances, routers, switches, wireless access points, and other software and hardware appliances that route network traffic.

Edge devices that have reached end-of-support (EOS) status and no longer receive security updates pose a significant risk to federal networks and enterprise environments, as they are often targeted by state-sponsored threat actors for network access, persistence, and data theft, the US says.

“Nation-state threat actors can exploit these devices as entry points to access modern, supported environments, placing organizations’ data, services, and overall security at serious risk. EOS devices may also cause compatibility issues that disrupt productivity,” CISA, the FBI, and the UK’s NCSC note in a fresh alert (PDF).

Organizations are advised to proactively monitor networks for discontinued edge devices and replace them to improve their security posture, the government agencies say.

On Thursday, CISA issued Binding Operational Directive 26-02: Mitigating Risk From End-of-Support Edge Devices, urging federal agencies to act immediately and address the risks posed by edge devices that are no longer maintained.

“CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices. Recent public reports of campaigns targeting certain vendors highlight actors’ attempts to use these devices as a means to pivot into FCEB information system networks,” CISA notes.

These devices, CISA points out, are especially vulnerable to exploits targeting newly disclosed security defects that remain unpatched due to lack of support and expose federal networks to “disproportionate and unacceptable risks”.

Per BOD 26-02, federal agencies are required to immediately update supported edge devices that run EOS software to supported software versions and inventory all devices that are included in CISA’s EOS edge device list within the next three months.

Within a year, federal agencies should decommission identified devices in CISA’s EOS edge device list, as well as all edge devices that are EOS or will become EOS within the succeeding year.

CISA also ordered federal agencies to decommission all identified EOS edge devices within the next 18 months, and within 24 months to establish a process for continuous discovery of edge devices in their networks.
