DevSecOps

CISA Secure by Design Alert How Manufacturers Can Protect Customers by Eliminating Default Passwords

    Posted Dec 15, 2023 09:36:00 AM

    Hi All,

    CISA just published Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords.

    Malicious cyber actors continue to exploit default passwords (e.g., "1234," "default," "password") on internet-exposed systems to gain initial access to, and move laterally within, organizations. Threat actors, including Islamic Revolutionary Guard Corps (IRGC)-affiliated actors, have been successful in compromising critical infrastructure systems in the United States by exploiting operational technology (OT) products sold by manufacturers with passwords set to a static default. CISA is releasing this Alert, based upon recent and ongoing threat activity, to urge every technology manufacturer to eliminate default passwords in the design, release, and update of all products. Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations.



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe
    ------------------------------