We’ve received incident reports of New Zealand servers which have been included in wide-scale scanning/brute force attacks. These attacks performed scans across large IP ranges to identify open ports. Once identified, attackers used dictionaries of default and common credentials to perform brute force attacks.
Below are some steps that you can follow to start identifying and remediating any default credentials in your environment and some tips on making it easier to manage in the future.
Assess the hardware and software used
To understand all the ways a user can authenticate, assess the hardware and software you use. There are a few ways to do this:
1 If your organisation has an asset management process, you can review each type of IT asset. This means reviewing the authentication methods for your systems, including:
- routers
- VOIP phones
- wireless access points
- any other network devices.
A configuration management database (CMDB), if you have one, can help identify those IT assets.
2 Scan your internal network to identify what hardware is connected and what software is running. You can scan your network using software discovery and inventory tools, such as the software inventory in Microsoft System Center Configuration Manager (SCCM), or using vulnerability scanning tools, such as Nessus or OpenVAS.
This step can be time consuming, so prioritise based on risk. Assess internet-facing and business-critical services first. Then check your environment for hardware or software that has known default credentials. For example, you could check whether products listed on sites like www.defaultpassword.com are currently in your environment.
If you can’t find the credentials for a default account, review any authentication logs you have. They will show whether the account was ever accessed and, if so, when and from where.
Before changing the password, also check the authentication logs for regular logins from other systems: the account may be used by another service, and changing the password could cause that service to fail and affect your operations. This should not stop you from changing it; it just means you may need to update the dependent service after the password is changed.
Embed credential management into other processes
Add a check for default credentials in your onboarding processes. The hardware and software you use changes over time. Adding this step to your existing processes reduces the effort you need to put into ongoing management.
New devices may be built from a standard build, or there may be a hardening guideline that is followed to secure them. Make sure this process includes changing the password of any default accounts and storing it in a secure location. If these default accounts are no longer required after initial configuration, make sure this process also includes disabling those accounts.
Monitoring credentials
Over time, new devices may miss the onboarding process or get factory reset, resulting in default credentials being left in place. For example, if a product comes with default credentials and the product is factory reset, the password could revert to its original, default value. If this happens you’ll need to update the credentials again.
To get additional assurance, consider monitoring default accounts. For example you could configure alerts to trigger every time a default account is accessed. Or you could use a vulnerability scanning tool every couple of months to determine if any default or common passwords are in use.
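The log review suggested above (was a default account ever accessed, and is it used regularly from one source) and the monitoring described here (alert on every login to a default account) both come down to parsing authentication logs. The following Python script is an added example, not part of the original guidance or of any product: it runs over a constructed sample of OpenSSH `sshd` log lines for two hypothetical hosts (gw01, ap-03), using an illustrative list of default account names and an assumed year for the year-less syslog timestamps. It reports per-account usage, flags sources that fit the scan-and-brute-force pattern from the incident reports, detects a success that follows a run of failures from the same source, and produces an alert for every successful login to a default account.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of OpenSSH authentication log lines (syslog format), not
# real data: logins against hypothetical hosts gw01 and ap-03.
SAMPLE_AUTH_LOG = """\
Mar 12 02:00:01 gw01 sshd[2100]: Accepted publickey for backup from 10.0.0.12 port 55000 ssh2
Mar 12 03:14:07 gw01 sshd[2211]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 12 03:14:08 gw01 sshd[2213]: Failed password for invalid user pi from 198.51.100.7 port 40002 ssh2
Mar 12 03:14:09 gw01 sshd[2215]: Failed password for invalid user ubnt from 198.51.100.7 port 40003 ssh2
Mar 12 03:14:10 gw01 sshd[2217]: Failed password for admin from 198.51.100.7 port 40004 ssh2
Mar 12 03:14:11 gw01 sshd[2219]: Accepted password for admin from 198.51.100.7 port 40005 ssh2
Mar 13 02:00:01 gw01 sshd[3100]: Accepted publickey for backup from 10.0.0.12 port 55001 ssh2
Mar 13 09:42:55 ap-03 sshd[412]: Accepted password for admin from 10.0.0.50 port 61002 ssh2
Mar 13 09:43:30 ap-03 sshd[415]: Failed password for cisco from 203.0.113.9 port 33001 ssh2
"""

# Illustrative set of account names that commonly ship as defaults on network
# gear; an assumption for this example, not a vendor reference.
DEFAULT_ACCOUNTS = {"admin", "root", "pi", "ubnt", "cisco"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Parse sshd auth lines into event dicts; non-matching lines are skipped.
    Syslog timestamps carry no year, so one is supplied (2024 assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def default_account_usage(events, default_accounts=DEFAULT_ACCOUNTS):
    """Per default account: was it ever logged into, when last, and from where.
    Regular successes from a single internal source suggest another service
    depends on the account, which is worth knowing before the password changes."""
    usage = {}
    for e in events:
        if e["user"] not in default_accounts:
            continue
        u = usage.setdefault(e["user"], {"successes": 0, "failures": 0, "last_success": None,
                                         "success_sources": set(), "hosts": set()})
        u["hosts"].add(e["host"])
        if e["ok"]:
            u["successes"] += 1
            u["success_sources"].add(e["src"])
            if u["last_success"] is None or e["ts"] > u["last_success"]:
                u["last_success"] = e["ts"]
        else:
            u["failures"] += 1
    return usage


def brute_force_sources(events, threshold=3):
    """Sources with at least `threshold` failed password logins: the
    dictionary-guessing pattern from the incident reports."""
    failed = Counter(e["src"] for e in events if not e["ok"] and e["method"] == "password")
    return {src: n for src, n in failed.items() if n >= threshold}


def guessed_logins(events, window_seconds=300, min_failures=3):
    """Successful password logins preceded within `window_seconds` by at least
    `min_failures` failures from the same source: a guess that found a working
    (often default) credential."""
    hits, by_src = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["method"] != "password":
            continue
        if e["ok"]:
            recent = [f for f in by_src[e["src"]]
                      if (e["ts"] - f["ts"]).total_seconds() <= window_seconds]
            if len(recent) >= min_failures:
                hits.append({"ts": e["ts"].isoformat(), "host": e["host"], "user": e["user"],
                             "src": e["src"], "prior_failures": len(recent)})
        else:
            by_src[e["src"]].append(e)
    return hits


def default_account_alerts(events, default_accounts=DEFAULT_ACCOUNTS, trusted_sources=frozenset()):
    """One alert per successful login to a default account. Logins from listed
    trusted sources (e.g. a known jump host) are downgraded, not suppressed, so
    an attacker pivoting through one is still visible."""
    alerts = []
    for e in events:
        if e["ok"] and e["user"] in default_accounts:
            severity = "medium" if e["src"] in trusted_sources else "high"
            alerts.append({"ts": e["ts"].isoformat(), "host": e["host"], "user": e["user"],
                           "src": e["src"], "severity": severity})
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, u in sorted(default_account_usage(evs).items()):
        print(user, u["successes"], u["last_success"], sorted(u["success_sources"]))
    print("brute-force sources:", brute_force_sources(evs))
    print("guessed logins:", guessed_logins(evs))
    print("alerts:", default_account_alerts(evs, trusted_sources={"10.0.0.50"}))
```

On the sample, `admin` on gw01 is first guessed by 198.51.100.7 after four failures and then logged into, which is exactly the case to treat as a compromise rather than a housekeeping item; the `backup` key-based logins from 10.0.0.12 are ignored because that account is not in the default list. For a real deployment, feed the parser from the hosts' forwarded auth logs and raise the `high` alerts into whatever the team already monitors.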
Managing default credentials is one control to strengthen your network security - there are multiple components of authentication and credential management, and default credentials are just one of them. We explain a few of the other controls, like multi-factor authentication, password standards, and the principle of least privilege, in other sections of the website.