Mar 30 2022

CISA and DoE warn of attacks targeting UPS devices

Category: Cyber Attack | DISC @ 8:30 am

The US CISA and the Department of Energy issued guidance on mitigating attacks against uninterruptible power supply (UPS) devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy published joint guidance on mitigating cyber attacks against uninterruptible power supply (UPS) devices.

The US agencies warn of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices by exploiting default credentials.

UPS devices provide clean and emergency power in a variety of applications when normal input power sources are interrupted for various reasons.

The guidance recommends that organizations immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet. Where a UPS device must be accessible online, the guidance recommends the following controls:

  • Ensure the devices are accessible through a virtual private network.
  • Enforce multifactor authentication.
  • Use strong passwords or passphrases in accordance with National Institute of Standards and Technology guidelines (for a humorous explanation of password strength, see XKCD 936).

CISA recommends that organizations check whether their UPS credentials are still set to the factory default.

Additional information, including incident response best practices, is included in the “Mitigating Attacks Against Uninterruptible Power Supply Devices” guidance.

Tags: CISA, DoE, UPS devices


Mar 10 2022

TLStorm flaws allow attackers to remotely manipulate the power of millions of enterprise UPS devices

Category: Remote code, Security vulnerabilities | DISC @ 10:33 am

Three flaws in APC Smart-UPS devices, tracked as TLStorm, could be exploited by remote attackers to hack and destroy them.

Researchers from IoT security company Armis have discovered three high-impact security flaws, collectively tracked as TLStorm, affecting APC Smart-UPS devices.

The flaws can allow remote attackers to manipulate the power of millions of enterprise devices and carry out extreme cyber-physical attacks.

Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical systems.

“If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.” reads the analysis published by Armis.

According to the researchers, APC has over 20 million devices worldwide, and almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.

Two of the TLStorm vulnerabilities reside in the TLS implementation used by Cloud-connected Smart-UPS devices, while the third one is a design flaw in the firmware upgrade process of Smart-UPS devices.

The researchers discovered that the firmware upgrades are not properly signed and validated.

This third flaw could be exploited by an attacker to achieve persistence by planting a malicious update on vulnerable UPS devices.

Below is the list of the flaws discovered by the experts:

  • CVE-2022-22806 – TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
  • CVE-2022-22805 – TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
  • CVE-2022-0715 – Unsigned firmware upgrade that can be updated over the network (RCE).

An attacker can trigger one of the above issues to gain remote code execution on vulnerable devices and interfere with the operation of the UPS to cause physical damage.

“The fact that UPS devices regulate high voltage power, combined with their Internet connectivity—makes them a high-value cyber-physical target. In the television series Mr. Robot, bad actors cause an explosion using an APC UPS device.” continues Armis. “However, this is no longer a fictional attack. By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke.”

Experts pointed out that vulnerabilities in the firmware upgrade process are often abused by sophisticated APT groups.

Armis reported the flaws to Schneider Electric’s APC on October 31, 2021; the vendor addressed them with the release of Patch Tuesday security updates on March 8, 2022.

“UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications.” concludes the report. “It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However, traditional security solutions do not cover these assets. As a result, they remain “unseen” and therefore expose the organization to significant risk.”

Tags: TLStorm flaws, UPS devices