Hackers have now begun attacking internet-connected uninterruptible power supply (UPS) devices, targeting their control interfaces through multiple remote code execution vulnerabilities. In some cases they changed the default usernames and passwords, according to an advisory the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued on Tuesday.
In recent years UPS devices have been upgraded to become part of the internet of things (IoT), according to CISA, so that users can monitor and control them remotely over the internet. Like many other IoT devices, however, some UPSs have serious flaws in their security and authentication mechanisms, which attackers can exploit to gain illicit access to them.
CISA's central guidance in the advisory is to immediately take inventory of all UPS devices in use at an organization and, wherever possible, disconnect them from the internet entirely. Where devices must remain connected, the agency urges several mitigating steps: placing them behind a virtual private network, enforcing multifactor authentication, and auditing usernames and passwords to ensure they are not still factory defaults or otherwise easily guessed or cracked.
The UPS vulnerabilities were first discovered by security firm Armis earlier this month. According to Armis, several software vulnerabilities affect UPS devices made by Schneider Electric-owned APC, a leader in the UPS market. The key vulnerabilities were found in a feature on newer APC devices called SmartConnect, which connects the devices to the network and lets operators issue firmware updates and monitor and control them through a web portal.
Two of the main vulnerabilities being exploited involve flaws in SmartConnect's TLS implementation: the first is a buffer overflow, and the second is a problem in the way SmartConnect's TLS handshake works. A third vulnerability stems from the lack of cryptographic signature verification on firmware deployed to the affected devices. All three, the researchers said, can be exploited remotely and without any user interaction to upload maliciously crafted firmware, and a compromised UPS could then be used simply to cut power to any system it feeds. Other vectors such as USB sticks or LAN access could also be used to compromise vulnerable UPS systems, according to the Armis team.
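The missing check behind the third vulnerability is, on the defender's side, a short routine: a device must refuse to flash any firmware image whose signature does not verify against a pinned vendor public key. The following is an added example in Go, not APC's or Armis's code; the image layout (length header, payload, Ed25519 signature), the key handling and all names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not a real vendor format): 4-byte big-endian
// payload length, payload bytes, then a 64-byte Ed25519 signature computed
// over SHA-256(length header || payload).
const sigLen = ed25519.SignatureSize

// BuildSignedImage produces an update image signed with the vendor's private key.
func BuildSignedImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(payload)))
	body := append(hdr, payload...)
	digest := sha256.Sum256(body)
	return append(body, ed25519.Sign(priv, digest[:])...)
}

// VerifyImage checks framing and the signature against the pinned vendor key
// before handing back the payload that may be flashed; any mismatch is rejected.
func VerifyImage(vendorPub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 4+sigLen {
		return nil, errors.New("image too short")
	}
	n := binary.BigEndian.Uint32(img[:4])
	if uint64(n) != uint64(len(img)-4-sigLen) {
		return nil, errors.New("length field does not match image size")
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	digest := sha256.Sum256(body)
	if !ed25519.Verify(vendorPub, digest[:], sig) {
		return nil, errors.New("firmware signature invalid: refusing to flash")
	}
	return body[4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor key pair
	img := BuildSignedImage(priv, []byte("constructed firmware payload v1.2"))
	_, err := VerifyImage(pub, img)
	fmt.Println("genuine image accepted:", err == nil)
	tampered := append([]byte(nil), img...)
	tampered[6] ^= 0xff // flip one payload byte
	_, err = VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
}
```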
Patches are available for some affected devices, but not all. Like CISA, Schneider Electric has released its own advisory documents, which offer the same advice to disconnect all potentially affected devices from the internet until they can be fully patched.