The U.S. government is warning enterprises about ongoing attacks against uninterruptible power supplies (UPS) that are accessible from the Internet, and encouraging defenders to take steps immediately to lock down those devices and to mitigate the potential effects of an attack.
Until relatively recently, UPS devices were mostly offline, kept under desks or in wiring closets, humming away and waiting for the chance to do their jobs during a power outage. But in the last few years, many manufacturers have added Internet connections and other features to their UPS devices to enable remote monitoring and administration. Those features are handy for administrators, but they can also make the devices attractive targets for attackers who see them as convenient footholds in enterprise networks.
“The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords,” a new advisory from CISA and the Department of Energy published Tuesday says.
UPS devices, like many other Internet-connected non-computing devices, often come with factory-installed credentials that are meant to be changed by each user after installation. However, not every organization takes the time to do that, and the default credentials often become known publicly, making them valuable tools for attackers. Changing the default credentials is a key first-line mitigation for attacks on UPS devices, as is ensuring that they are only accessible from a VPN. “Check if your UPS’s username/password is still set to the factory default. If it is, update your UPS username/password so that it no longer matches the default. This ensures that going forward, threat actors cannot use their knowledge of default passwords to access your UPS,” the CISA advisory says.
CISA also recommended that enterprises enforce the use of multifactor authentication on any UPS devices connected to the Internet.
The threats to UPS devices are by no means theoretical. Three weeks ago, security firm Armis disclosed three serious vulnerabilities in many of the Internet-connected UPS models manufactured by APC, a subsidiary of Schneider Electric. Two of the bugs are in the TLS implementation in the devices and can allow an attacker to bypass the authentication mechanism.
“An attacker just needs to intercept the TLS connection from the UPS to the APC cloud. On the same network it can be done using arp poisoning, DNS poisoning or any other MITM (Man in the middle) technique. On the internet, DNS cache poisoning is the most common way of initiating these types of attacks. Once the attacker intercepts the connection, executing code over the UPS is trivial using a malicious firmware upgrade,” Barak Hadad, head of research at Armis, said.
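As an added illustration of the controls CISA describes above (no default accounts, VPN-only management access) and the firmware-upgrade path Armis describes, here is a small detection routine run over sample management-plane logs. It is not code from CISA, Armis or any UPS vendor, and it assumes a constructed key=value log format, a hypothetical VPN range (10.8.0.0/24), a hypothetical approved maintenance host, and a placeholder default username.

```python
import ipaddress
import re

# Assumptions (not from the advisory): UPS management-plane logs are collected
# centrally in a key=value syslog style, administrators reach the UPS only via
# the VPN range below, and firmware is pushed only from the listed host.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/24")]
APPROVED_FIRMWARE_HOSTS = {ipaddress.ip_address("10.8.0.5")}
# Placeholder: fill from the vendor manual for the models you operate.
DEFAULT_USERNAMES = {"factory-default-user"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<facility>auth|firmware): (?P<kv>.*)$")

def parse_line(line):
    """One log line -> dict of fields; {} for lines the parser does not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields.update(ts=m.group("ts"), device=m.group("device"), facility=m.group("facility"))
    return fields

def findings(lines):
    """Flag default-account logins, logins from outside the VPN, and firmware
    upgrades pushed from anywhere but the approved maintenance host."""
    out = []
    for line in lines:
        ev = parse_line(line)
        src = ev.get("src")
        if not src:
            continue
        addr = ipaddress.ip_address(src)
        who = f"{ev['device']} user={ev.get('user')} src={src}"
        if ev["facility"] == "auth" and ev.get("result") == "success":
            if ev.get("user") in DEFAULT_USERNAMES:
                out.append(f"DEFAULT-ACCOUNT-LOGIN {who}")
            if not any(addr in net for net in VPN_RANGES):
                out.append(f"LOGIN-OUTSIDE-VPN {who}")
        elif ev["facility"] == "firmware" and ev.get("action") == "upgrade":
            if addr not in APPROVED_FIRMWARE_HOSTS:
                out.append(f"UNAPPROVED-FIRMWARE-UPGRADE {who}")
    return out

# Constructed sample; 203.0.113.0/24 is a documentation range standing in for the Internet.
SAMPLE_LOG = [
    "2022-03-29T10:15:02Z ups-01 auth: user=ops.alice src=10.8.0.12 result=success",
    "2022-03-29T10:16:40Z ups-01 auth: user=factory-default-user src=203.0.113.7 result=success",
    "2022-03-29T10:20:44Z ups-01 firmware: action=upgrade user=factory-default-user src=203.0.113.7 result=started",
    "2022-03-29T10:21:09Z ups-02 auth: user=ops.bob src=203.0.113.9 result=failure",
]
```

Running `findings(SAMPLE_LOG)` yields three findings for the second and third lines (default account, login from outside the VPN, and a firmware upgrade from an unapproved source), while the failed login and the in-VPN login produce none.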
CISA is asking organizations that have incidents or odd activity around UPS devices to report them to the agency.