The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy released a joint advisory warning for U.S. organizations to secure Internet-connected uninterruptible power supply (UPS) devices from ongoing cyber assaults.
UPS devices are regularly used as emergency power backup solutions in mission-critical environments and are also equipped with internet of things (IoT) capabilities, enabling administrators to carry out power monitoring and routine maintenance remotely. But as is often the case, the same features also expose them to malicious attacks.
"The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords," the federal agencies said.
"Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet."
To safeguard against such threats, CISA and DoE are recommending that concerned entities ensure all UPS systems are disconnected from the internet. If keeping the management interfaces off the internet is not viable, admins are advised to put the devices behind a virtual private network (VPN), enable multifactor authentication (MFA), and use strong passwords or passphrases in accordance with National Institute of Standards and Technology guidelines.
Additionally, the advisory recommends auditing usernames and passwords to ensure that they are not still factory defaults or otherwise easily guessed or cracked. U.S. organizations are also urged to enforce login timeout/lockout policies to mitigate these ongoing assaults against UPSs and similar systems.
Besides default credentials, malicious actors can also exploit critical security flaws to take over uninterruptible power supply (UPS) devices remotely, allowing them to burn the devices out or cut power from afar.
The warnings come three weeks after security firm Armis uncovered multiple high-impact vulnerabilities in APC Smart-UPS devices that could be exploited remotely by unauthenticated attackers, without user interaction, to turn the devices into a physical weapon. Two of the main vulnerabilities are flaws in SmartConnect's TLS implementation – the first is a buffer overflow memory bug, and the second is a problem with the way SmartConnect's TLS handshake works.