On April 1, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) warned that hackers were targeting uninterruptible power supply (UPS) devices. Unfortunately, it was not an April Fool’s joke.
But wait, there’s more. Two weeks before that, on March 14, 2022, the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued advisory 2022-035. It detailed three vulnerabilities that were discovered in APC brand UPSs. At the time of the report, MS-ISAC said it was unaware of these vulnerabilities being exploited in the wild. We know that correlation is not causation, but maybe there is a relationship there.
The vulnerabilities were discovered a week earlier (on March 8, 2022) by security research firm Armis Inc. The researchers exploited the vulnerabilities over the network in their lab. They managed to cause the UPS to catch fire in at least one instance. These are pretty severe real-world consequences, particularly in light of where you might find a UPS: places like data centers and hospitals, or perhaps the networking closet at your business.
I’m not going to cover the technical details of the vulnerabilities here. There’s plenty of information about that already. The fact is that the technical details don’t matter. They’re interesting to some of us, sure. But it is straightforward to guard against this threat. Very little technical expertise is required.
What Happened
In a nutshell – businesses connected a device with known vulnerabilities directly to the internet and left the default login credentials in place. This device is part of their physical infrastructure and their disaster failover plan, and it is usually located in sensitive areas. It sounds silly when you say it like that.
One important thing to understand is that there are tools available, many of them free, which will scan for APC UPS devices. They aren’t hard to find. So, “hiding” or “security through obscurity” is not a successful strategy. It never is. So, what should be done differently?
In this scenario, there are three main opportunities for improvement. All of them can be addressed with basic cyber security best practices. Internet hygiene, if you will.
- The UPS is connected directly to the internet.
First, just because something can be connected to the internet doesn’t mean it should be connected. Do your UPS devices really need to be remotely accessible? That should be a conscious decision made with enterprise risk in mind. If they don’t need to be accessible remotely, don’t connect them. The issue goes away simply by not plugging in the network cable to the UPS.
Basic security architecture concepts should be followed if they need to be available from outside your network. Their network connections should be in a network demilitarized zone (DMZ). If that device gets compromised, it should not be able to get into your internal protected network. While we’re at it, let’s put it behind a firewall and a VPN. Only specific people would need access to that device. We can control that through VPN access controls. Any networked device needs to have these basic protections in place.
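As an added illustration (not part of the original post), here is a minimal nftables ruleset for the gateway that implements the layout just described: the UPS management card sits in a DMZ, only the address pool handed to authenticated VPN users may reach its management port, and the DMZ host cannot initiate anything toward the internal network. The addresses, interface names and port are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: gateway rules for a UPS network management card in a DMZ.
# Constructed placeholders, not real addresses: adjust to your own addressing.
#   192.0.2.10     UPS management card (DMZ segment)
#   10.0.0.0/8     internal protected network
#   10.200.0.0/24  address pool assigned to authenticated VPN users
#   443            HTTPS management port on the card
define ups_card = 192.0.2.10
define internal_net = 10.0.0.0/8
define vpn_pool = 10.200.0.0/24
define ups_mgmt_port = 443

table inet ups_dmz {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Allow replies to connections that were already permitted.
        ct state established,related accept

        # Only VPN users, after authenticating, may reach the management port.
        # There is deliberately no rule for the public internet, so the card
        # is never directly exposed.
        ip saddr $vpn_pool ip daddr $ups_card tcp dport $ups_mgmt_port accept

        # A compromised card must not be able to pivot into the internal network.
        ip saddr $ups_card ip daddr $internal_net counter drop

        # Everything else crossing the gateway falls through to the drop policy;
        # count and log it so exposure attempts show up in your monitoring.
        counter log prefix "ups-dmz-drop: "
    }
}
```

If the card must send syslog or SNMP traps to an internal collector, add one narrow rule for that single destination and port rather than opening the segment.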
- The UPS contains vulnerabilities.
Many companies have “vulnerability management plans” around ensuring that their servers, workstations, and network devices and applications are patched regularly. Is your physical infrastructure included on that list? Your server’s motherboard firmware, your Integrated Lights Out (ILO) management system? Your “Keyboard, Video, Mouse” (KVM) devices?
The vulnerabilities that Armis discovered, I believe, were so-called zero-day. In other words, they had not been previously found. At least not as far as we know. The bad guys usually don’t share the vulnerabilities they discover. But look at the timeline. It was a scant three weeks between the publication of the vulnerabilities and the announcement by CISA that they were detecting attackers targeting internet-connected UPS devices. That’s less than one “patch cycle.”
When the vulnerabilities were announced, the article stated that the vendor had patches available for them. But the problem is that companies don’t apply patches as quickly as they should. Sometimes their processes (or lack thereof) get in the way. That’s another topic for another day. The takeaway is that patches were available the day the vulnerabilities were announced. Within three weeks of the announcement, UPS devices were being actively exploited in the wild. Could your company have responded quickly enough? If not, having the network controls detailed under the first point above would have bought you some time.
- The UPS continued to use default login credentials.
This one pretty much speaks for itself. Some devices come preconfigured with a default username and password. This account is usually an Administrator-level account that allows you to go into the application and create your accounts and access levels. It’s essential to note that if the default user is compromised, the attacker owns the device and can add or remove any or all other accounts. Particularly if a device is connected to the internet, it is critical to at least change the default password. One step better is to disable or delete the account once you’ve created an Administrator account for yourself.
Northstarr Recommendations
Any network-connected device is vulnerable to the same kinds of attacks as your workstations and servers. The same basic rules apply, whether a network device, a printer, or an Uninterruptible Power Supply. Protect it with layers of security, patch it appropriately, and follow basic security best practices, like not leaving the default account credentials active on the system. The internet is a fantastic place, but it can also be risky, maybe even dangerous. Be careful out there.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!