Active attacks may cause critical infrastructure damage, business disruption, lateral movement, and other issues.
Uninterruptible power supply (UPS) equipment, which offers battery backup power during power surges and outages, is being targeted by cybercriminals. The stakes are high when UPS units are deployed in mission-critical locations to protect vital infrastructure installations, essential computer systems, and IT equipment.
According to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy, malicious individuals are primarily targeting internet-connected UPS versions using default usernames and passwords, though vulnerabilities such as the TLStorm bugs revealed earlier this month are also in the attacker toolbox.
According to a Tuesday advisory (PDF) from CISA, “in recent years, UPS vendors have incorporated an Internet of Things [IoT] capability, and UPSs are commonly coupled to networks for power monitoring, routine maintenance, and/or convenience. UPS loads can range from tiny (such as a few servers) to large (such as a building) to huge (such as a data centre).”
If attackers gain remote control of the devices, they can use them for a variety of malicious purposes. Bad actors can, for example, use them as a foothold from which to break into a company’s internal network and steal data. In a worst-case situation, they might cut power to mission-critical appliances, equipment, or services, resulting in physical injury in an industrial setting or in a disruption of commercial activity and large financial losses.
Furthermore, cybercriminals could remotely deploy malware to alter how UPSs function, or to physically damage them (or the devices connected to them).
“It’s easy to forget that any internet-connected device is at risk,” Tim Erlin, Tripwire’s vice president of strategy, said in an email, noting that the possibility of attack is real. “Just because a vendor gives you the capacity to connect a device to the internet doesn’t imply it’s secure. It is the responsibility of each business to guarantee that the systems they install are secure.”
As a result, those in charge of UPS maintenance (which CISA indicated might include IT staff, building operations personnel, industrial maintenance workers, or third-party monitoring service vendors) have a simple solution: inventory all UPSs and similar systems that are connected to the internet, and disconnect them from it.
If keeping an active IoT connection is a must, administrators should update the default credentials to a strong user-name-and-password combination – and preferably, multifactor authentication (MFA) as well, according to CISA. Other mitigations, according to CISA, include putting UPSs behind a virtual private network (VPN) and using login timeout/lockout capabilities to make sure the devices aren’t always online and exposed to the outside world.
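The mitigation steps above have two mechanical parts: triaging an inventory of UPS management interfaces against the CISA guidance (off the internet, no default credentials, MFA, VPN, lockout), and the login lockout rule itself. The following Python script is an added example, not code from the article or from CISA’s advisory; the device inventory, device names, thresholds and severity ordering are constructed assumptions, and nothing in it talks to a real device.

```python
"""Constructed example: triage a UPS management-interface inventory against
the mitigations in the CISA advisory and implement a login-lockout rule.
All records, names and numbers are made up for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class UpsDevice:
    name: str
    internet_exposed: bool      # management card reachable from the public internet
    default_credentials: bool   # vendor default username/password still in place
    mfa_enabled: bool
    lockout_enabled: bool
    behind_vpn: bool


# Constructed inventory; names and settings are placeholders, not real sites.
INVENTORY = [
    UpsDevice("ups-dc-rack01", True, True, False, False, False),
    UpsDevice("ups-building-east", True, False, False, True, False),
    UpsDevice("ups-lab-03", False, True, False, False, True),
    UpsDevice("ups-hq-core", False, False, True, True, True),
]

SEVERITY = {"critical": 0, "high": 1, "medium": 2}  # assumed ranking


def audit(devices: List[UpsDevice]) -> List[Tuple[str, str, str]]:
    """Return (severity, device, action) findings, most urgent first.
    Exposed + default credentials is the case CISA warns about, so it is
    ranked above everything else."""
    findings = []
    for d in devices:
        if d.internet_exposed and d.default_credentials:
            findings.append(("critical", d.name,
                             "remove from internet and change default credentials now"))
        elif d.internet_exposed and not d.behind_vpn:
            findings.append(("high", d.name,
                             "move management interface behind VPN or disconnect"))
        if d.default_credentials and not d.internet_exposed:
            findings.append(("medium", d.name, "change default credentials"))
        if d.internet_exposed and not d.mfa_enabled:
            findings.append(("high", d.name, "enable MFA"))
        if not d.lockout_enabled:
            findings.append(("medium", d.name, "enable login timeout/lockout"))
    # sort is stable, so findings for one device keep their insertion order
    findings.sort(key=lambda f: (SEVERITY[f[0]], f[1]))
    return findings


class LoginLockout:
    """Login lockout rule: after `threshold` failures within `window` seconds,
    lock the account for `lockout` seconds. A locked account rejects even a
    correct password until the lockout expires. Timestamps are plain floats
    so the logic can be exercised without a real clock."""

    def __init__(self, threshold: int = 5, window: float = 300, lockout: float = 900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures: Dict[str, List[float]] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def attempt(self, user: str, success: bool, now: float) -> str:
        """Record one login attempt; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"
        if success:
            self.failures.pop(user, None)   # a good login clears the counter
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            self.failures.pop(user, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    for sev, name, action in audit(INVENTORY):
        print(f"{sev:8} {name:20} {action}")
    guard = LoginLockout(threshold=3, window=60, lockout=600)
    # constructed event stream: three failures, then a correct password while locked
    for t, ok in [(0, False), (10, False), (20, False), (30, True), (700, True)]:
        print(f"t={t:4} success={ok!s:5} -> {guard.attempt('admin', ok, t)}")
```

Running the script prints the findings in priority order (the exposed unit still on default credentials comes first) and then shows the lockout rejecting a correct password at t=30 because the account was locked at t=20, and accepting it again once the lockout has expired.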
“Using a default login and password to gain unauthorised access to a system isn’t a novel strategy,” Erlin explained. “If you’re altering the credentials for your UPS systems in response to this advice, make sure that other systems aren’t using default credentials as well.”