Cyble detects critical vulnerabilities in CyberPower PowerPanel Business Software used in critical infrastructure
Cyble researchers revealed multiple vulnerabilities in CyberPower PowerPanel Business Software, raising concerns about critical infrastructure security. These vulnerabilities pose a significant risk to these critical systems, potentially exploited by malicious actors. Last week, the U.S. CISA issued an ICS (industrial control systems) advisory warning about hacktivist groups targeting internet-exposed ICS, underscoring the urgency surrounding the recent PowerPanel vulnerabilities.
“UPS management software such as PowerPanel is designed to provide advanced power management for Uninterrupted Power Supply, Power Distribution Unit, or Automatic Transfer Switch,” Cyble researchers detailed in a Wednesday blog post. “PowerPanel UPS management software features real-time monitoring, remote management, event logging, automatic shutdown, scheduled maintenance, alarm notifications, energy management, multi-device support, user access control, and integration capabilities. These features enable organizations to efficiently monitor, control, and manage their UPS systems, ensuring continuous power availability, minimizing downtime, and optimizing energy usage.”
The exploitation of the vulnerabilities in the vulnerable PowerPanel software could allow an attacker to potentially bypass authentication and obtain administrator privileges, which could be utilized for writing arbitrary files to the server for code execution, gaining access to sensitive information, impersonating any client to sending malicious data and gaining access to the testing or production server.
Cyble identified that if an attacker is able to manipulate UPS management software, the target organization might face severe consequences, including disruption of operations; loss of data; compromised security, and financial losses. “Understanding the impact of a successful cyberattack via vulnerable UPS Management software, CRIL researchers’ investigation led to the discovery of over 600 internet-exposed PowerPanel Business software,” the post added.
CyberPower has released a patch that fixes these vulnerabilities.
Various users employ UPS management software, encompassing data centers, critical manufacturing sectors, healthcare facilities, educational institutions, government agencies, and beyond, to maintain uninterrupted mission-critical operations.
PowerPanel Business provides a range of customizable features, including unattended shutdown of connected computers and virtual machines during power events, automated event notifications via email, SMS, and instant messaging, scheduling shutdowns and restarts, event logging for analysis, user-programmable command scripts, and more. Additionally, the software enables remote access and management through a web browser, ensuring seamless system operation.
“CRIL researchers have been closely monitoring hacktivist claims of targeting internet-exposed Industrial Control System (ICS) devices,” the post said. “In past campaigns launched by hacktivist groups such as GhostSec, SigedSec, TeamOneFist, etc. – cyberattacks on UPS systems have emerged as a key vector in such campaigns to cause mass disruptions and gather notoriety from such attacks. Even though the impact of such claims remains questionable, the exposure and direct access of UPS systems to an attacker is a deeply concerning scenario.”
Cyble researchers also pointed to the OpColombia campaign launched by SiegedSec in collaboration with GhostSec and multiple campaigns launched by TeamOneFist in response to the Russia-Ukraine war in 2023 as a few notable incidents in which UPS systems manufactured by Schneider Electric, Powest, and APC were allegedly targeted.
CISA disclosed in its advisory presence of vulnerabilities that include the use of hard-coded passwords, relative path traversal, use of hard-coded credentials, active debug code, storing passwords in a recoverable format, improper neutralization of special elements used in an SQL Command (‘SQL Injection’), use of a hard-coded cryptographic key, and improper authorization. A CVSS v3 of 9.8 had been assigned to these vulnerabilities.
The agency added that exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, and gaining access to services with the privileges of a PowerPanel business application.
They can also enable gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system, and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
Cyble researchers speculate that hackers could soon leverage the critical vulnerabilities disclosed in PowerPanel in upcoming campaigns. “With the potential for exploitation looming, urgent attention to patching and mitigation measures is imperative to preemptively thwart any attempts to exploit these weaknesses. Proactive steps such as monitoring for suspicious activities, implementing network segmentation, and enhancing user awareness can bolster defenses against potential attacks,” they added.
The researchers call upon critical infrastructure asset owners and operators to implement a robust patch management strategy to promptly address software and systems vulnerabilities and ensure that security patches are regularly applied to all devices and applications, prioritizing critical updates to mitigate potential risks effectively. They must also conduct periodic security audits and penetration testing exercises to assess the effectiveness of existing security controls and identify vulnerabilities. Regularly review configurations, policies, and procedures to ensure compliance with security best practices and regulatory requirements.
Furthermore, Cyble urged critical infrastructure organizations to utilize asset management tools and network discovery techniques to maintain an accurate inventory of all devices and applications within the environment and enhance visibility into asset configurations, vulnerabilities, and dependencies to facilitate effective risk management and incident response. They must also implement multi-factor authentication (MFA) for remote access to the OT (operational technology) network, including connections from the IT network and external networks, which is crucial for enhancing security.
Related
