TLStorm vulnerabilities detected in APC Smart-UPS devices used across data centers, industrial facilities, hospitals


Armis researchers have discovered a set of three critical vulnerabilities in APC Smart-UPS devices, dubbed TLStorm. If exploited, these vulnerabilities can allow attackers to remotely manipulate the power of millions of enterprise devices, take over Smart-UPS devices, and potentially carry out extreme cyber-physical attacks across critical installations, including server rooms, medical facilities, OT/ICS environments, and residences.

The APC Smart-UPS models are controlled through a cloud connection, the researchers wrote in a company blog post. “Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. As a result, attackers can perform a remote-code execution (RCE) attack on a device, which in turn could be used to alter the operations of the UPS to physically damage the device itself or other assets connected to it,” it added.

The researchers said that the TLStorm set consists of two critical vulnerabilities in the TLS implementation used by cloud-connected Smart-UPS devices, and a third critical vulnerability that is a design flaw: firmware upgrades for all Smart-UPS devices are not properly signed and validated.

Armis said that two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection on startup or whenever the cloud connection is temporarily lost, and these vulnerabilities can be triggered via unauthenticated network packets without any user interaction. SmartConnect is a dedicated Ethernet port through which the device connects automatically to the Schneider Electric management cloud, allowing remote management of the device, it added.

The design flaw vulnerability is one in which the firmware updates on affected devices are not cryptographically signed in a secure manner, the researchers said. “This means an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried out,” they added.

Armis pointed out that attacks on the power grid and the appliances within it have taken place in the past, the most famous being the Ukraine power grid attack of 2015. At the time, UPS devices and many other types of devices were remotely hacked, which led to wide-scale power outages, it added.

Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets and are typically deployed across data centers, industrial facilities, hospitals and other installations. In cases where a power disruption could lead to injuries, business downtime, or data loss, UPS devices help ensure high availability of critical technology across medical facilities, OT/ICS environments, server rooms, and residences.

“Recent events in the Russia-Ukraine conflict have raised concerns by US officials that the US power grid would be targeted by Russia via cyber attacks. The discovery of TLStorm vulnerabilities underlines the volatility of devices within enterprise environments responsible for power reliability, and stresses the need to act and protect such devices against malicious attacks,” it added.

Armis researchers were able to exploit several key design flaws to fabricate malicious firmware that the Smart-UPS accepted as official, valid firmware. The flaws were: all Smart-UPS devices of the same model use the same encryption key; the encryption is symmetric, so the same key is used for encryption and decryption and can be extracted from a physical device; and no signing mechanism exists.

The combination of these flaws allows an attacker to ‘upgrade’ Smart-UPS devices over the network with customized and malicious firmware, the researchers said.

The firmware upgrade path depends on the specific UPS model, they added: the latest Smart-UPS devices with the SmartConnect cloud connection feature can be upgraded from the cloud management console over the Internet; older Smart-UPS devices that use the Network Management Card (NMC) can be updated over the local network; and most Smart-UPS devices can also be upgraded from a USB drive.
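The difference between the flawed design described above (one symmetric key per model, extractable from any unit, and "decrypts to a well-formed image" treated as validation) and proper firmware signing is easiest to see side by side. The following Go program is an added illustration, not code from Armis, APC or Schneider Electric, and it models neither the real Smart-UPS image format nor its key handling: the `UPSFW` magic header, the 0x42-filled shared key and the image contents are all constructed for the demo, and the `SymmetricFirmwareCheck` and `SignedFirmwareCheck` types are hypothetical. It shows that under the symmetric scheme an image built with the extracted shared key is accepted, while under an Ed25519 signature scheme (public key on the device, private key only at the vendor) the same forged image is rejected even when paired with a genuine signature.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed header marking a "well-formed" image in this demo.
var firmwareMagic = []byte("UPSFW")

// SymmetricFirmwareCheck models the flawed design: every device of a model
// holds the same key, so extracting it from one unit forges firmware for all.
type SymmetricFirmwareCheck struct {
	sharedKey []byte // AES-256 key; assumed extractable from any unit
}

// Encrypt wraps an image with AES-CTR under the shared key (IV || ciphertext).
// This is also exactly what an attacker holding the extracted key would run.
func (s SymmetricFirmwareCheck) Encrypt(image []byte) ([]byte, error) {
	block, err := aes.NewCipher(s.sharedKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(image))
	cipher.NewCTR(block, iv).XORKeyStream(out, image)
	return append(iv, out...), nil
}

// Accept mirrors "it decrypted to something that looks right, so it is valid".
// Decryption with a shared key proves nothing about who produced the image.
func (s SymmetricFirmwareCheck) Accept(blob []byte) bool {
	block, err := aes.NewCipher(s.sharedKey)
	if err != nil || len(blob) < aes.BlockSize {
		return false
	}
	iv, body := blob[:aes.BlockSize], blob[aes.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCTR(block, iv).XORKeyStream(plain, body)
	return bytes.HasPrefix(plain, firmwareMagic)
}

// SignedFirmwareCheck models the hardened design: the device embeds only the
// vendor's public key; the private key never ships, so owning a unit does not
// let anyone sign a new image.
type SignedFirmwareCheck struct {
	vendorPub ed25519.PublicKey
}

// SignFirmware runs at the vendor: sign the SHA-256 digest of the image.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// Accept verifies the signature before looking at anything else in the image.
func (c SignedFirmwareCheck) Accept(image, sig []byte) bool {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(c.vendorPub, digest[:], sig) {
		return false
	}
	return bytes.HasPrefix(image, firmwareMagic)
}

// Demo returns whether a forged image passes the symmetric check, whether it
// passes the signed check, and whether a genuine image passes the signed check.
func Demo() (forgedPassesSymmetric, forgedPassesSigned, genuinePassesSigned bool, err error) {
	genuine := append(append([]byte{}, firmwareMagic...), " v1.0 genuine vendor build"...)
	forged := append(append([]byte{}, firmwareMagic...), " v9.9 attacker build"...)

	// Flawed scheme: the attacker has the same key as every device (constructed value).
	sym := SymmetricFirmwareCheck{sharedKey: bytes.Repeat([]byte{0x42}, 32)}
	forgedBlob, err := sym.Encrypt(forged)
	if err != nil {
		return
	}
	forgedPassesSymmetric = sym.Accept(forgedBlob)

	// Hardened scheme: the attacker has the device and the public key, not the private key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	signed := SignedFirmwareCheck{vendorPub: pub}
	genuinePassesSigned = signed.Accept(genuine, SignFirmware(priv, genuine))
	// Best available move without the private key: replay a genuine signature on a modified image.
	forgedPassesSigned = signed.Accept(forged, SignFirmware(priv, genuine))
	return
}

func main() {
	a, b, c, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged image accepted by symmetric check: %v\n", a)
	fmt.Printf("forged image accepted by signed check:    %v\n", b)
	fmt.Printf("genuine image accepted by signed check:   %v\n", c)
}
```

The symmetric variant uses AES-CTR deliberately: confidentiality of the image is beside the point, and even an authenticated mode such as AES-GCM would not help, because any MAC computed with a key that lives in every unit can be computed by whoever extracts it. The property that matters for update integrity is that verification needs only public material while signing needs a secret the device never holds.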

The Armis research shows that UPS devices, like many other digital infrastructure appliances, cannot be merely installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications.

“It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However, traditional security solutions do not cover these assets. As a result, they remain ‘unseen’ and therefore expose the organization to significant risk,” it added.
