APC Smart-UPS Zero-day Puts Millions of Devices at Risk

Photograph of an APC Smart-UPS

Three critical vulnerabilities dubbed TLStorm affecting APC Smart-UPS devices allow cybercriminals to conduct extreme cyber-physical attacks on millions of enterprise devices, a report published yesterday by Armis threat intelligence said.

The vulnerabilities affect APC’s widely used uninterruptible power supply (UPS) devices that provide emergency power for critical infrastructures such as industrial facilities, hospitals, and data centers around the world.

8 Out of 10 Companies at Risk

8 out of 10 companies could be exposed to the TLStorm zero-day vulnerabilities, and attackers can remotely take over the cloud-controlled APC Smart-UPS devices over the internet “without any user interaction or signs of attack,” Armis stated. The former is known as a ZeroClick attack.

With over 20 million APC devices sold worldwide, the vulnerabilities can lead to “extreme attacks targeting both physical devices and IT assets,” simultaneously allowing cybercriminals to completely take over Smart-UPS devices via the internet, Armis said.

Internet-enabled “smart” UPS devices regulate high voltage power in critical industries, thus making them “a high value cyber-physical target,” Armis emphasized. Cybercriminals can now remotely heat up and blow up such devices.

“This is no longer a fictional attack [like in television series],” Armis said.

How the Attack Works

Attackers can launch a remote code execution (RCE) attack on a target device which could “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.

The fact that the latest APC Smart-UPS devices are controlled via a cloud connection also gives cybercriminals additional vulnerable entry points.

Two of the critical vulnerabilities involve the TLS cloud connection between the APC UPS and the Schneider Electric cloud — APC being a subsidiary of Schneider Electric. Specifically, the SmartConnect feature that automatically establishes a TLS connection “upon startup or whenever cloud connections are temporarily lost” can be compromised.

Furthermore, a third critical vulnerability includes improperly signed and validated Smart-UPS firmware upgrades. This means that malicious firmware can be crafted by an attacker and installed on various paths, compromising an entire network “from which additional attacks can be carried,” Armis stated.

“Abusing flaws in firmware upgrade mechanisms is becoming a standard practice of APTs” Armis said. APTs (Advanced Persistent Threats) are high-tier cybercriminal threat groups.

Affected Devices

The APC devices at risk from the TLStorm security issues are as follows:

  • SmartConnect Family SMT, SMC, SMTL, SCL, and SMX Series
  • Smart-UPS Family SMT, SMC, SCL, SMX, and SRT Series

As stated earlier, these devices are affected by both the cryptographic firmware signing vulnerability and the improper TLS implementation SmartConnect issue.

As far as software development is concerned, the infamous Log4Shell incident also had a hand in this case. Developers “unknowingly inherited a remote code execution vulnerability,” Armis added.

Patch Information

Upon disclosing the critical security issues to Schneider Electric at the end of October last year, Armis has contributed to creating a “generally available” patch. The patches can be found on the official Schneider Electric website.

Even so, attacks that target cyber-physical systems are on the rise, Armis wrote. Evidence of such attacks is visible now in the ongoing hybrid war between Ukraine and Russia. The Ukrainian power grid attack in 2015 attributed to Russia-backed APTs is yet another example of this, as are last year’s Iran-based cyberattacks.

“The increasing adoption of IoT and CPS devices has created a wealth of new targets for bad actors,” Armis added.

Security Recommendations

The following are security recommendations from Armis that can minimize the risk of an attack:

  1. Install the patches available on the Schneider Electric website.
  2. If you are using the NMC, change the default NMC password (“apc”) and install a publicly-signed SSL certificate so that an attacker on your network will not be able to intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Handbook for NMC 2 and NMC 3.
  3. Deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications.

APC customers should also contact experts at Armis to discuss this particular issue and acquire case-specific cybersecurity recommendations.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.