TLStorm… Next Cyclops Blink?

Government, Healthcare, Industry, and IT at Risk for Zero-Click Attacks

March 9, 2022 – Armis, the leading asset visibility and security platform, announced today that it has uncovered three related critical vulnerabilities in APC Smart-UPS devices.  Designated TLStorm, these vulnerabilities could allow attackers to remotely take control of UPS (Uninterruptible Power Supply) devices that provide emergency backup power for mission-critical assets, including server rooms, medical facilities, and OT/IoT environments.  Most at risk are government, healthcare, industrial, IT, and retail organizations.

APC is a subsidiary of Schneider Electric and one of the leading vendors of UPS devices, with over 20 million sold worldwide.  Cloud-connected APC Smart-UPS models are managed through the Schneider Electric management cloud; by exploiting these vulnerabilities, an attacker could remotely gain control of a device without leaving the usual signs of intrusion.  With remote code execution (RCE) on a vulnerable device, the attacker could alter the operating parameters of the UPS to physically damage the device itself or the assets it powers.

Of the three vulnerabilities, Armis states that “two can be triggered via unauthenticated network packets without any user interaction whatsoever”, i.e. a zero-click attack.  Both lie in the device's handling of the TLS connection it opens to the Schneider Electric management cloud (CVE-2022-22805, a buffer overflow in TLS packet reassembly, and CVE-2022-22806, a TLS authentication bypass), so an attacker who can intercept that connection can exploit them to gain code execution on the UPS or to impersonate the genuine Schneider Electric server.  The third vulnerability (CVE-2022-0715) is a firmware design flaw: firmware updates are not cryptographically signed, so the device will accept any image delivered by whatever it believes is a legitimate server.  Chaining these, an attacker could install malicious firmware and establish a persistent foothold on the UPS from which to carry out further attacks, much like the recent Cyclops Blink campaign against network appliances.

To date, there is no indication that these vulnerabilities have been exploited in the wild.  Schneider Electric, working jointly with Armis, has released firmware updates for affected devices.  Organizations using APC Smart-UPS devices should take immediate action.

Armis recommends securing devices by:

  1. Installing the patches available on the Schneider Electric website.

  2. If using the Network Management Card (NMC), change the default NMC password (“apc”) and install a publicly signed TLS certificate so that an attacker on your network cannot intercept the new password. To further limit the attack surface of the NMC, refer to the Schneider Electric Security Handbook for NMC 2 and NMC 3.

  3. Deploy access control lists (ACLs) so that the UPS devices can communicate only with a small set of management devices and the Schneider Electric cloud, and only over encrypted channels.
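The ACL in step 3 is easy to state and easy to get subtly wrong (an allow rule that still permits the unencrypted HTTP listener, or a UPS that can reach the whole internet instead of just the cloud endpoint). The following is an added example, not code from Armis, Schneider Electric or JSCM Group: a small Python model that renders the policy as an nftables ruleset and evaluates candidate flows against the same rule order, so the policy can be checked before it is deployed. All addresses are constructed placeholders; the cloud endpoint address is an assumption (resolve your own and use that), and the open ports are limited to the NMC's encrypted services (HTTPS 443, SSH 22) plus HTTPS from the UPS to the cloud.

```python
"""Offline model of the UPS network ACL recommended above (added example).

The same policy object renders an nftables ruleset and answers "would this
new flow be allowed?", mirroring the rule order in the ruleset, so the rules
can be reviewed before deployment.  Addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

ENCRYPTED_NMC_PORTS = (443, 22)   # HTTPS UI/API and SSH; HTTP, Telnet and SNMPv1 stay closed
CLOUD_PORT = 443                  # UPS -> cloud is HTTPS only


def _in_any(ip: str, networks) -> bool:
    """True if ip falls inside any of the given addresses/prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


@dataclass(frozen=True)
class UpsAclPolicy:
    ups_hosts: tuple          # UPS / NMC addresses or prefixes
    management_hosts: tuple   # the only hosts allowed to reach the NMCs
    cloud_hosts: tuple        # resolved cloud endpoint addresses (assumption: supply your own)

    def evaluate(self, src: str, dst: str, dport: int, proto: str = "tcp") -> str:
        """Decision for a NEW flow, in the same order as the rules in render_nft()."""
        src_ups, dst_ups = _in_any(src, self.ups_hosts), _in_any(dst, self.ups_hosts)
        if (proto == "tcp" and _in_any(src, self.management_hosts) and dst_ups
                and dport in ENCRYPTED_NMC_PORTS):
            return "accept"          # operator -> UPS over an encrypted service
        if (proto == "tcp" and src_ups and _in_any(dst, self.cloud_hosts)
                and dport == CLOUD_PORT):
            return "accept"          # UPS -> Schneider cloud endpoint only
        if src_ups or dst_ups:
            return "drop"            # default-deny for anything else touching a UPS
        return "accept"              # chain policy: other traffic is out of scope here

    def render_nft(self) -> str:
        """Render the policy as an nftables table with a forward-hook chain."""
        def elems(hosts):
            return ", ".join(hosts)
        ports = ", ".join(str(p) for p in ENCRYPTED_NMC_PORTS)
        return f"""table inet ups_acl {{
    set ups_hosts {{ type ipv4_addr; flags interval; elements = {{ {elems(self.ups_hosts)} }} }}
    set mgmt_hosts {{ type ipv4_addr; flags interval; elements = {{ {elems(self.management_hosts)} }} }}
    set cloud_hosts {{ type ipv4_addr; flags interval; elements = {{ {elems(self.cloud_hosts)} }} }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        ip saddr @mgmt_hosts ip daddr @ups_hosts tcp dport {{ {ports} }} accept
        ip saddr @ups_hosts ip daddr @cloud_hosts tcp dport {CLOUD_PORT} accept
        ip saddr @ups_hosts drop
        ip daddr @ups_hosts drop
    }}
}}"""


# Constructed sample addresses for the demonstration (not real infrastructure).
POLICY = UpsAclPolicy(
    ups_hosts=("10.10.50.10", "10.10.50.11"),
    management_hosts=("10.10.1.0/28",),
    cloud_hosts=("203.0.113.40",),   # RFC 5737 documentation address standing in for the cloud endpoint
)


def check_policy(policy: UpsAclPolicy = POLICY) -> dict:
    """Flows a reviewer would want to confirm before loading the ruleset."""
    return {
        "mgmt_https_to_ups": policy.evaluate("10.10.1.5", "10.10.50.10", 443),
        "mgmt_http_to_ups": policy.evaluate("10.10.1.5", "10.10.50.10", 80),
        "workstation_to_ups": policy.evaluate("10.10.20.7", "10.10.50.10", 443),
        "ups_to_cloud": policy.evaluate("10.10.50.10", "203.0.113.40", 443),
        "ups_to_internet": policy.evaluate("10.10.50.10", "198.51.100.9", 443),
        "ups_to_workstation": policy.evaluate("10.10.50.11", "10.10.20.7", 443),
        "unrelated_traffic": policy.evaluate("10.10.20.7", "10.10.20.8", 445),
    }


if __name__ == "__main__":
    print(POLICY.render_nft())
    for name, verdict in check_policy().items():
        print(f"{name:>20}: {verdict}")
```

The chain keeps `policy accept` and drops only flows that involve a UPS address, so loading it on a firewall that already carries other rules does not change unrelated traffic; the two explicit drop rules are what make the UPS segment default-deny. If your UPS also needs DNS, NTP or syslog, add those destinations as narrowly scoped accept rules above the drops rather than widening the cloud set.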

For assistance in addressing these vulnerabilities, contact JSCM Group today at JSCMGroup.com or 888.897.9680.