The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) are jointly warning of attacks against internet-connected uninterruptible power supply (UPS) devices by means of default usernames and passwords.
“Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet,” the agencies said in a bulletin published Tuesday.
UPS devices, in addition to offering power backup in mission-critical environments, are also equipped with internet of things (IoT) capabilities that let administrators carry out power monitoring and routine maintenance remotely. But as is often the case, such features can also open the door to malicious attacks.
To mitigate such threats, CISA and the DoE advise organizations to disconnect all UPS systems from the internet, secure any management interfaces behind a virtual private network (VPN), and implement multi-factor authentication.
The agencies have also urged affected entities to change the UPS usernames and passwords so that they no longer match the factory default settings. The advisory notes that this prevents threat actors from using default credentials to gain access to the UPS.
These warnings follow Armis research from three weeks ago that revealed multiple security flaws in APC Smart-UPS devices, which could be exploited by remote adversaries to gain unauthorised access to and control of the device.