TLStorm Zero-Day Vulnerability Resources

8 Mar 2022 11:55 AM | Anonymous

Dear RECC Members, 

Today, March 8th, 2022, Armis has announced the discovery of 3 zero-day vulnerabilities found in American Power Conversion (APC) Smart UPS-devices, potentially exposing over 20 million enterprise devices worldwide. Uninterruptible Power Supply (UPS) devices provide emergency backup power for mission-critical assets and these vulnerabilities, collectively known as TLStorm, allow threat actors to disable, disrupt, and destroy APC Smart-UPS devices and even attached assets.


Armis researchers disclosed their findings to Schneider Electric, APC’s parent company, on October 31st, 2021 and have been working with them since to create and test a patch.


Why is this research important?


Armis proactively researches various assets to help security leaders protect their organizations against new threats, including those targeting not-so-obvious assets like UPS-devices. We found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. According to Armis data, more than 70% of organizations appear to have assets that are vulnerable to TLStorm.

It’s important to note that Smart UPS-devices are often installed and forgotten, which can have severe implications if exploited by a bad actor since these devices are connected to the same networks as the core business systems.

What are the risks?


Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets in data centers, industrial facilities, hospitals, and more. This makes them a high-value cyber-physical target. Armis researchers were able to remotely control a Smart-UPS device, alter the voltage, and make it literally go up in smoke.

These vulnerabilities can also enable a UPS to act as a gateway from the Internet to the internal network, and attack other devices within the corporate network.


What should customers do to minimize the risk of an attack?


Armis recommends that all organizations:

  • Install the patches made available from Schneider Electric website.
  • Change the Schneider Electric default NMC (Network Management Card) password and install a publicly-signed SSL certificate.
  • Deploy Access Controls Lists (ACLs) and only use encrypted communication.

How can Armis help?


Use the Armis platform to:

  • Quickly discover all Smart-UPS devices that need to be patched or protected from exploit attempts to plan and prioritize mitigation efforts.
  • Detect exploit attempts in real-time and orchestrate responses through integrations with existing IT and security stack.
  • Continue to track the long tail of ‘still to be patched’ assets, and new assets that might be vulnerable.

What resources are available about this?

I have more questions about the research - Who should I contact?

Please contact Adam Vandenberg 

© Copyright 2023 Real Estate Cyber Consortium Inc.™ All Rights Reserved. Real Estate Cyber Consortium (RECC) is a 501(c)6 non-profit organization.  Privacy Policy and Terms of Use.
Powered by Wild Apricot Membership Software