Energy firms hacked via flaws in discontinued server
>
Software vulnerabilities found in platforms that have not been used for nearly two decades have been used to compromise a number of public and private entities in India, according to a new report from Microsoft.
The company found power grid operators in India, a national emergency response system and the subsidiary of a multinational logistics company were all targeted, using flaws in the Boa web (opens in new tab) server.
The victims were previously identified in an April report published by cybersecurity firm Recorded Future.
Included in SDKs
Boa is an open-source small web server, suitable for embedded applications. Despite not receiving support or updates for years, companies still use it to manage their IoT devices, and in this case it was used to manage Internet-facing DVR/IP cameras. Boa was discontinued in 2005. The attackers, identified as RedEcho, used the flaws to access the cameras and installed Shadowpad malware on target endpoints, in some cases throwing in the open-source tool FastReverseProxy for good measure.
Microsoft said Boa servers can still be found because many developers include them in their software development kits (SDK). In fact, according to Microsoft Defender Threat Intelligence platform data, there are more than one million Boa server components exposed on the internet.
“Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” the researchers said. “Microsoft continues to see attackers attempting to exploit Boa vulnerabilities outside of the time frame of the released report, indicating it is still the target of an attack vector.”
Threat actors can use these flaws to execute any code remotely, without requiring authentication on the target devices.
The last time anyone exploited these vulnerabilities was last month, when the Hive ransomware group attacked Tata Power, India’s largest integrated energy company.
“The attack described in the Recorded Future report was one of several intrusion attempts against Indian critical infrastructure since 2020, with the most recent attack against IT assets confirmed in October 2022,” Microsoft confirmed.
“Microsoft is reviewing those Boa servers (opens in new tab) ran on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the power grid attack targeted exposed IoT devices running Boa.”
It was said that Tata Power had not paid the ransom demanded.
Through: Beeping computer (opens in new tab)