Energy firms hacked via flaws in discontinued server

Boa web server was discontinued in 2005


Software vulnerabilities found in platforms that have been discontinued for almost two decades were used to compromise a number of public and private entities in India, a new report from Microsoft says.

The company found electrical grid operators in India, a national emergency response system, and the subsidiary of a multinational logistics company were all targeted, using flaws found in the Boa web server.

The victims were previously identified in an April report, published by cybersecurity company Recorded Future.

Included in SDKs

Boa is an open-source, small-footprint web server, suitable for embedded applications. Despite receiving no support, or updates, for years, businesses still use it to manage their IoT devices, and in this case, it was used to manage internet-facing DVR/IP cameras. Boa was discontinued in 2005. Using the flaws to access the cameras, the attackers identified as RedEcho installed Shadowpad malware on target endpoints, and in some cases, threw in the open-source tool FastReverseProxy, for good measure.

Microsoft said Boa servers can still be found because many developers include them in their software development kits (SDKs). In fact, the Microsoft Defender Threat Intelligence platform data states there are more than a million internet-exposed Boa server components.

“Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” the researchers said. “Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector.”

Threat actors can leverage these flaws to execute arbitrary code remotely, without needing to authenticate to the target devices.
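The defensive starting point the article implies is knowing which of your own internet-facing IoT assets still advertise Boa. The following is an added example (not Microsoft's or Recorded Future's code) that checks captured HTTP response headers from an authorised inventory scan for a Boa banner and tags each hit with the two CVEs quoted above; the sample banners are constructed.

```python
"""Flag Boa web server banners in an HTTP asset inventory (added example)."""
import re
from typing import Optional

# Known Boa weaknesses named in the article (from Microsoft's statement).
BOA_KNOWN_CVES = {
    "CVE-2017-9833": "arbitrary file access",
    "CVE-2021-33558": "information disclosure",
}

# Boa identifies itself in the Server header, e.g. "Server: Boa/0.94.14rc21".
# The word boundary avoids matching other products whose name starts with "Boa".
_SERVER_RE = re.compile(r"^server:\s*boa\b(?:/(\S+))?", re.IGNORECASE | re.MULTILINE)


def boa_version(raw_headers: str) -> Optional[str]:
    """Return the Boa version ('unknown' if absent) when the banner is Boa, else None."""
    m = _SERVER_RE.search(raw_headers)
    if not m:
        return None
    return m.group(1) or "unknown"


def triage(inventory: dict) -> dict:
    """Map asset name -> finding for every asset whose banner identifies Boa."""
    findings = {}
    for asset, headers in inventory.items():
        ver = boa_version(headers)
        if ver is not None:
            findings[asset] = {"version": ver, "cves": sorted(BOA_KNOWN_CVES)}
    return findings


# Constructed sample banners standing in for a scan export of your own assets.
SAMPLE_INVENTORY = {
    "dvr-01": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n",
    "cam-07": "HTTP/1.0 401 Unauthorized\r\nSERVER: Boa\r\nWWW-Authenticate: Basic realm=\"cam\"\r\n",
    "web-fe": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n",
}

if __name__ == "__main__":
    for asset, f in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: Boa {f['version']} -> review {', '.join(f['cves'])}")
```

Assets that match should be isolated from the internet and scheduled for firmware replacement, since Boa itself receives no fixes.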


The last time someone was spotted taking advantage of these vulnerabilities was last month, when the Hive ransomware group attacked Tata Power, India’s largest integrated power company.

“The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022,” Microsoft confirmed.

“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa.”

Tata Power reportedly did not pay the ransom demand.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
