Software vulnerabilities found in platforms that have been discontinued for almost two decades were used to compromise a number of public and private entities in India, a new report from Microsoft says.
The company found electrical grid operators in India, a national emergency response system, and the subsidiary of a multinational logistics company were all targeted, using flaws found in the Boa web server.
The victims were previously identified in an April report, published by cybersecurity company Recorded Future.
Included in SDKs
Boa is an open-source small-footprint web server, suitable for embedded applications. Despite receiving no support, or updates, for years, businesses still use it to manage their IoT devices, and in this case, it was used to manage internet-facing DVR/IP cameras. Boa was discontinued in 2005. Using the flaws to access the cameras, the attackers identified as RedEcho installed Shadowpad malware on target endpoints, and in some cases, threw in the open-source tool FastReverseProxy, for good measure.
Microsoft said Boa servers can still be found because many developers include them in their software development kits (SDK). In fact, the Microsoft Defender Threat Intelligence platform data states there are more than a million internet-exposed Boa server components.
“Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” the researchers said. “Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector.”
Threat actors can leverage these flaws to execute any code, remotely, without the need to authenticate on the target devices.
The last time someone was spotted taking advantage of these vulnerabilities was last month, when the Hive ransomware group attacked Tata Power, India’s largest integrated power company.
“The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022,” Microsoft confirmed.
“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa.”
It was said Tata Power did not pay the ransom demand.
These are the best endpoint protection services right now