Microsoft announced that security flaws discovered in decommissioned Boa web server software have been abused to attack power grid operators.
According to a report published by security firm Recorded Future in April, state-backed Chinese hacking groups targeted several Indian power grid operators, along with the national Indian emergency response system and the subsidiary of a major logistics company.
The attackers most likely accessed targets' internal networks using Internet-exposed DVR/IP camera equipment as command-and-control (C2) servers. According to the report, a variant of the Shadowpad malware and the open-source application FastReverseProxy were used during the attacks.
While Recorded Future did not elaborate on the attack vector, Microsoft recently stated that the attackers exploited a flaw in the Boa web server, software that has been retired since 2015 but is still used in IoT devices such as routers and cameras.
Because Boa is one of the components used to serve the login pages of IoT device management panels, its presence significantly increases the risk that critical infrastructure can be reached through susceptible, Internet-exposed devices still running the vulnerable web server software.
Boa servers are highly active
According to the Microsoft Security Threat Intelligence team, Boa servers are widespread throughout IoT devices, owing to the web server’s inclusion in popular software development kits (SDKs). Microsoft’s data suggests that up to one million internet-exposed Boa server components are active.
Boa servers have several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). Some Boa servers also expose sensitive credentials. Attackers can exploit these security holes without authentication, then use the compromised device as a foothold to execute malware remotely on other systems.