Microsoft warns hackers are abusing a defunct web server in IoT devices to target energy companies.
Microsoft researchers found a vulnerable open-source component, the Boa web server, which is still widely used in routers, security cameras, and software development kits (SDKs) despite being retired in 2005. The technology giant identified the component while investigating a suspected intrusion into the Indian electric grid. Chinese state-sponsored attackers used IoT devices to gain a foothold on operational technology (OT) networks, which monitor and control physical industrial systems.
Microsoft found one million internet-exposed Boa server components globally in a week, warning that the susceptible component poses a “supply chain vulnerability that may affect millions of companies and devices.”
The company said attackers are still exploiting Boa flaws, including a high-severity information disclosure bug (CVE-2021-33558) and an arbitrary file access flaw (CVE-2017-9833).
“The known [vulnerabilities] impacting such components can allow an attacker to collect information about network assets before initiating attacks and to gain undetected network access by obtaining valid credentials,” Microsoft said. This can allow the attackers to have a “much greater impact” once the attack is initiated.
Tata Power was compromised in October, Microsoft said. The Hive ransomware group published sensitive employee information, engineering drawings, financial and banking records, client records, and some private keys.
“Microsoft continues to see attackers exploiting Boa vulnerabilities beyond the report’s timeframe,” the company said.
The company warns that mitigating these Boa flaws is difficult because of the web server’s popularity and how deeply it is built into IoT devices. Microsoft recommends that network operators patch vulnerable devices, identify devices that contain vulnerable components, and configure detection rules to identify malicious activity.
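The inventory step Microsoft recommends, as an added example that is not Microsoft’s or the article’s code: it picks Boa out of the HTTP Server banner (assumed to take the form `Boa/<version>`) across a constructed set of device responses, so a defender can list which hosts still run the retired server. The hosts and version strings below are placeholders.

```python
import re
from typing import Dict, Optional

# Constructed sample HTTP responses, one per device, keyed by host.
# The Boa version strings are illustrative placeholders, not observed values.
SAMPLE_RESPONSES: Dict[str, str] = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nDate: Mon, 21 Nov 2022 10:00:00 GMT\r\n"
                  "Server: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>",
    "192.0.2.11": "HTTP/1.0 401 Unauthorized\r\nserver: boa/0.93.15\r\n"
                  "WWW-Authenticate: Basic realm=\"camera\"\r\n\r\n",
    "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.0\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

# Header names are case-insensitive, so match "Server:" in any case.
SERVER_RE = re.compile(r"^server:\s*(.+?)\s*$", re.IGNORECASE)
# Boa identifies itself as "Boa/<version>"; the version part may be absent.
BOA_RE = re.compile(r"^boa(?:/(\S+))?", re.IGNORECASE)


def server_header(raw: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    head, _, _ = raw.partition("\r\n\r\n")          # headers only, not the body
    for line in head.split("\r\n")[1:]:              # skip the status line
        m = SERVER_RE.match(line)
        if m:
            return m.group(1)
    return None


def find_boa_hosts(responses: Dict[str, str]) -> Dict[str, str]:
    """Map host -> Boa version ("unknown" if unversioned) for every Boa-served host."""
    found: Dict[str, str] = {}
    for host, raw in responses.items():
        banner = server_header(raw)
        if banner is None:
            continue
        m = BOA_RE.match(banner)
        if m:
            found[host] = m.group(1) or "unknown"
    return found


if __name__ == "__main__":
    for host, version in sorted(find_boa_hosts(SAMPLE_RESPONSES).items()):
        print(f"{host}: Boa {version} (retired 2005, treat as unpatched; isolate or replace)")
```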
Microsoft’s warning highlights the supply chain risk posed by network flaws. Log4Shell, a zero-day vulnerability in the Apache logging library Log4j, could have affected 3 billion devices.