Microsoft has warned that malicious hackers are exploiting a defunct web server found in public Internet of Things (IoT) devices to target organizations in the energy sector.
In analysis published on Tuesday, Microsoft researchers said they discovered a vulnerable open-source component, the Boa web server, which is still widely used in a number of routers and security cameras, as well as in popular software development kits (SDKs), despite the software having been discontinued in 2005. The tech giant identified the component while investigating a suspected intrusion into India’s power grid, detailed by Recorded Future in April, in which Chinese state-sponsored attackers used IoT devices as a foothold into the operational technology (OT) networks used to monitor and control physical industrial systems.
Microsoft said it had identified one million Boa server components exposed to the Internet globally over a one-week period, warning that the vulnerable component posed a “supply chain risk that could affect millions of organizations and devices.”
The company added that it continues to see attackers trying to exploit Boa’s flaws, which include a high-severity information disclosure bug (CVE-2021-33558) and an arbitrary file access flaw (CVE-2017-9833).
“The known [vulnerabilities] impacting such components could allow an attacker to gather information about network assets before launching attacks and gain undetected network access by obtaining valid credentials,” Microsoft said, adding that they could give attackers a “much greater impact” once an attack is initiated.
Microsoft said the latest attack it observed was the compromise of Tata Power in October. That breach led to the Hive ransomware group releasing data stolen from the Indian energy giant, which included sensitive employee information, engineering drawings, financial and banking records, customer records and some private keys.
“Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the time frame of the published report, indicating that it is still being targeted as an attack vector,” Microsoft said.
The company cautioned that mitigating these Boa flaws is difficult due to both the continued popularity of the now-defunct web server and the complex nature of how it’s embedded in the IoT device supply chain. Microsoft recommends that organizations and network operators patch vulnerable devices where possible, identify devices with vulnerable components, and configure detection rules to identify malicious activity.
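One practical first step toward Microsoft's second recommendation, identifying devices that still carry the Boa component, is to inventory hosts whose HTTP responses advertise a Boa server banner. The script below is an added example written for this article, not code from Microsoft or the Boa project; the tab-separated log layout (source IP, destination IP, destination port, Server header, request path) and all sample lines are constructed here, and the version strings are assumptions rather than values from the page. Because Boa has not been maintained since 2005, the script flags every Boa banner regardless of version, so the output is a patch-or-isolate worklist rather than a version comparison.

```python
"""
Inventory internal hosts that advertise the Boa web server, from HTTP logs.

Added example, not part of the original article. The log format below is a
constructed, Zeek-like tab-separated layout; map parse_line() to your own
proxy, IDS or asset-scanner export before using it on real data.
"""
import re

# Constructed sample log: src_ip, dst_ip, dst_port, Server header, URI.
# Hosts and versions are invented for this example.
SAMPLE_LOG = """\
10.0.1.5\t192.168.10.21\t80\tBoa/0.94.14rc21\t/
10.0.1.5\t192.168.10.22\t80\tnginx/1.18.0\t/index.html
10.0.1.7\t192.168.10.23\t8080\tBoa/0.94.13\t/cgi-bin/status
10.0.1.5\t192.168.10.21\t80\tBoa/0.94.14rc21\t/login
10.0.1.9\t192.168.10.24\t443\tApache/2.4.54\t/
"""

# Boa announces itself as "Boa/<version>"; match case-insensitively and
# capture whatever follows the slash so odd vendor builds are still caught.
BOA_BANNER = re.compile(r"^Boa/(?P<version>\S+)", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a record, or return None if it is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    src, dst, port, server, uri = parts
    if not port.isdigit():
        return None
    return {"src": src, "dst": dst, "port": int(port),
            "server": server, "uri": uri}


def find_boa_hosts(log_text):
    """Return {(dst_ip, dst_port): {"version": str, "hits": int}} for every
    host whose Server header identifies Boa. Any version is flagged: the
    project has been unmaintained since 2005, so there is no safe release."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        match = BOA_BANNER.match(rec["server"])
        if not match:
            continue
        key = (rec["dst"], rec["port"])
        entry = hosts.setdefault(key, {"version": match.group("version"),
                                       "hits": 0})
        entry["hits"] += 1
    return hosts


def worklist(hosts):
    """Render the inventory as lines, busiest endpoint first, for ticketing."""
    rows = sorted(hosts.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [f"{dst}:{port}\tBoa/{info['version']}\tresponses={info['hits']}"
            for (dst, port), info in rows]


if __name__ == "__main__":
    for row in worklist(find_boa_hosts(SAMPLE_LOG)):
        print(row)
```

The Server header is only a heuristic: vendors sometimes strip or rewrite it, so an empty result does not prove a fleet is Boa-free, and this inventory should be combined with firmware SBOM data from suppliers where it is available.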
Microsoft’s warning again highlights the supply chain risk posed by flaws in widely used networking components. Log4Shell, a zero-day vulnerability identified last year in Log4j, Apache’s open-source logging library, is estimated to have potentially affected over three billion devices.