Power Companies Hacked Through Abandoned Server Flaws

Software vulnerabilities found in platforms that have been abandoned for nearly two decades have been used to compromise various public and private entities in India, according to a new report from Microsoft.

The company found that power grid operators in India, a national emergency response system and the subsidiary of a multinational logistics company were all targeted using flaws in the Boa web server.

The victims had previously been identified in an April report, published by cybersecurity firm Recorded Future.

Included in the SDKs

Boa is a small-footprint open source web server suitable for embedded applications. It was discontinued in 2005 and has not received support or updates for years, yet companies still use it to manage their IoT devices; in this case it was used to manage Internet-facing DVR/IP cameras. Using the flaws to gain access to the cameras, attackers identified as RedEcho installed ShadowPad malware on target endpoints and, in some cases, added the open source FastReverseProxy tool for good measure.

Microsoft said Boa servers are still available because many developers include them in their software development kits (SDKs). In fact, data from the Microsoft Defender Threat Intelligence Platform indicates that there are over a million Boa server components exposed to the Internet.

"Boa servers are affected by several known vulnerabilities, including Arbitrary File Access (CVE-2017-9833) and Information Disclosure (CVE-2021-33558)," the researchers said. "Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the published reporting period, indicating that it is still being targeted as an attack vector."

Attackers can use these flaws to execute arbitrary code remotely on the target devices without authentication.

The most recent observed exploitation of these vulnerabilities was last month, when the Hive ransomware group attacked Tata Power, India's largest integrated power company.

"The attack detailed in the Recorded Future report was one of many attempted intrusions into critical Indian infrastructure since 2020, with the latest attack on IT assets confirmed in October 2022," Microsoft confirmed.

"Microsoft assesses that the Boa servers were running on IP addresses on the IOC list published by Recorded Future at the time of the report's publication, and that the power grid attack targeted exposed IoT devices running Boa."

Tata Power reportedly did not pay the ransom demand.

Via: BleepingComputer