Software vulnerabilities discovered on platforms that have been out of production for nearly two decades have been used to compromise many public and private entities in India, according to a new Microsoft report.
The attackers targeted India’s electricity grid operators, a national emergency response system and a subsidiary of an international logistics company, exploiting vulnerabilities found in the Boa web server.
The victims were previously identified in an April report by cybersecurity firm Recorded Future.
Included in the SDKs
Boa is a small open source web server suitable for embedded applications. It was discontinued in 2005 and has not been supported or updated since, yet companies still use it to manage their IoT devices; in this case it was used to manage Internet-connected DVR/IP cameras. Exploiting the vulnerabilities to gain access to the cameras, the attackers, identified as RedEcho, installed the Shadowpad malware on the targeted endpoints and in some cases also deployed the FastReverseProxy open source tool.
Microsoft said that Boa servers can still be found because many developers include them in their software development kits (SDKs). In fact, data from the Microsoft Defender Threat Intelligence platform indicates that there are over a million Boa server components exposed to the Internet.
“Boa servers are affected by several known vulnerabilities, including Arbitrary File Access (CVE-2017-9833) and Information Disclosure (CVE-2021-33558),” the researchers said. “Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframes published in the report, indicating this is still an attack vector.”
Threat actors could exploit these vulnerabilities to remotely execute arbitrary code without requiring authentication on the target devices.
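Because Boa was discontinued in 2005, every build that answers on a network is end-of-life, so the first defensive step is finding them. The following inventory check is an added example (not code from the Microsoft report or the article): it scans captured HTTP responses for a Boa Server banner and flags the host, attaching the two CVEs named above. The sample responses are constructed, and the `Server: Boa/<version>` banner format is assumed from typical Boa builds.

```python
import re
from typing import Optional

# Boa advertises itself in the HTTP Server header, e.g. "Server: Boa/0.94.14rc21"
# (header format assumed from typical Boa builds). The project was discontinued in
# 2005, so any version is end-of-life; the CVEs are those named in the report.
BOA_BANNER = re.compile(r"^Server:\s*Boa(?:/(\S+))?\s*$", re.IGNORECASE | re.MULTILINE)
KNOWN_CVES = ("CVE-2017-9833", "CVE-2021-33558")

def boa_version(raw_response: str) -> Optional[str]:
    """Return the advertised Boa version ("unknown" if none), or None if not Boa."""
    m = BOA_BANNER.search(raw_response)
    if not m:
        return None
    return m.group(1) or "unknown"

def triage(inventory: dict[str, str]) -> list[dict]:
    """Flag every host whose response carries a Boa banner; all Boa builds are EOL."""
    findings = []
    for host, raw in inventory.items():
        ver = boa_version(raw)
        if ver is not None:
            findings.append({"host": host, "version": ver, "eol": True, "cves": KNOWN_CVES})
    return findings

# Constructed sample responses (not real device captures). The first two mimic an
# embedded DVR/camera built on a Boa-bearing SDK; the last one must NOT be flagged,
# since only the Server header is a banner.
SAMPLE_INVENTORY = {
    "10.0.0.21": "HTTP/1.0 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.22": "HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.94.13\r\nWWW-Authenticate: Basic realm=\"DVR\"\r\n\r\n",
    "10.0.0.23": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.24": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: Boa-not-a-banner\r\n\r\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: Boa {f['version']} (EOL) - review {', '.join(f['cves'])}")
```

A hit here means the device is running unmaintained software regardless of version, so it belongs on the replacement or network-isolation list rather than a patch queue.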
The most recent observed exploitation of these vulnerabilities was last month, when the Hive ransomware group attacked Tata Power, India’s largest integrated energy company.
“The attack described in the Recorded Future report was one of several attempts to break into India’s critical infrastructure since 2020, with the last attack on IT assets confirmed in October 2022,” confirmed Microsoft.
“Microsoft estimates that Boa servers were operating on IP addresses on the IOC list published by Recorded Future at the time of the report, and that the exposed IoT devices running Boa were targeted by the electrical grid attack.”
Tata Power reportedly did not pay the ransom.
By: BleepingComputer