Microsoft has warned that malicious hackers are exploiting an abandoned web server found in common Internet of Things (IoT) devices to target organizations in the energy sector.
In an analysis released Tuesday, Microsoft researchers said they discovered a vulnerable open-source component in the Boa web server, which is still widely used in a range of routers and security cameras, as well as in popular software development kits (SDKs), despite the software being retired in 2005. The tech giant identified the component during an investigation into an alleged intrusion into India’s power grid, first detailed by Recorded Future in April, in which attackers sponsored by the Chinese state used IoT devices to gain a foothold on operational technology (OT) networks, which are used to monitor and control physical industrial systems.
Microsoft said it identified one million Internet-exposed Boa server components globally over a one-week period, warning that the vulnerable component poses a “supply chain risk that could affect millions of organizations and devices”.
The company added that it continues to see attackers attempt to exploit flaws in Boa, including a high-severity information disclosure bug (CVE-2021-33558) and an arbitrary file access flaw (CVE-2017-9833).
“The known [vulnerabilities] impacting these components may allow an attacker to gather information about network assets before launching attacks and gain access to a network undetected by obtaining valid credentials,” Microsoft said, adding that this may allow attackers to have a “much greater impact” once the attack is triggered.
Microsoft said the most recent attack observed was the Tata Power compromise in October. This breach led ransomware group Hive to release data stolen from the Indian energy giant, which included sensitive employee information, technical drawings, financial and banking records, customer records and some private keys.
“Microsoft continues to see attackers attempt to exploit Boa vulnerabilities beyond the published report period, indicating that it is still being targeted as an attack vector,” Microsoft said.
The company warned that mitigating these Boa flaws was difficult due to both the continued popularity of the now-defunct web server and the complex nature of integrating it into the IoT device supply chain. Microsoft recommends that organizations and network operators remediate vulnerable devices whenever possible, identify devices with vulnerable components, and configure detection rules to identify malicious activity.
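As an added illustration of the inventory step Microsoft recommends (identifying devices that carry the Boa component), the script below is example code written for this article, not Microsoft's tooling or anything from the Boa project. It assumes that a Boa build announces itself in the HTTP `Server` response header as `Boa/<version>` (an assumption made here; vendors can suppress or rewrite that banner, so this check finds candidates rather than proving absence). The HTTP responses are constructed samples standing in for what an internal asset-inventory scan of an OT network segment might record.

```python
"""Flag hosts in an inventory that appear to run the retired Boa web server.

Because Boa has been unmaintained since 2005, every version is treated as
end-of-life: the goal is to build a remediation list, not to rank versions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: raw HTTP response heads keyed by host address,
# as an asset-inventory scanner on an internal network might store them.
SAMPLE_RESPONSES: Dict[str, str] = {
    "10.0.5.11": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.5.12": "HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.94.13\r\nWWW-Authenticate: Basic realm=\"cam\"\r\n\r\n",
    "10.0.5.20": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Type: text/html\r\n\r\n",
    "10.0.5.21": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",  # no banner at all
}

# Assumed banner shape "Boa/<version>"; a bare "Boa" is also accepted.
BOA_BANNER = re.compile(r"^Boa(?:/(\S+))?$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    server: Optional[str]       # raw Server header value, if any
    boa_version: Optional[str]  # parsed version, "unknown" if bare "Boa", None if not Boa


def parse_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response head, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    # Skip the status line; header names are case-insensitive per HTTP.
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(host: str, raw_response: str) -> Finding:
    """Classify one host by whether its banner looks like Boa."""
    server = parse_server_header(raw_response)
    version = None
    if server is not None:
        match = BOA_BANNER.match(server)
        if match:
            version = match.group(1) or "unknown"
    return Finding(host=host, server=server, boa_version=version)


def find_boa_hosts(responses: Dict[str, str]) -> List[Finding]:
    """Return findings for every host whose banner matched Boa, sorted by host."""
    findings = (classify(host, raw) for host, raw in sorted(responses.items()))
    return [f for f in findings if f.boa_version is not None]


if __name__ == "__main__":
    for finding in find_boa_hosts(SAMPLE_RESPONSES):
        print(f"{finding.host}: Boa {finding.boa_version} (end-of-life component, remediate)")
```

Hosts with no `Server` header (such as `10.0.5.21` above) are deliberately not reported as clean; they belong on a follow-up list for identification by firmware version or vendor SBOM, since banner absence is exactly the gap that makes Boa hard to find in the supply chain.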
Microsoft’s warning again highlights the risk to the supply chain posed by flaws in widely used network components. Log4Shell, a zero-day vulnerability identified last year in Log4j, Apache’s open-source logging library, is estimated to have potentially affected more than three billion devices.