Hackers breach energy orgs via bugs in discontinued web server

Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector.

As cybersecurity company Recorded Future revealed in a report published in April, state-backed Chinese hacking groups (including one traced as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.

The attackers gained access to the internal networks of the hacked entities via Internet-exposed cameras on their networks as command-and-control servers.

"In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group," Recorded Future said.

"To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy"

Attacks linked to Boa web server flaws

While Recorded Future didn't expand on the attack vector, Microsoft said today that the attackers exploited a vulnerable component in the Boa web server, a software solution discontinued since 2005 that's still being used by IoT devices (from routers to cameras).

Boa being one of the components used for signing in and accessing the management consoles of IoT devices, significantly increases the risk of critical infrastructure being breached via vulnerable and Internet-exposed devices running the vulnerable web server.

The Microsoft Security Threat Intelligence team said today that Boa servers are pervasive across IoT devices mainly because of the web server's inclusion in popular software development kits (SDKs).

According to Microsoft Defender Threat Intelligence platform data, more than 1 million internet-exposed Boa server components were detected online worldwide within a single week.

​"Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558)," Microsoft researchers said.

"Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector."

Attackers can exploit these security flaws without requiring authentication to execute code remotely after stealing credentials by accessing files with sensitive information on the targeted server.

Tata Power breached using Boa web server vulnerabilities

In one of the most recent attacks abusing these vulnerabilities observed by Microsoft, Hive ransomware hacked India's largest integrated power company, Tata Power, last month.

"The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022," Redmond said.

"Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report's release and that the electrical grid attack targeted exposed IoT devices running Boa."

Tata Power disclosed a cyber attack on its "IT infrastructure impacting some of its IT systems" in a stock filing on October 14th without sharing additional details regarding the threat actors behind the incident.

The Hive ransomware gang later posted data they claimed to have stolen from Tata Power's networks, indicating the ransom negotiations failed.