Flaws from a web server discontinued since 2005 have been used to attack organizations from the energy sector.
State-backed Chinese hacking groups have used the Boa web server to target several Indian electrical grid operators, compromising an Indian national emergency response system and a logistics company subsidiary.
Boa Web Server Vulnerabilities
Hackers compromised Internet-exposed cameras on the targeted networks and used them as command-and-control servers. They exploited a vulnerability in the Boa web server, software that, although discontinued in 2005, is still embedded in IoT devices (from routers to cameras).
“The group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy,” Recorded Future said, via BleepingComputer.
Boa is one of the components that serves the sign-in pages and management consoles of IoT devices, so vulnerable, Internet-exposed devices running it raise the risk of critical infrastructure being breached through them.
In a single week, more than 1 million internet-exposed Boa server components were detected.
The software is affected by multiple flaws, among them arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). Hackers can use these flaws with no authentication “to execute code remotely after stealing credentials by accessing files with sensitive information on the targeted server,” according to BleepingComputer.
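The two defender-side checks that follow from the above, finding devices that still answer with a Boa banner and spotting path-traversal requests of the kind behind the arbitrary file access flaw, as an added example that is not code from the article, Microsoft or Recorded Future. The Server header format is Boa's default (“Boa/<version>”); the hosts, header blocks and log lines are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed HTTP response header blocks, as a scanner or proxy would record
# them from devices on the network (sample data, not a real inventory).
SAMPLE_RESPONSES = {
    "10.0.0.12": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.13": "HTTP/1.1 401 Unauthorized\r\nServer: nginx/1.24.0\r\n\r\n",
    "10.0.0.14": "HTTP/1.0 200 OK\r\nserver: Boa/0.94.13\r\n\r\n",
}

# Constructed access-log lines in common log format (sample data, not from an incident).
SAMPLE_LOG = [
    '10.0.0.12 - - [01/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.12 - - [01/Nov/2022:10:01:09 +0000] "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.12 - - [01/Nov/2022:10:01:15 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
]

SERVER_RE = re.compile(r"^server:\s*Boa/(\S+)", re.IGNORECASE | re.MULTILINE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')


def find_boa_hosts(responses):
    """Return {host: version} for every response served by Boa.
    Boa's last release dates from 2005, so every version is end-of-life:
    each hit is an asset to isolate from the Internet or replace."""
    hosts = {}
    for host, headers in responses.items():
        m = SERVER_RE.search(headers)
        if m:
            hosts[host] = m.group(1)
    return hosts


def traversal_requests(log_lines):
    """Return (client, decoded_path) for requests whose path contains a '..'
    component after URL-decoding, the pattern used for arbitrary file access."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(unquote(m.group(1)))  # decode twice to catch double-encoding
        if re.search(r"\.\.(?:[/\\]|$)", path):
            hits.append((line.split()[0], path))
    return hits


if __name__ == "__main__":
    print(find_boa_hosts(SAMPLE_RESPONSES))
    print(traversal_requests(SAMPLE_LOG))
```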
The Tata Power Breach
One of the cyberattacks using the web server’s vulnerabilities is the Tata Power breach. The incident happened in October 2022, and it involved Hive ransomware.
Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa.
India’s largest integrated power company refused to pay the ransom, so the hackers posted online the data they exfiltrated.