The other day, Microsoft shared the unpleasant news, warning that hackers are exploiting a discontinued web server found in common Internet of Things (IoT) devices to target organizations in the energy sector.
In a recently published analysis, Microsoft researchers said they had discovered a vulnerable open-source component in the Boa web server, which is still widely used in many routers and security cameras — as well as popular SDKs despite the software’s retirement in 2005.
The Redmond-based giant identified the component while investigating a suspected Indian electric grid intrusion, where Chinese attackers used IoT devices to gain a foothold on operational technology (OT) networks – which are used to monitor and control physical industrial systems.
Microsoft said it has identified one million internet-exposed Boa server components globally over the span of a one-week period, adding that this poses a “supply chain risk that may affect millions of organizations and devices.”
The company noted that it still sees attackers attempting to exploit Boa flaws, which include a high-severity information disclosure bug (CVE-2021-33558) and another arbitrary file access flaw (CVE-2017-9833).
“The known [vulnerabilities] impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials,” Microsoft said, adding that this can allow the attackers to have a “much greater impact” once the attack is initiated.
The most recent attack observed, according to Microsoft, was the compromise of Tata Power in October. This breach resulted in the Hive ransomware group publishing data stolen from the Indian energy giant, which included employee information, engineering drawings, financial and banking records, client records, and even some private keys.
“Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector,” the company said.
The problem, however, is that mitigating these Boa flaws is difficult due to both the continued popularity of the now-defunct web server and the complex nature of how it is built into the IoT device supply chain. Microsoft recommends patching of vulnerable devices where possible, identifying devices with vulnerable components, and configuring detection rules to identify malicious activity.
This isn’t the first time we have seen a major problem with network components. Last year, the zero-day vulnerability Log4Shell was identified in Log4j, which is the open-source Apache logging library. At that time, estimates of potentially affected devices were upwards of three billion. Now, that’s scary…