  • Hackers breach energy orgs via bugs in discontinued web server

    alf9872000

    Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector.

    As cybersecurity company Recorded Future revealed in a report published in April, state-backed Chinese hacking groups (including one tracked as RedEcho) targeted multiple Indian electrical grid operators and also compromised an Indian national emergency response system and the Indian subsidiary of a multinational logistics company.

    Rather than attacking the grid operators' networks head-on, the attackers took over Internet-exposed DVR and IP camera devices and used them as command-and-control servers for the malware running inside the compromised organizations.

    "In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group," Recorded Future said.

    "To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy."

    Attacks linked to Boa web server flaws

    While Recorded Future didn't expand on the attack vector, Microsoft said today that the attackers exploited a vulnerable component in the Boa web server, an open-source embedded web server discontinued since 2005 that is still shipped in IoT devices (from routers to cameras).

    Because Boa is often the component that serves the sign-in page and management console of an IoT device, an unpatched, Internet-exposed Boa instance is a direct path into the device, which significantly increases the risk of critical infrastructure being breached through these devices.

    The Microsoft Security Threat Intelligence team said today that Boa servers are pervasive across IoT devices mainly because of the web server's inclusion in popular software development kits (SDKs).

    According to Microsoft Defender Threat Intelligence platform data, more than 1 million internet-exposed Boa server components were detected online worldwide within a single week.

    Exposed Boa servers worldwide (Microsoft)

    "Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558)," the Microsoft Security Threat Intelligence team said.

    "Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector."

    These flaws can be exploited without authentication: an attacker first reads files containing sensitive information from the targeted device (the password file, for example) or pulls credentials from exposed server URIs, then uses the stolen credentials to gain access to the device and execute code on it.
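    Two things a defender reading the last several paragraphs would want to do are find Boa instances in their own address space (the Server header is what Internet-wide counts like Microsoft's are built on) and notice the unauthenticated file-read attempts described above in their web server logs. The Python below is an added example, not code from the article, Microsoft or Recorded Future. The hosts, HTTP responses and access-log lines are constructed samples (the first log line mirrors the request shape in the public CVE-2017-9833 record: a FILENAME parameter carrying `../` sequences), and the regular expressions and severity rule are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# --- 1. Fleet inventory: identify Boa by its Server header -----------------
# Constructed sample responses (hypothetical hosts in the 192.0.2.0/24
# documentation range), as an internal port scan might record them.
SAMPLE_RESPONSES: Dict[str, str] = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
                  "Content-Type: text/html\r\n\r\n<html>camera</html>",
    "192.0.2.11": "HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.93.15\r\n"
                  'WWW-Authenticate: Basic realm="DVR"\r\n\r\n',
    "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "Boa mentioned in the body only",
}

SERVER_RE = re.compile(r"^Server:[ \t]*Boa/(\S+)", re.IGNORECASE | re.MULTILINE)


def boa_version(raw_response: str) -> Optional[str]:
    """Return the Boa version advertised in the response headers, or None.

    Only the header block is inspected, so the word 'Boa' appearing in a
    page body does not produce a false positive.
    """
    headers = raw_response.split("\r\n\r\n", 1)[0]
    m = SERVER_RE.search(headers)
    return m.group(1) if m else None


def find_boa_hosts(responses: Dict[str, str]) -> Dict[str, str]:
    """Map host -> Boa version for every response that advertises Boa."""
    found: Dict[str, str] = {}
    for host, raw in responses.items():
        version = boa_version(raw)
        if version:
            found[host] = version
    return found


# --- 2. Access-log triage: traversal and sensitive-file read attempts -----
# Constructed Common Log Format lines. Line 1 mirrors the request shape in
# the public CVE-2017-9833 record; lines 2 and 4 are encoded variants;
# line 3 is benign noise.
SAMPLE_LOG: List[str] = [
    '198.51.100.7 - - [10/Oct/2022:02:14:31 +0000] "GET /cgi-bin/wapopen?FILENAME=../../etc/passwd HTTP/1.1" 200 1432',
    '198.51.100.7 - - [10/Oct/2022:02:14:35 +0000] "GET /cgi-bin/index.cgi?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2022:02:15:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2022:02:16:12 +0000] "GET /login.cgi?user=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1400',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")           # ../ or ..\ after decoding
SENSITIVE_RE = re.compile(r"/etc/(passwd|shadow)\b")


def fully_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded %252e%252e%252f is seen as ../ like a plain one."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(line: str) -> Optional[dict]:
    """Return an alert dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m.group("target"))
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("path traversal")
    if SENSITIVE_RE.search(target):
        reasons.append("sensitive file")
    if not reasons:
        return None
    status = int(m.group("status"))
    # Assumed rule: a 200 on a sensitive-file read suggests the server
    # actually returned the file, so treat it as high severity.
    severity = "high" if status == 200 and "sensitive file" in reasons else "medium"
    return {"ip": m.group("ip"), "target": target, "status": status,
            "reasons": reasons, "severity": severity}


def scan_log(lines: List[str]) -> List[dict]:
    """Run classify_request over every line and keep the alerts."""
    return [alert for alert in (classify_request(l) for l in lines) if alert]


if __name__ == "__main__":
    for host, ver in find_boa_hosts(SAMPLE_RESPONSES).items():
        print(f"{host}: Boa/{ver} (end-of-life web server, review exposure)")
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

    A missing or rewritten Server header is not evidence that a device is not running Boa, so header matching should be used to prioritize, not to clear, embedded devices; a device whose SDK is known to bundle Boa should be treated as affected until the vendor says otherwise. Decoding the request target before pattern matching matters because the traversal sequences in real probes are frequently URL-encoded once or twice.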

    Tata Power breached using Boa web server vulnerabilities

    In the most recent of the attacks tied to these vulnerabilities that Microsoft observed, the Hive ransomware gang breached India's largest integrated power company, Tata Power, last month.

    "The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022," Redmond said.

    "Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report's release and that the electrical grid attack targeted exposed IoT devices running Boa."

    Tata Power disclosed a cyber attack on its "IT infrastructure impacting some of its IT systems" in a stock filing on October 14th without sharing additional details regarding the threat actors behind the incident.

    The Hive ransomware gang later posted data they claimed to have stolen from Tata Power's networks, indicating the ransom negotiations failed.
