Posted on November 24, 2022 at 8:58 AM
Tech giant Microsoft has reported that a web server component discontinued in 2005, but still widely deployed in devices, is being used by threat actors as a way into attacks on energy grids.
According to the company, threat actors are increasingly gaining access to otherwise protected networks through Internet of Things (IoT) devices before they deploy their payloads.
This follows a report published by Recorded Future in April this year, which detailed a suspected intrusion into the Indian electrical grid. Analysis of the IP addresses listed in that report found that they shared a common component, the Boa web server, which is affected by known vulnerabilities.
Microsoft stated that Boa serves several functions on devices, including management consoles, settings pages, and sign-in screens. Although the project has been discontinued since 2005, attackers continue to probe and exploit it in their campaigns. Flaws in Boa let attackers read files from the device, from which they can collect information and credentials that provide access to the network.
But the tech giant said the Indian incident was only one of several intrusions in which attackers gained unauthorized access to the targets' infrastructure; according to Microsoft, the most recent was in October 2022.
The Stolen Data Include Financial Records And Employee Information
Details from the intrusion into the Indian energy sector showed that the stolen data included client records, financial records, sensitive employee information, private keys, and engineering drawings.
The common factor among all the IP addresses Microsoft assessed was that they were running Boa servers. Further analysis showed that 10% of the active IP addresses were connected to critical industries, such as the petroleum industry, which suggests the attackers are interested in organizations where a successful breach has high impact and high value.
Many of the same IP addresses also belonged to IoT devices, such as routers, with unpatched flaws. Microsoft noted that it continues to see attacks exploiting Boa vulnerabilities, and attributed the sustained interest to how widely Boa is still deployed, despite its discontinuation in 2005.
Microsoft said its Defender Threat Intelligence platform identified more than 1 million internet-exposed Boa server components around the globe over the span of a single week. The largest concentration of exposed components was in India, with significant numbers also in Brazil and the U.S.
Organizations Should Patch The Flaws To Avoid Being Exposed
Microsoft urged organizations to patch vulnerable devices wherever fixes are available. Because Boa ships inside device firmware, much of the burden falls on network operators, who were advised to discover and inventory the devices running Boa, limit their exposure to the internet, and monitor for exploitation attempts rather than wait for a vendor patch that may never arrive.
Recorded Future also revealed that, apart from targeting the power grid, the same threat actors targeted the national emergency response system and the Indian subsidiary of a multinational logistics company.
Over 1 Million Boa Server Components Discovered Online In One Week
The threat actors used compromised internet-facing DVR/IP camera devices as command and control (C2) servers for their Shadowpad malware infections inside the targeted networks. They also used the open-source tool FastReverseProxy. The security team at Microsoft stated that Boa servers are pervasive across IoT devices because the web server is included in popular software development kits (SDKs).
Microsoft's week-long scan put the number of internet-exposed Boa server components above 1 million. The researchers added that Boa is affected by several known flaws, including information disclosure (CVE-2021-33558) and arbitrary file access (CVE-2017-9833).
Threat actors have continued to exploit Boa vulnerabilities beyond the timeframe of the report, meaning that, despite repeated warnings, the web server remains an active attack vector.
These flaws can be exploited without authentication. By reading files such as the device's passwd file, or by accessing sensitive URIs on the web server, an attacker can extract user credentials and may then be able to execute code remotely on the device.
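The two operator-side checks the article points to, discovering which devices on a network run Boa and spotting the unauthenticated file-reading requests described above, as an added example (not code from Microsoft's or Recorded Future's reports). It assumes the operator has already captured raw HTTP response headers from internal hosts and has web access logs in common log format; Boa identifies itself through its `Server: Boa/<version>` response header. The hosts, version strings, request paths and log lines below are constructed for the example.

```python
"""Added example: inventory Boa web servers from captured HTTP headers and flag
credential-harvesting requests in access logs. Sample data is constructed."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Boa announces itself in the Server header, e.g. "Server: Boa/0.94.14rc21".
BOA_BANNER = re.compile(r"^Server:\s*Boa/(?P<version>\S+)", re.IGNORECASE | re.MULTILINE)

# CVEs named in the article, attached to each finding for triage. This is not a
# claim that every version is affected; confirm against the NVD entries.
BOA_CVES = ("CVE-2017-9833", "CVE-2021-33558")


@dataclass
class Finding:
    host: str
    version: str
    cves: tuple


def identify_boa_services(responses):
    """responses: mapping host -> raw HTTP response header block.
    Returns a Finding for every host whose Server header identifies Boa."""
    findings = []
    for host, raw in responses.items():
        match = BOA_BANNER.search(raw)
        if match:
            findings.append(Finding(host=host, version=match.group("version"), cves=BOA_CVES))
    return findings


# Common log format: src ident authuser [timestamp] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_credential_probes(log_lines):
    """Return (src, raw_path, status) for requests that reach for a passwd file
    or use '..' traversal. The path is percent-decoded twice so %2e%2e and
    %252e%252e encodings are caught as well."""
    hits = []
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        decoded = unquote(unquote(match.group("path")))
        if ".." in decoded or "passwd" in decoded.lower():
            hits.append((match.group("src"), match.group("path"), int(match.group("status"))))
    return hits


# Constructed sample headers: two Boa devices (one lowercase banner) and one nginx host.
SAMPLE_RESPONSES = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "192.0.2.12": 'HTTP/1.0 401 Unauthorized\r\nserver: boa/0.94.13\r\nWWW-Authenticate: Basic realm="DVR"\r\n\r\n',
}

# Constructed sample access-log lines: one plain traversal to passwd, one
# percent-encoded traversal, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2022:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2022:03:14:09 +0000] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1" 200 1187',
    '203.0.113.9 - - [10/Oct/2022:03:15:00 +0000] "GET /backup/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Oct/2022:03:16:42 +0000] "POST /login.cgi HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in identify_boa_services(SAMPLE_RESPONSES):
        print(f"{finding.host}: Boa {finding.version} (discontinued 2005) - review {', '.join(finding.cves)}")
    for src, path, status in flag_credential_probes(SAMPLE_LOG):
        print(f"suspicious request from {src}: {path} -> HTTP {status}")
```

Run against real data, the first function gives the inventory Microsoft recommends building before deciding what to isolate or firewall off, and the second gives a starting detection rule; a 200 response to a traversal request, as in the second sample line, is the case to escalate first, since it indicates the file read succeeded.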
Microsoft said these vulnerabilities have been abused repeatedly. Among the intrusions it pointed to is the October 2022 attack by the Hive ransomware gang on Tata Power, India's largest integrated power company.