In a report released Tuesday, Microsoft researchers said they found a vulnerable open-source component in the Boa web server, which is still used in various routers and security cameras, as well as in popular software development kits (SDKs). This is despite the fact that support for the component itself ended back in 2005.
The tech giant discovered the component while investigating the cyberattacks on Indian power grids that Recorded Future had exposed. In that campaign, Chinese state hackers were behind a series of attacks that hit at least seven Indian control centers that manage the power grid in real time.
Microsoft said it had identified a million internet-exposed Boa server components worldwide within one week, warning that the vulnerable component is a supply chain risk that could affect millions of organizations and devices. The company added that it continues to see attackers attempt to exploit Boa vulnerabilities (CVE-2021-33558, CVE-2017-9833). These security holes allow attackers to conduct reconnaissance before launching attacks and to quietly gain access to the network if they have the right credentials.
Microsoft said the last Boa attack it observed was the Tata Power hack in October. In that incident, the Hive group published on the dark web data stolen from the largest integrated energy company in India. The attackers had obtained confidential information about employees, engineering drawings, financial and banking records, customer data and some private keys.
“We continue to see attackers attempt to exploit Boa vulnerabilities after the release of the report, which indicates that this vulnerability is still being exploited as an attack vector,” Microsoft said.
The IT giant now recommends that organizations and network operators close gaps in vulnerable devices whenever possible, identify devices with vulnerable components, and tune systems to detect malicious activity.