Microsoft Security Vulnerabilities in Web Server discontinued since 2005 used to target and compromise organizations in the energy sector

Wednesday, November 23, 2022 • 8:40 EST

Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector.

As cybersecurity company Recorded Future revealed in a report published in April, state-backed Chinese hacking groups (including one tracked as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.

"In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group," Recorded Future said.

"To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy."

While Recorded Future didn't expand on the attack vector, Microsoft said today that the attackers exploited a vulnerable component in the Boa web server, a software solution discontinued since 2015 that's still being used by IoT devices (from routers to cameras).

"Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report's release and that the electrical grid attack targeted exposed IoT devices running Boa."

The Microsoft Security Threat Intelligence team said today that Boa servers are pervasive across IoT devices mainly because of the web server's inclusion in popular software development kits (SDKs).

According to Microsoft Defender Threat Intelligence platform data, more than 1 million internet-exposed Boa server components were detected online worldwide within a single week.

Because Boa is one of the components used for signing in to and accessing the management consoles of IoT devices, this significantly increases the risk of critical infrastructure being breached via vulnerable, Internet-exposed devices running the outdated web server.
