Energy organizations hacked through discontinued web server vulnerabilities
Organizations in the energy industry, including several electrical grid operators in India, that Recorded Future initially reported as compromised by state-sponsored Chinese hacking groups were found by Microsoft researchers to have been breached through the exploitation of vulnerabilities in the Boa web server, which has remained prevalent despite being discontinued in 2005, BleepingComputer reports.
More than 1 million Boa server components remain exposed to the internet, with the server's pervasiveness attributed to its inclusion in widely used software development kits, a report from the Microsoft Security Threat Intelligence Team revealed. Several of the server's flaws, including an arbitrary file access bug tracked as CVE-2017-9833 and an information disclosure vulnerability tracked as CVE-2021-33558, could be leveraged to achieve remote code execution, according to Microsoft.
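Because Boa is discontinued and ships inside SDKs, the practical first step for a defender is finding where it is running at all. The following Python inventory check is an added example, not code from the article, Microsoft, Recorded Future or BleepingComputer: it scans captured HTTP response headers for the Boa `Server:` banner and turns each hit into a finding tagged with the two CVEs the article names. The host addresses, banners and version strings are constructed sample data (they are not the IoCs referenced in the article), and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: raw HTTP response header blocks as an internal asset
# scanner might capture them. Hosts and banners are hypothetical, not real devices.
SAMPLE_RESPONSES: Dict[str, str] = {
    "10.0.5.21": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.5.22": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Type: text/html\r\n\r\n",
    "10.0.5.23": "HTTP/1.0 200 OK\r\nServer: Boa/0.93.15\r\n\r\n",
    "10.0.5.24": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n",
}

# CVE identifiers exactly as the article lists them for Boa; this code does not
# test for the vulnerabilities, it only associates them with identified Boa hosts.
BOA_CVES: Tuple[str, ...] = ("CVE-2017-9833", "CVE-2021-33558")

# Match a "Server: Boa/<version>" header line; \s*$ tolerates the trailing \r.
BOA_SERVER_RE = re.compile(r"^Server:\s*Boa/([\w.\-]+)\s*$", re.IGNORECASE | re.MULTILINE)


@dataclass(frozen=True)
class BoaFinding:
    host: str
    version: str
    cves: Tuple[str, ...]
    note: str


def boa_version(raw_headers: str) -> Optional[str]:
    """Return the Boa version from a response header block, or None if not Boa."""
    match = BOA_SERVER_RE.search(raw_headers)
    return match.group(1) if match else None


def find_boa_servers(responses: Dict[str, str]) -> List[BoaFinding]:
    """Scan captured responses and return one finding per host running Boa.

    Every Boa version is flagged: the project was discontinued in 2005, so there
    is no supported release to upgrade to; the remediation is replacement or
    network isolation of the device.
    """
    findings: List[BoaFinding] = []
    for host, raw in responses.items():
        version = boa_version(raw)
        if version is None:
            continue
        findings.append(
            BoaFinding(
                host=host,
                version=version,
                cves=BOA_CVES,
                note="Boa web server discontinued in 2005; isolate or replace device",
            )
        )
    return findings


def summarize(findings: List[BoaFinding]) -> List[str]:
    """Render findings as one report line per host for a ticket or SIEM note."""
    return [
        f"{f.host}: Boa/{f.version} exposed; review {', '.join(f.cves)}; {f.note}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in summarize(find_boa_servers(SAMPLE_RESPONSES)):
        print(line)
```

In a real deployment the `SAMPLE_RESPONSES` dictionary would be replaced by banner data from an internal scan or from the organization's attack-surface monitoring, and the findings fed to asset management so that devices embedding Boa (typically IoT and embedded products built on older SDKs) are pulled off internet-facing segments.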
Such vulnerabilities were most recently exploited by the Hive ransomware operation in its attack against Tata Power, the largest integrated power firm in India, last month.
"Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report's release and that the electrical grid attack targeted exposed IoT devices running Boa," said Microsoft.