Barely a few months after Tata Power reported a cyberattack on its installations, Microsoft has now warned that hackers are exploiting an old web server found across some common IoT devices to target companies operating in the energy sector.
Microsoft researchers claim to have discovered an open source component in the Boa web service that continues to be widely used in a range of routers and security cameras, in addition to popular software development kits. The vulnerable component was retired in 2005, at least 17 years ago, and hasn’t been updated since.
In a report published earlier this week, Microsoft said its researchers identified the faulty component while probing the suspected grid intrusion at Tata Power, where a Chinese state-sponsored attacker used IoT devices to gain access to the operational technology networks.
A million instances within a week
The report said that a million internet-exposed Boa server components have been found globally in the span of just one week. Microsoft warned that the vulnerable component poses a supply chain risk that could potentially affect millions of organizations as well as many millions of devices globally.
Readers may recall that Tata Power had confirmed the cyberattack impacting some of its IT systems. It announced that the teams had taken steps to retrieve and restore them. “All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer-facing portals and touchpoints,” it had said in a statement.
The company, which generates, transmits and retails power across multiple locations in India and has set its sights on doubling its clean energy to 60% of its current capacity within the next five years, did not share any specifics of the cyberattack at that point in time.
Tata Power attack wasn’t a small one
Now, however, Microsoft has come out with this report, which also says it sees more attackers attempting to exploit these Boa flaws, which include a high-severity information disclosure bug and another arbitrary file access flaw.
“The known [vulnerabilities] impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials,” says Microsoft while also noting that this can allow the attackers to have a “much greater impact” once the attack is initiated.
The big tech company said the latest instance of such an attack was the Tata Power incident in October, where the breach reportedly resulted in the Hive ransomware group publishing data stolen from the enterprise. The data included sensitive staff information, some engineering drawings, financial and bank records, customer records and some private keys.
The company’s report has warned that mitigating the Boa flaws could be tough due to the popularity of the now-defunct web server as well as the complex manner in which it has been built into the IoT device supply chain. Microsoft has therefore recommended that companies and network operators patch vulnerable devices where possible, identify devices and vulnerable components, and configure detection rules to locate any malicious activity.