Outdated web server software nearly 20 years old was responsible for last month’s intrusion at India’s largest integrated power company, Tata Power, Microsoft says.
Discontinued in 2005, Boa servers have been used to target and compromise several other critical infrastructure organizations globally, Microsoft said in its security blog.
Online digital threat analysis firm Recorded Future first reported in 2021 that Chinese state-sponsored groups were responsible for infecting India’s power supply companies with malware (see: India Fights Against Malware Targeting Power Supply).
The Microsoft Threat Intelligence Center warned that Boa servers were running on IP addresses found on the list of IOCs published last year by Recorded Future and that the electrical grid attack targeted exposed IoT devices running on Boa servers.
On Oct. 14, Tata Power disclosed that a cyberattack had hit its IT infrastructure affecting some of its IT systems. The attack did not affect its operations, but as a precautionary measure, the utility restricted access and performed preventive checks for employee and customer-facing portals and touchpoints, a company spokesperson told Information Security Media Group at the time.
Later that month, the Hive ransomware gang posted data on its dark web leak site and claimed the information had been stolen from Tata Power’s networks.
Message posted on the Hive dark web leak site (Source: ISMG)
The stolen data includes employee information such as emails, addresses, passports, phone numbers, payments, working hours, taxpayer’s information, confidential signed contracts, nondisclosure agreements and other sensitive documents, the Hive ransomware gang claimed on its leak site.
A Tata Power spokesperson declined to comment on the group’s claims and the latest findings by Microsoft.
Boa Server Vulnerabilities
Although it was formally discontinued in 2005, the Boa web server is still widely deployed across a range of IoT devices, from routers to cameras, Microsoft says. These findings corroborate Recorded Future’s report, which says the threat group likely compromised an undisclosed Indian power company and exploited and co-opted internet-facing DVR/IP camera devices for command and control to spread ShadowPad malware infections.
Microsoft Defender threat intelligence identified over 1 million internet-exposed Boa server components around the world over a span of one week.
Microsoft identified over 1 million internet-exposed Boa server components worldwide. (Source: Microsoft)
Exploiting these vulnerabilities is particularly concerning because no authentication is required, which makes affected devices attractive targets. Once attackers have gained access to a device, the vulnerabilities also give them remote code execution and let them read the device’s passwd file, helping them exfiltrate critical server and user information.
Boa servers are often used to serve the settings and management consoles, as well as the sign-in screens, of these devices.
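Because a Boa server typically announces itself in the HTTP `Server` response header, a defender can inventory which hosts on their own networks still run it from proxy or scanner output and prioritise firmware updates or segmentation for those devices. The following Python is an added example, not code from Microsoft, Recorded Future or ISMG; the log records are constructed, the record layout is assumed, and the banner format `Boa/<version>` is an assumption about how the header appears.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one record per HTTP response observed by an internal
# scanner or proxy. Layout (assumed for this example):
#   "<host> <status> <Server header value>"  ("-" when no header was returned)
SAMPLE_RECORDS = """\
10.0.12.7 200 Boa/0.94.14rc21
10.0.12.9 200 nginx/1.22.1
10.0.13.4 401 Boa/0.94.13
10.0.13.5 200 Apache/2.4.54 (Debian)
10.0.14.2 200 boa/0.93.15
10.0.14.3 302 -
"""

# Match a Boa banner case-insensitively and capture the version string.
BOA_BANNER = re.compile(r"^boa/(?P<version>[\w.\-]+)", re.IGNORECASE)


@dataclass(frozen=True)
class BoaHost:
    host: str
    status: int
    version: str


def parse_record(line: str) -> Optional[Tuple[str, int, str]]:
    """Split one record into (host, status, server banner); None if malformed."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    host, status, server = parts
    return host, int(status), server


def find_boa_hosts(records: str) -> List[BoaHost]:
    """Return every host whose Server header identifies the Boa web server."""
    found: List[BoaHost] = []
    for line in records.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        host, status, server = parsed
        match = BOA_BANNER.match(server)
        if match:
            found.append(BoaHost(host, status, match.group("version")))
    return found


def version_summary(hosts: List[BoaHost]) -> Counter:
    """Count Boa hosts per version so the oldest builds can be triaged first."""
    return Counter(h.version for h in hosts)


if __name__ == "__main__":
    boa_hosts = find_boa_hosts(SAMPLE_RECORDS)
    for h in boa_hosts:
        print(f"{h.host}\tHTTP {h.status}\tBoa {h.version}")
    print("by version:", dict(version_summary(boa_hosts)))
```

Feeding real scanner output through `find_boa_hosts` yields the list of devices to isolate from the internet or replace; the per-version count from `version_summary` is a convenient way to see how much of the fleet is on a single discontinued build.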