Microsoft released a report on Tuesday describing vulnerabilities in the Boa web server, an open-source component that Microsoft does not make but found embedded throughout the IoT supply chain. The report follows attacks on energy infrastructure in India that allegedly exploited the same vulnerabilities.
Although development of Boa was discontinued in 2005, the server is still bundled in software development kits (SDKs), routers, and IP cameras.
Because discontinued software no longer receives security updates, attackers have actively targeted the infrastructure that runs it.
Boa server vulnerability report from Microsoft
Although Tuesday's report is the first time Microsoft has publicly addressed these vulnerabilities, security researchers identified attacks involving Boa servers in April 2022. In those attacks, Chinese state-sponsored actors compromised Internet of Things (IoT) devices and used them against organizations that regulate energy infrastructure in India.
Vulnerabilities in abandoned components are attractive to attackers precisely because they will not be fixed upstream. In the report, titled ‘Vulnerable SDK components create supply chain risks in IoT and OT environments’, Microsoft covers three findings: internet-exposed Boa servers, suspicious IP addresses tied to the Indian intrusions, and vulnerable SDKs.
According to the report, the Microsoft Defender Threat Intelligence platform identified more than one million internet-exposed Boa server components around the world in the span of a single week. The highest concentrations of Boa servers are in India, South Korea, and Taiwan.
By exploiting these vulnerabilities, attackers run shell commands on the device and mount brute-force attacks against its credentials, then use that foothold to take control of critical processes.
The report also lists suspicious IP addresses tied to the activity, 10% of which belong to critical infrastructure sectors such as petroleum, electricity, and fleet services.
The list of suspicious IP addresses includes:
The remaining findings concern SDK vulnerabilities: CVE-2021-35395, in the management web server shipped with Realtek’s SDK, and CVE-2022-27255, a zero-click remote code execution vulnerability, also in Realtek SDK code, that is said to affect millions of devices globally.
To make matters worse, SDKs can ship with Boa built in. The Realtek SDK, for example, is used by manufacturers of routers, access points, and other gateway devices.
Attackers have repeatedly exploited the Realtek SDK to execute code, take over devices, deploy botnets, and move laterally across networks.
Exploiting known security vulnerabilities
Cybersecurity firm Recorded Future had earlier documented Chinese state-sponsored cyberattacks against India’s power grid in a detailed report.
The report highlighted attacks targeting State Load Despatch Centres (SLDCs), which carry out real-time grid control operations and dispatch electricity.
SLDCs maintain grid frequency and stability, and they do so through supervisory control and data acquisition (SCADA) systems, which is what makes them valuable targets.
Tata Power – a potential target
Although investigators have not yet confirmed it, many believe the Boa server vulnerabilities were behind the October attack on Tata Power Company Limited.
In a regulatory filing dated October 14, 2022, the energy conglomerate stated:
“Tata Power Company Limited has been subjected to a cyberattack on its IT infrastructure affecting some of its IT systems. The company has taken steps to retrieve and restore systems. All critical operating systems are functional; however, as an ample precaution, access restrictions and precautionary checks have been put in place for staff and customer-facing gateways and touchpoints.”
These attacks mainly affected the northern region of India. They began in late 2021 and continued into 2022.
However, Recorded Future confirmed in a statement that Boa is not the only vulnerable component attackers have used to target Indian OT infrastructure:
“In addition to targeting power grid assets, we also identified the compromise of the National Emergency Response System and the Indian branch of a multinational logistics company by the same threat activity group… To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source FastReverseProxy tool.”
How do you protect yourself from security vulnerabilities?
Towards the end of the report, Microsoft outlined recommendations for countering these exploits:
- Patch vulnerable devices promptly and keep them patched
- Identify devices with vulnerable components using Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint
- Remove unnecessary internet connections to reduce the overall attack surface
- Run proactive antivirus scans
- Configure detection rules for suspicious activity
- Adopt a comprehensive IoT and OT security solution (such as Microsoft Defender for IoT)
- Extend vulnerability and risk detection beyond the firewall to find internet-exposed infrastructure that is running Boa server components
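As an added, constructed example (not code from Microsoft’s report or from any product it names), the Python below shows the simplest form of the check behind both the one-million-exposed-servers figure earlier on this page and the last recommendation above: fingerprint HTTP responses collected by an external scan by their Server banner and flag every Boa instance as end of life, since the project’s final release, 0.94.14rc21, dates from 2005. The hosts and responses are constructed sample data in the RFC 5737 documentation range, and the function names are the example’s own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Boa announces itself in the HTTP Server header, e.g. "Server: Boa/0.94.14rc21".
# 0.94.14rc21 (2005) was the project's last release, so any Boa banner is an
# end-of-life component. Banner fingerprinting is a first pass only: a device
# that strips or rewrites the header is missed, and a banner can be spoofed.
BOA_FINAL_RELEASE = "0.94.14rc21"
BOA_BANNER = re.compile(r"^Boa/(?P<version>[0-9A-Za-z.\-]+)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    server: Optional[str]       # raw Server header, if any
    boa_version: Optional[str]  # parsed Boa version, if the banner matched
    end_of_life: bool           # True for every Boa instance


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response into a dict of lower-cased header names.

    Only the head (status line plus headers) is parsed; the body is ignored.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(host: str, raw_response: str) -> Finding:
    """Classify one host's HTTP response as Boa / not Boa."""
    headers = parse_headers(raw_response)
    server = headers.get("server")
    version = None
    if server is not None:
        match = BOA_BANNER.match(server)
        if match:
            version = match.group("version")
    return Finding(host=host, server=server, boa_version=version,
                   end_of_life=version is not None)


def exposed_boa_hosts(responses: Dict[str, str]) -> List[str]:
    """Return the hosts whose banner identifies an (unsupported) Boa server."""
    return sorted(host for host, raw in responses.items()
                  if fingerprint(host, raw).boa_version is not None)


# Constructed sample responses for illustration only; not real scan data.
SAMPLE_RESPONSES: Dict[str, str] = {
    "192.0.2.10": ("HTTP/1.0 200 OK\r\n"
                   "Server: Boa/0.94.14rc21\r\n"
                   "Content-Type: text/html\r\n\r\n"
                   "<html><body>camera login</body></html>"),
    "192.0.2.11": ("HTTP/1.1 200 OK\r\n"
                   "Server: nginx/1.22.1\r\n\r\n"),
    "192.0.2.12": ("HTTP/1.0 401 Unauthorized\r\n"
                   "WWW-Authenticate: Basic realm=\"DVR\"\r\n"
                   "Server: Boa/0.93.15\r\n\r\n"),
    # Banner stripped: not flagged here, so it needs manual follow-up.
    "192.0.2.13": "HTTP/1.1 200 OK\r\n\r\n",
}


if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        f = fingerprint(host, raw)
        if f.boa_version:
            print(f"{host}: Boa {f.boa_version} (END OF LIFE)")
        else:
            print(f"{host}: {f.server or 'no Server header'}")
```

Running the block lists 192.0.2.10 and 192.0.2.12 as end-of-life Boa instances. Hosts with no Server header, like 192.0.2.13, are the ones an inventory based on banners alone will miss, which is why Microsoft's recommendation pairs external exposure scanning with component-level vulnerability management on the devices themselves.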
Unlike social engineering or brute-force attacks, exploiting a known vulnerability meets little resistance. And despite extensive reporting of such cases, the vulnerabilities persist.
Unfortunately, a device vendor’s firmware update does not necessarily carry fixes for the specific SDKs and components buried inside the product. This means that even companies with sound security practices still carry residual risk from components they cannot patch directly.
In addition, attackers routinely exploit such outdated components through multiple attack vectors.
In such a situation, companies should engage specialized security providers to conduct a comprehensive network security assessment, so that customers’ sensitive data is protected.
Protecting critical infrastructure
In recent years, attacks on critical infrastructure, such as electricity distribution and oil and gas, have increased. Protecting critical infrastructure has become the need of the hour in the face of increasingly malicious cyber attacks.
Surprisingly, security patches that fix these vulnerabilities often do exist, but companies rarely apply them. As a result, attackers easily infiltrate these vulnerable networks and exfiltrate information.
Ensuring that the network is fully protected against such attacks will be essential to the widespread adoption of the IoT economy.