While investigating an April compromise of the Indian power grid in Ladakh, Microsoft researchers found that attackers are exploiting the Boa web server, which is used widely across IoT devices such as routers and security cameras, to target power grids and organisations in the energy sector.
Boa is an open-source web server component whose vulnerabilities are easy to exploit. Although the project was retired in 2005, the server is still widely used in routers, security cameras and even several popular software development kits (SDKs).
The researchers’ analysis identified two vulnerabilities in Boa: a high-severity information disclosure bug tracked as CVE-2021-33558, and an arbitrary file access flaw tracked as CVE-2017-9833. Their report indicates that attackers are actively attempting to exploit both.
Additionally, the Realtek SDK used to program the SoCs in devices such as routers, access points and repeaters, which itself ships the Boa web server, has two major vulnerabilities tracked as CVE-2021-35395 and CVE-2022-27255. Although Realtek has issued patches for these weaknesses, they reportedly still affect millions of devices worldwide. Further, Realtek’s patches solve only part of the problem, as the Boa web server vulnerabilities themselves are not addressed by those fixes.
Within the span of a single week, the researchers were able to pinpoint nearly one million Boa server components worldwide that are publicly exposed on the internet. This poses a supply chain risk that can affect millions of organisations running critical infrastructure.
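The exposure count above comes from spotting Boa by its HTTP banner, and a defender can run the same kind of inventory check over their own network. The following is an added example, not code from the article or from Microsoft's report: it parses a set of constructed HTTP responses (the hosts and banners are made up, not real devices or captured traffic), flags any device that identifies itself as Boa, and attaches the two Boa CVE identifiers named in the article as a reminder of what to check. Because Boa was retired in 2005, every Boa banner is treated as a finding regardless of version; no version-to-CVE mapping is assumed.

```python
"""
Added example (not from the original article): an offline inventory check
that flags devices on a network you administer whose HTTP Server header
identifies the Boa web server. Any Boa banner is a finding, since the
project was retired in 2005 (per the article); the CVE ids are attached
as a checklist, not as a version-specific match.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample responses: hypothetical hosts and banners, not real data.
SAMPLE_RESPONSES: Dict[str, str] = {
    "10.0.0.11": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>",
    "10.0.0.12": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"router\"\r\nServer: Boa/0.94.13\r\n\r\n",
    "10.0.0.13": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Type: text/html\r\n\r\n<html>",
    "10.0.0.14": "HTTP/1.1 200 OK\r\nserver: lighttpd/1.4.59\r\n\r\n",  # lowercase header name
    "10.0.0.15": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",  # no Server header
}

# Boa CVE identifiers as quoted in the article.
BOA_CVES: Tuple[str, ...] = ("CVE-2021-33558", "CVE-2017-9833")

# Matches "Boa" or "Boa/<version>" as the first product token of the banner;
# the trailing (?:\s|$) prevents a product merely starting with "Boa" from matching.
_BOA_RE = re.compile(r"^Boa(?:/(\S+))?(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    server_banner: str
    boa_version: Optional[str]          # None when the banner carries no version
    related_cves: Tuple[str, ...] = field(default_factory=tuple)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a dict with lowercased names."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_response(host: str, raw: str) -> Optional[Finding]:
    """Return a Finding if the response advertises the Boa web server, else None."""
    banner = parse_headers(raw).get("server")
    if banner is None:
        return None
    match = _BOA_RE.match(banner)
    if not match:
        return None
    return Finding(host=host, server_banner=banner,
                   boa_version=match.group(1), related_cves=BOA_CVES)


def inventory(responses: Dict[str, str]) -> List[Finding]:
    """Run the banner check over every collected response and collect the findings."""
    return [f for f in (check_response(h, r) for h, r in responses.items()) if f is not None]


if __name__ == "__main__":
    for finding in inventory(SAMPLE_RESPONSES):
        version = finding.boa_version or "unknown version"
        print(f"{finding.host}: Boa ({version}), retired server; review {', '.join(finding.related_cves)}")
```

The check deliberately keys on the banner rather than on a version threshold: the article's point is that vendor SDK patches (such as Realtek's) can leave the Boa component in place, so a device that has been patched at the SDK level may still need to appear in this inventory. Devices that strip the Server header will not be caught by this check and need a different fingerprinting approach.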
According to Microsoft, the most recent example of the kind of attack these vulnerabilities can enable is the Hive ransomware gang’s attack on Tata Power, another Indian critical infrastructure organisation and a subsidiary of the Tata Group.