New research from Microsoft has tied a series of attacks in India that occurred in April to outdated Boa web servers. In April, state-backed Chinese hacking groups targeting the Indian National Emergency Response System as well as multiple Indian electrical grid operators and logistics companies. The report from Recorded Future indicated that the threat actors “likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open-source tool FastReverseProxy”. While Recorded Future did not elaborate on the initial attack vector, Microsoft has since indicated that the compromise stemmed from a vulnerable component in the Boa web server.
Boa Web Server is a web server that was discontinued in 2005. Although being discontinued, Boa web servers are still pervasive in Internet of Things (IoT) devices, being used as one of the components for signing in an accessing their management consoles. Microsoft assesses that the web servers are likely so pervasive in these devices due to Boa’s inclusion in popular software development kits (SDKs). Boa web servers are affected by several known vulnerabilities including CVE-2017-9833 (arbitrary file access) and CVE-202133559 (information disclosure). Microsoft has noted that the vulnerabilities in Boa are being actively exploited, with one of the latest cases where it was used by Hive Ransomware to breach Tata Power.
This new research from Microsoft highlights two of the main issues that plague the cybersecurity industry – legacy software/hardware and the Internet of Things.
First, we’ll touch on legacy software/hardware. Legacy software/hardware is old software that is still in use within an environment. While in this case, it was likely unknowingly used by the breached companies due to being within 3rd party devices, legacy software/hardware is something that most large corporations have in their environment due to their being no recent replacement for their own applications. This software/hardware is often vulnerable as it ages without updates, which can leave an environment as a whole vulnerable.
While legacy software/hardware is what was responsible for the breach in this case, the larger issue challenging the cybersecurity industry is the Internet of Things (IoT). In simple terms, the Internet of Things is essentially a network of physical objects that are not computers/servers that are connected to the internet – such as cameras, smart TVs, smart thermostats, etc. As was seen in this breach, these devices are often not made with security in mind and these devices are often not the most up to date. As IoT devices are becoming more and more prevalent in enterprise environments, this leads to a greater amount of potential attack vectors for a threat actor, making the environment less secure. As an organization, it is best practice to attempt to decommission legacy software/hardware wherever possible, finding similar current solutions or rotating it out entirely in favor of something completely new. It is also advised to properly vet and test and new devices that are going to be connected to the network, and ensure they are properly configured with the least amount of privilege possible.