New research from Microsoft has tied a series of attacks in India that occurred in April to outdated Boa web servers. In April, state-backed Chinese hacking groups targeted the Indian National Emergency Response System as well as multiple Indian electrical grid operators and logistics companies. The report from Recorded Future indicated that the threat actors “likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open-source tool FastReverseProxy”. While Recorded Future did not elaborate on the initial attack vector, Microsoft has since indicated that the compromise stemmed from a vulnerable component in the Boa web server.
Boa is a web server that was discontinued in 2005. Despite being discontinued, Boa web servers are still pervasive in Internet of Things (IoT) devices, where they serve as one of the components for signing in to and accessing the devices' management consoles. Microsoft assesses that the web server is likely so pervasive in these devices because of Boa’s inclusion in popular software development kits (SDKs). Boa web servers are affected by several known vulnerabilities, including CVE-2017-9833 (arbitrary file access) and CVE-2021-33559 (information disclosure). Microsoft has noted that the vulnerabilities in Boa are being actively exploited, one of the most recent cases being their use by the Hive ransomware group to breach Tata Power.