Microsoft has warned that cybercriminals are exploiting a long-discontinued web server. In an analysis published on the company’s blog on Tuesday, it said Microsoft researchers had discovered a vulnerable component in the open-source Boa web server.
What is the Boa web server?
It is an open-source web server that is still widely used across a range of platforms, including routers and security cameras, as well as popular software development kits (SDKs), even though the software has been discontinued since 2005.
The US tech giant identified the component while investigating a suspected intrusion into an Indian electrical grid, first detailed by Recorded Future in April, in which attackers sponsored by China’s government exploited Internet of Things devices to gain a foothold on operational technology networks. Operational technology networks are used to monitor and control industrial systems.
Microsoft said it had identified 1 million vulnerable Boa server components exposed globally in just one week, warning that the component poses a “supply chain risk that could affect millions of organizations and devices.”
Microsoft said: “Known vulnerabilities affecting these components could allow attackers to gather information about network assets before launching attacks, and gain access to a network undetected by obtaining valid credentials.” It added that this could increase the attackers’ impact immediately after an attack begins.
Microsoft said the most recent attack it had observed was the Tata Power hack last October.
That breach led to the Hive ransomware group publishing data stolen from the Indian energy giant, including sensitive employee information, engineering drawings, financial and banking records, customer records, and some private keys.
“Microsoft continues to witness attackers attempting to exploit Boa vulnerabilities,” the company said. The company warned that mitigating Boa’s flaws is difficult because of the continued popularity of the now-defunct web server and the complex way in which it is embedded in the supply chain of IoT devices.
Microsoft recommends that organizations and network operators patch vulnerable devices where possible, identify devices that contain vulnerable components, and configure detection rules to identify malicious activity.
Microsoft’s warning once again highlights the supply chain risks posed by vulnerabilities in widely used network components. Log4Shell, a vulnerability in Log4j, the open-source Apache logging library, that was exploited last year, is estimated to have affected more than three billion devices.