Microsoft says discontinued Boa web server allows hackers to attack energy orgs

Microsoft confirmed that malicious hackers are exploiting a vulnerable open-source component in the discontinued web server Boa to target energy sector organizations. It said that one of the first attacks was executed by Chinese hackers on the Indian electric grid but also warned that the issue “may affect millions of organizations and devices.”

“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials,” says Microsoft in a blog post. “In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.”

Boa servers are found on usual Internet of Things (IoT) devices (e.g., security cameras, routers, and software development kits) though it has been retired since 2005. They are used to access settings and management consoles and sign-in screens of the devices.

Microsoft identified over 1 million internet-exposed Boa server components in just a week alone. Given this massive continuous use of the discontinued web server and other complexities, Microsoft admitted that mitigating the problem could be hard.

“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” Microsoft explains. “Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”

The energy sector is an attractive target for hackers, and Microsoft said that the vulnerability exploitation continues. With this, the Redmond company suggested to organizations at risk of attacks to establish their own protections. According to it, in addition to identifying the devices organizations are using that could be at risk of attacks, they need to execute patches and set up configurations to spot attacks easily. One of the first organizations to observe this is the U.S. Department of Energy, which started to make changes to strengthen its cybersecurity defenses better in March.