Cybercriminals Exploit Microsoft Boa Server, Target Indian Power Grid

Microsoft released a statement on Tuesday indicating vulnerabilities in its Boa server. The statement comes after cybercriminals allegedly targeted India’s energy infrastructure exploiting the same vulnerabilities. 

Although Microsoft discontinued Boa web servers in 2005, they’re still used in software development kits (SDKs), routers, and security cameras.   

Since discontinued servers can’t patch their vulnerabilities with regular security updates, cybercriminals have been actively targeting infrastructures using them. 

Microsoft’s Boa Server Vulnerability Report

While Microsoft publicly admits the vulnerabilities for the first time with the statement issued Tuesday, cybersecurity experts had identified attacks exploiting the Boa server in April 2022. During those attacks, Chinese state-sponsored cybercriminals had hacked into Internet-of-things (IoT) devices regulating India’s power infrastructure.

Unfortunately, cybercriminals find Microsoft security vulnerabilities easy to exploit. In the report issued on Tuesday, titled ‘​​Vulnerable SDK components lead to supply chain risks in IoT and OT environments,’ Microsoft has outlined some vulnerabilities, including Boa servers, suspicious IP addresses, and vulnerable SDKs. 

According to the report, Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world. High concentrations of Boa servers are in India, South Korea, and Taiwan. 

Exploiting these vulnerabilities, cybercriminals use shell commands and brute-force attacks to take over control of critical operations. 

Moreover, the report also shows suspicious IP address headers, 10% of which belong to critical infrastructure industries, such as petroleum, electricity, and fleet services. 

The list of suspicious IP addresses includes:

• 122[.]117[.]212[.]65
• 103[.]58[.]93[.]133
• 125[.]141[.]38[.]53
• 14[.]45[.]33[.]239
• 14[.]55[.]86[.]138
• 183[.]108[.]133[.]29
• 183[.]99[.]53[.]180
• 220[.]94[.]133[.]121
• 58[.]76[.]177[.]166

Other vulnerabilities include SDK vulnerabilities: CVE-2021-35395 (related to Realtek’s SDK) and CVE-2022-27255, a zero-click overflow vulnerability that reportedly affects millions of devices globally. 

To make matters worse, SDKs may have embedded Boa web servers. One such SDK that manufacturers use in making routers, access points, and other gateway devices is the Realtek SDK. 

Cybercriminals have frequently exploited the Realtek SDK to launch code, compromise devices, deploy botnets, and move horizontally across networks. 

Exploiting Known Security Vulnerabilities

Recorded Future, a cybersecurity company, had earlier provided evidence of Chinese state-sponsored cyberattacks against the Indian power grid in a detailed report. 

The report highlighted attacks against State Load Despatch Centres (SLDCs), which are responsible for carrying out grid control and electricity dispatch operations. 

Essentially, the SLDCs maintain grid frequency and stability by accessing Supervisory Control and Data Acquisition (SCADA) systems. 

Tata Power Company—The Potential Target

Though investigators haven’t confirmed it yet, many believe the Microsoft Boa server vulnerability to be the cause of the attack against Tata Power Company Limited in October. 

In a regulatory filing dated Oct. 14, 2022, the power conglomerate stated:

“The Tata Power Company Limited had a cyber attack on its IT infrastructure impacting some of its IT systems. The Company has taken steps to retrieve and restore the systems. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points.”

These attacks have mainly affected the northern Indian region. They started in late 2021 and have continued throughout 2022. 

However, Recorded Future asserted in a statement that the Microsoft Boa server isn’t the only security vulnerability that cybercriminals have used to target the Indian OT infrastructure:

“In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group…To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy”

How to Protect Yourself Against Security Vulnerabilities?

Towards the end of the vulnerability report, Microsoft has outlined recommendations to counter exploitative attacks:

• Patch vulnerable devices frequently 
• Identify devices with vulnerable components using Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint software
• Remove unnecessary internet connections to reduce the overall attack surface 
• Use antivirus software regularly 
• Set rules to detect suspicious activity
• Adopt a secure Internet-of-Things solution to prevent cybercrime variants 
• Detect internet-exposed infrastructure with boa server components beyond the firewall using specialized software. 

As opposed to conducting social engineering or brute-force attacks, cybercriminals can easily exploit security vulnerabilities without encountering much resistance. And, despite the extensive reporting of such cases, security vulnerabilities continue to exist. 

Unfortunately, firmware updates don’t patch SDKs or specific components of a given product. This means that even if companies adopt security practices, certain threats will remain. 

Additionally, cybercriminals routinely exploit older Microsoft products using multiple attack vectors. 

In such a situation, businesses need to hire dedicated security providers to conduct a thorough assessment of network security. Following this, business owners can protect customers’ sensitive data. 

Safeguarding Critical Infrastructure

In recent years, attacks on critical infrastructures, like electricity distribution, petroleum, and gas, have increased. Critical infrastructure protection has become a need of the hour in the face of more damaging cyberattacks. 

Surprisingly, security patches do exist that identify and fix vulnerabilities, but businesses rarely use them. As a consequence, cybercriminals easily infiltrate these vulnerable networks and retrieve information. 

Ensuring complete network protection against such attacks would be essential for the widespread adoption of the IoT economy.