"Hackers Breach Energy Orgs via Bugs in Discontinued Web Server"

Microsoft has announced that security flaws impacting a web server that has been discontinued since 2005 were used to target and compromise organizations in the energy sector. According to a report published in April by cybersecurity firm Recorded Future, state-backed Chinese hacking groups, including one identified as RedEcho, targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company. The attackers gained access to the hacked entities' internal networks by using Internet-exposed cameras on their networks as command-and-control (C2) servers. According to Recorded Future, the group likely compromised and co-opted Internet-facing DVR/IP camera devices for C2 of Shadowpad malware infections, and used the open-source tool FastReverseProxy, to accomplish this. Microsoft said the attackers took advantage of a flaw in the Boa web server, a software solution that has been discontinued but is still used by Internet of Things (IoT) devices such as routers and cameras. Since Boa is one of the components used for signing in and accessing IoT device management consoles, it significantly raises the risk of critical infrastructure being breached via vulnerable and Internet-exposed devices running the vulnerable web server. According to the Microsoft Security Threat Intelligence team, Boa servers are widespread across IoT devices due to the web server's inclusion in popular Software Development Kits (SDKs). More than 1 million Internet-exposed Boa server components were detected online worldwide in a single week, according to Microsoft Defender Threat Intelligence platform data. Several known vulnerabilities affect Boa servers, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). Attackers can exploit these security flaws without authentication to remotely execute code after stealing credentials by accessing sensitive files on the targeted server. This article continues to discuss the exploitation of security vulnerabilities in a discontinued server to compromise energy sector organizations. 

Bleeping Computer reports "Hackers Breach Energy Orgs via Bugs in Discontinued Web Server"