Attackers are using decommissioned Boa web server on energy grids

Share post:

Microsoft is warning organizations about the risks associated with the decommissioned Boa web server, which was apparently exploited by threat actors in an operation targeting the energy sector.

Despite the software’s retirement in 2005, Microsoft researchers discovered a vulnerable open-source component in the Boa web server, which is still widely used in a variety of routers and security cameras, as well as popular software development kits (SDKs).

Microsoft also looked into the IP addresses associated with those IoCs and discovered that they were hosting Boa, an open-source web server designed for embedded applications. The issue is that while Boa has been decommissioned since 2005, it is still present in many IoT devices.

While Boa is no longer maintained, vulnerabilities in the web server continue to be discovered, including CVE-2017-9833, which allows arbitrary file access, and CVE-2021-33558, which can result in information disclosure.

An unauthenticated attacker, according to Microsoft, could exploit these vulnerabilities to obtain user credentials and use them for remote code execution.

The flaw was discovered while investigating a possible Indian electric grid intrusion in which Chinese state-sponsored attackers used IoT devices to gain access to operational technology (OT) networks, which are used to monitor and control physical industrial systems.

Other targets included a number of State Load Despatch Centres (SLDCs), which are in charge of grid control and electricity dispatch. Through access to supervisory control and data acquisition (SCADA) systems, these SLDCs maintain grid frequency and stability.

The sources for this piece include an article in TechCrunch.

Featured Tech Jobs


Related articles

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Abuse of valid accounts by threat actors hits a high, says IBM

Attackers are finding that obtaining valid credentials is an easier route to achieving their goals, s

Cyber Security Today, Feb. 21, 2024 – A patch warning from ConnectWise, the latest ransomware news, and more

This episode reports on a report comparing business email compromise attacks against ransomware

UK leads takedown of LockBit ransomware gang’s website

The LockBit ransomware gang’s website has been seized, several news agencies reported late Monday. The Reuters news agency and The Register are carrying stories based on a new splash screen that has appeared on the gang’s website. It says, “This site is now under the control of the National Crime Agency of the UK, working

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways