Tata Power Attack Linked to Bug in Nearly 20-Year-Old ServerMicrosoft Confirms 2021 Report, Says 1 Million Boa Servers Still Online Globally
Nearly 20-year-old, outdated web servers were likely responsible for last month's intrusion on India's largest integrated power company, Tata Power, Microsoft says.
Discontinued in 2005, Boa servers have been used to target and compromise several other critical infrastructure organizations globally, Microsoft said in its security blog.
Online digital threat analysis firm Recorded Future first reported in 2021 that Chinese state-sponsored groups were responsible for infecting India's power supply companies with malware (see: India Fights Against Malware Targeting Power Supply).
The Microsoft Threat Intelligence Center warned that Boa servers were running on IP addresses found on the list of IOCs published last year by Recorded Future and that the electrical grid attack targeted exposed IoT devices running on Boa servers.
On Oct. 14, Tata Power disclosed that a cyberattack had hit its IT infrastructure affecting some of its IT systems. The attack did not affect its operations, but as a precautionary measure, the utility restricted access and performed preventive checks for employee and customer-facing portals and touchpoints, a company spokesperson told Information Security Media Group at the time.
Later that month, the Hive ransomware gang posted data on its dark web leak site and claimed the information had been stolen from Tata Power's networks.
The stolen data includes employee information such as emails, addresses, passports, phone numbers, payments, working hours, taxpayer's information, confidential signed contracts, nondisclosure agreements and other sensitive documents, the Hive ransomware gang claimed on its leak site.
Hive ransomware gang uses a Ransomware-as-a-Service model wherein its affiliates are known to target critical infrastructures. The Hive operators have hit more than 1,300 companies worldwide, collecting around $100 million in ransom payments, a recent joint alert from the Cybersecurity and Infrastructure Security Agency, the FBI and the Department of Health and Human Services says (see: Feds Alert Healthcare, Other Sectors of Growing Hive Threats).
A Tata Power spokesperson declined to comment on the group's claims and the latest findings by Microsoft.
In a Nov. 24 update, however, a Microsoft spokesperson told ISMG that it "does not specifically attribute" the Tata Power attack to the exploitation of Boa, despite linking to a news story about the October cyberattack in its blog post. "The recent attack on Tata Power is evidence of a trend in targeting Indian electrical grid assets and operations. Microsoft’s blog post uses data from Recorded Future's April 2022 report of intrusion activity on Indian critical infrastructure, and presents Microsoft's findings,” the spokesperson clarified.
Boa Server Vulnerabilities
Although it was formally discontinued in 2005, the Boa web server is still widely implemented across several IoT devices including routers to cameras, Microsoft says. These findings corroborate Recorded Future's report, which says the threat group likely compromised an undisclosed Indian power company and exploited and co-opted internet-facing DVR/IP camera devices for command and control to spread ShadowPad malware infections.
Microsoft Defender threat intelligence identified over 1 million internet-exposed Boa server components around the world over a span of one week.
The exploitation of these vulnerabilities is particularly concerning because attackers do not require any authentication to exploit them, making them attractive targets. The vulnerability also allows attackers remote code execution capabilities after gaining device access by reading the
passwd file from the device and helping to exfiltrate critical server and user information.
Boa servers are often used to access settings and management consoles as well as sign-in screens of these devices.