State-backed Chinese hacking groups have used the Boa web server to target several Indian electrical grid operators (for example Tata Power Company Limited, India), and have also compromised an Indian national emergency response system and a subsidiary of a logistics company.
Boa Web Server Vulnerabilities
The hackers breached the targeted networks through Internet-exposed cameras, which they used as command-and-control servers. They exploited a vulnerability in the Boa web server, software that, although discontinued in 2015, is still used by IoT devices (from routers to cameras).
“The group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy,” Recorded Future said.
Boa is one of the components used to sign in to and access the management consoles of IoT devices. Vulnerable, Internet-exposed devices running it therefore raise the risk of a breach of critical infrastructure.
In a single week, more than 1 million internet-exposed Boa server components were detected.
The software is affected by multiple flaws, among them arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). Hackers can use these flaws without authentication “to execute code remotely after stealing credentials by accessing files with sensitive information on the targeted server,” according to BleepingComputer.
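One way a defender can inventory Boa-based components from HTTP banners before exposure becomes a problem, as an added example that is not from the article, Recorded Future or BleepingComputer; the response headers below are constructed samples, not scan data:

```python
import re
from collections import Counter

# Constructed sample HTTP responses, as an internal asset scanner might
# collect them from devices on the network (not data from the article).
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.93.15\r\n"
    "WWW-Authenticate: Basic realm=\"DVR\"\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
    "HTTP/1.0 200 OK\r\nserver: Boa/0.94.14rc21\r\n\r\n",   # lowercase header name
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",    # no Server header at all
]

# Header names are case-insensitive; the value runs to the end of the line.
SERVER_RE = re.compile(r"^server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
# Boa advertises itself as "Boa/<version>" in the Server header.
BOA_RE = re.compile(r"^Boa/(\S+)", re.IGNORECASE)


def server_banner(raw):
    """Return the Server header value of a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers only, never the body
    m = SERVER_RE.search(head)
    return m.group(1) if m else None


def boa_version(raw):
    """Return the Boa version string if the response came from Boa, else None."""
    banner = server_banner(raw)
    if banner is None:
        return None
    m = BOA_RE.match(banner)
    return m.group(1) if m else None


def triage(responses):
    """Count Boa-served endpoints per version. Every hit is a discontinued
    component that belongs on the inventory and off the public Internet."""
    counts = Counter()
    for raw in responses:
        version = boa_version(raw)
        if version is not None:
            counts[version] += 1
    return counts


if __name__ == "__main__":
    for version, n in triage(SAMPLE_RESPONSES).items():
        print(f"Boa/{version}: {n} exposed endpoint(s)")
```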