In an analysis published on Tuesday, Microsoft researchers said they had discovered a vulnerable open-source component in the Boa web server, which is still widely used in a range of routers and security cameras, as well as popular software development kits (SDKs), despite the software’s retirement in 2005. The technology giant identified the component while investigating a suspected Indian electric grid intrusion first detailed by Recorded Future in April, where Chinese state-sponsored attackers used IoT devices to gain a foothold on operational technology (OT) networks, used to monitor and control physical industrial systems.

Microsoft said it has identified one million internet-exposed Boa server components globally over the span of a one-week period, warning that the vulnerable component poses a “supply chain risk that may affect millions of organizations and devices.”

The company added that it continues to see attackers attempting to exploit Boa flaws, which include a high-severity information disclosure bug (CVE-2021-33558) and another arbitrary file access flaw (CVE-2017-9833).

“The known [vulnerabilities] impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials,” Microsoft said, adding that this can allow the attackers to have a “much greater impact” once the attack is initiated.

Microsoft said the most recent attack it observed was the compromise of Tata Power in October. This breach resulted in the Hive ransomware group publishing data stolen from the Indian energy giant, which included sensitive employee information, engineering drawings, financial and banking records, client records, and some private keys.

“Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector,” Microsoft said.

The company has warned that mitigating these Boa flaws is difficult due to both the continued popularity of the now-defunct web server and the complex nature of how it is built into the IoT device supply chain. Microsoft recommends that organizations and network operators patch vulnerable devices where possible, identify devices with vulnerable components, and to configure detection rules to identify malicious activity.

Microsoft’s warning again highlights the supply chain risk posed by flaws in widely-used network components. Log4Shell, a zero-day vulnerability that was last year identified in Log4j, the open-source Apache logging library, is estimated to have potentially affected upwards of three billion devices.