Microsoft is warning organizations about the risks associated with the discontinued Boa web server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.
In 2021, threat intelligence company Recorded Future reported seeing a Chinese threat group targeting operational assets within India’s power grid. In April 2022, the cybersecurity firm published a new report describing attacks launched by a different Chinese state-sponsored threat actor against organizations in India’s power sector.
Targets included several State Load Despatch Centres (SLDCs) responsible for carrying out grid control and electricity dispatch operations. These SLDCs maintain grid frequency and stability through access to supervisory control and data acquisition (SCADA) systems.
When it released its report in April, Recorded Future shared some indicators of compromise (IoCs) to help organizations detect potential intrusions.
Microsoft has analyzed the IP addresses included in those IoCs and determined that they hosted Boa, an open source web server designed for embedded applications. The problem is that Boa has been discontinued since 2005, but it’s still present in many IoT devices.
“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa,” Microsoft said in a blog post published on Tuesday.
An analysis conducted by the tech giant showed that some of the IP addresses were associated with vulnerable IoT devices, such as routers, housed by organizations in critical industries.
A Shodan search reveals hundreds of thousands of internet-exposed Boa web servers, including many in South Korea, Taiwan and the United States.
While Boa is no longer maintained, vulnerabilities are still being found in the web server, such as CVE-2017-9833, which allows arbitrary file access, and CVE-2021-33558, which can lead to information disclosure.
According to Microsoft, an unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.
One major issue related to Boa is that its presence in a product may not even be known as it’s often included in popular SDKs. For instance, a Realtek SDK provided to companies that make routers, access points and other gateway devices includes the Boa web server. It’s worth noting that Realtek SDK vulnerabilities have been known to be exploited in attacks.
“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network,” Microsoft said. “Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated.”
“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people,” it added.
Microsoft said it continues to see attacks targeting Boa vulnerabilities.
Recorded Future said that while it had not seen any evidence of industrial control system (ICS) networks being compromised in the attacks aimed at India’s energy sector, it could not rule it out. Now, Microsoft has also warned that the use of vulnerable components, such as Boa, could pose risks to IoT, as well as OT environments.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Previous Columns by Eduard Kovacs:Tags: