Still using a discontinued Boa web server? Microsoft warns of supply chain attacks

Flaws in the open-source tool exploited – and India's power grid was a target


Microsoft is warning that systems using the long-discontinued Boa web server could be at risk of attack after a series of intrusion attempts against power grid operations in India likely included exploitation of known flaws in the server.

Researchers with Microsoft's Security Threat Intelligence unit examined an April report from cybersecurity company Recorded Future about the intrusion efforts into India's power grid dating back to 2020 and, more recently, into a national emergency response system and a global logistics company's Indian subsidiary.

Recorded Future attributed the attacks on the power grid to a Chinese threat group called RedEcho using the ShadowPad backdoor malware to compromise IoT devices.

The Microsoft researchers, digging into the report, found a vulnerable component – the Boa web server – on the IP addresses listed as indicators of compromise (IOCs). They wrote in their own analysis this week that they "found evidence of a supply chain risk that may affect millions of organizations and devices."

Boa is an open-source web server designed for embedded applications and used to access settings, management consoles, and sign-in screens in devices. It was discontinued in 2005 but is still being used by vendors in a range of IoT devices and popular SDKs, they wrote.

You might not even know it's happening

"Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files," the researchers wrote. "Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities."

In this case, Microsoft reviewed the IP addresses Recorded Future included in its list of IOCs and linked many of them back to IoT devices, such as routers, with unpatched vulnerabilities. All of the published IP addresses had been attacked by various actors using different tactics, including downloading a variant of the Mirai IoT botnet malware, brute-forcing logins with default credentials, and attempting to run shell commands.

"Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector," the analysts wrote.

Boa is still widely used, with Microsoft detecting more than 1 million internet-exposed Boa server components around the world. It's particularly common in IoT devices like routers and cameras.

A reason could be that Boa is used in SDKs, which are not always patched even when the IoT device's firmware is updated. It's also difficult to tell whether device components can be or have been updated. An example is RealTek's SDKs, which include Boa and are used in SoCs by companies that make gateway devices like routers, access points, and repeaters.

Attackers over the past few years have targeted devices that use RealTek's SDKs.

Among the known Boa web server vulnerabilities are CVE-2017-9833 and CVE-2021-33558. Both can be exploited without authentication to read the device's "passwd" file or to reach sensitive URIs on the web server and extract user credentials; with those credentials an attacker can gain access to the device and go on to run code on it.
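The first step for a defender is simply finding out which devices on the network still answer with Boa at all, since the text above notes that owners are often unaware of it. The following Python is an added example, not code from Microsoft's or Recorded Future's research: it fingerprints Boa from the HTTP `Server` header, which Boa sets to `Boa/<version>` (for example `Boa/0.94.14rc21`), and flags every match because no version of a server discontinued in 2005 can be considered maintained. The sample responses, host addresses and version strings are constructed for the demo; `probe()` is the hook for a live scan and is not exercised offline.

```python
"""Fingerprint exposed Boa web servers from HTTP response headers.

Added example; not part of the Microsoft / Recorded Future research.
Boa identifies itself with a 'Server: Boa/<version>' header. The sample
responses below are constructed for the demo, not captured from devices.
"""
import http.client
import re
from typing import Dict, List, Optional

# Matches 'Boa' or 'Boa/<version>' at the start of the Server header value.
BOA_RE = re.compile(r"^Boa(?:/(?P<version>[0-9][\w.\-]*))?", re.IGNORECASE)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def boa_version(raw: bytes) -> Optional[str]:
    """Return the Boa version if the response came from Boa, else None.

    Returns "unknown" when the header names Boa but carries no version.
    """
    match = BOA_RE.match(parse_headers(raw).get("server", ""))
    if not match:
        return None
    return match.group("version") or "unknown"


def triage(inventory: Dict[str, bytes]) -> List[dict]:
    """Map {host: raw_response} to findings for every host running Boa.

    Every Boa instance is reported: the project was discontinued in 2005,
    and a current firmware version does not imply the bundled SDK was patched.
    """
    findings = []
    for host, raw in inventory.items():
        version = boa_version(raw)
        if version is not None:
            findings.append({
                "host": host,
                "version": version,
                "note": "discontinued Boa web server exposed; check the vendor SDK, "
                        "not just the firmware version",
            })
    return findings


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Fetch a raw header block from a live host (not used by the offline demo)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        status_line = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        header_block = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return (status_line + header_block + "\r\n").encode("latin-1")
    finally:
        conn.close()


# Constructed sample responses (TEST-NET addresses, not real device captures).
SAMPLES: Dict[str, bytes] = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>",
    "192.0.2.11": b"HTTP/1.0 401 Unauthorized\r\nServer: Boa/0.94.13\r\n"
                  b"WWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
    "192.0.2.12": b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",
    "192.0.2.13": b"HTTP/1.1 200 OK\r\nserver: boa\r\n\r\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(f"{finding['host']}: Boa {finding['version']} - {finding['note']}")
```

Run as-is it reports three of the four sample hosts; swap `SAMPLES` for `{host: probe(host) for host in targets}` to run it against your own address space. A banner check is a starting point, not proof of absence: a vendor can rewrite or strip the `Server` header, so treat a negative result as "not confirmed" and corroborate with firmware or SBOM data where you have it.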

Being able to collect data from critical infrastructure networks without being detected can lead to attacks that are highly disruptive, costing millions of dollars and impacting millions of people and companies.

"The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network," the researchers wrote. "Updating the firmware of IoT devices does not always patch SDKs or specific [SoC] components and there is limited visibility into components and whether they can be updated."

Vulnerabilities in the software supply chain have been highlighted in recent years by breaches at SolarWinds and Kaseya and amplified by the Log4j vulnerability. In its annual data breach report, Verizon noted that 62 percent of attacks that involve device or system intrusions began with cybercriminals exploiting flaws in partners' systems. ®
