Threat actors exploit discontinues Boa web servers to target critical infrastructure

Microsoft reported that hackers have exploited flaws in a now-discontinued web server called Boa in attacks against critical industries.

Microsoft experts believe that threat actors behind a malicious campaign aimed at Indian critical infrastructure earlier this year have exploited security flaws in a now-discontinued web server called Boa.

The Boa web server is widely used across a variety of devices, including IoT devices, and is often used to access settings and management consoles as well as sign-in screens. The experts pointed out that Boa has been discontinued since 2005.

Researchers at Recorded Future observed several intrusion attempts on Indian critical infrastructure since 2020 and shared IOCs related to this campaign. Microsoft experts analyzed these IoCs and discovered that Boa servers were running on the IP addresses on the list of IOCs, they also explained that the electrical grid attack targeted exposed IoT devices running Boa.

Microsoft also discovered that half of the IP addresses in the list published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of a malicious tool identified by Recorded Future. 

“Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators.”reads the report published by Recorded Future. “Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.”

Microsoft experts explained that despite Boa being discontinued in 2005, many vendors across a variety of IoT devices and popular software development kits (SDKs) continue to use it.

The researchers identified over 1 million internet-exposed Boa server components around the world over the span of a week.

“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices.” reads the report published by Microsoft.

“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”

Boa is known to be affected by multiple flaws, including CVE-2017-9833 and CVE-2021-33558, which can allow unauthenticated attackers to read arbitrary files, obtain sensitive information, and gain remote code execution.

“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network.” concludes the report.

“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Boa)

[adrotate banner=”5″]

[adrotate banner=”13″]