Microsoft Unearths Over 1M Outdated But Still In-Use Boa Web Servers


This week, Microsoft warned that millions of web server implementations outdated for 17 years are vulnerable to intrusion. Hackers are exploiting the open-source Boa web servers commonly used in internet of things (IoT) devices to enable user access to settings, management consoles and sign-in screens.

Microsoft zeroed in on the threat following an investigation into an April 2022 Recorded Future report that detailed malicious cyberactivity against India’s electric grids by Chinese state-sponsored groups. The IP addresses and indicators of compromise sharedOpens a new window by Recorded Future led them to uncover the use of the abandoned Boa web servers.

The company found that the vulnerable Boa servers, despite being discontinued in 2005, are still built into popular software development kits (SDKs) and are thus leveraged across a host of IoT devices such as routers, cameras, access points, and more, making it a supply chain security issue.

Redmond identified over one million internet-exposed Boa web servers. A search on Shodan delivers over 1.58 million resultsOpens a new window .

A cyberattack by Chinese threat actors is suspected of having caused the October 2020 blackout in India’s financial capital Mumbai amid a high-altitude standoff due to border disputes between the two most-populated countries.

Recorded Future’s assessment revealed that since December 2021, Chinese threat actors had used the ShadowPad trojan against the Indian power grid in the Ladakh sector thrice, albeit unsuccessfully. The same hackers also compromised a national emergency response system and an Indian subsidiary of a multinational logistics company.

More recently, the Hive ransomware gang targeted Tata Power, a prominent Indian power company, in October 2022, stealing and leakingOpens a new window employees’ personally identifiable information (PII), salary details, their national identification document numbers (Aadhar), PAN (a unique tax identifier), the company’s financial data, some engineering drawings, etc.

Speaking with Spiceworks News and Insights, James McQuiggan, security awareness advocate at KnowBe4, explained why critical infrastructure could be prone to supply chain risks. “The downside of OpenSource software is that when it becomes a legacy product, it is rarely updated. If exploits are available, those systems are highly vulnerable.”

McQuiggan added, “Especially with SCADA systems in critical infrastructure environments, they are susceptible because of the limited updates and downtime possible for them and can become a high-value target for cybercriminals. While other organizations may have updated and replaced their systems utilizing the seventeen-year-old open-source application, seeing them in SCADA environments and other critical infrastructure could still be a solid possibility.”

Besides active cyberattacks against critical infrastructure, a supply chain risk exists to possibly millions of organizations that have deployed IoT devices configured using vulnerable SDKs. Microsoft gave an example of how security gaps in the upstream RealTek SDK leveraged by organizations to build underlying systems on a chip (SoC) can trickle down into devices such as routers, access points, and repeaters.

Boa Web Server IoT Supply Chain Vulnerabilities | Source: MicrosoftOpens a new window

See More: U.S. Government Rolls Out Fresh Framework to Boost Software Supply Chain Security

Speaking with Spiceworks News and Insights, Sami Elhini, biometrics specialist at Cerberus Sentinel, highlighted the importance of incorporating a secure-by-design approach to development to avoid future troubles.

Elhini recollected, “I am personally familiar with BOA because when I was designing a handheld device in 2017, I evaluated it and quickly deselected it. Why? Because it hadn’t been maintained for twelve years! That’s a major red flag.”

“However, those aren’t the only red flags, one only needs to read its documentation to determine that it served one purpose: to be fast. That in and of itself cannot be the sole criteria for product selection, sadly, in so many instances it is. By virtue of the industries I have worked in, security has always been a necessity and when designing solutions is considered as important as solving the problem.”

The 8th Annual State of the Software Supply Chain Report from Sonatype revealed that attacks against open-source projects in public repositories surged 633% year-over-yearOpens a new window and noted a 742% average yearly increase in software supply chain attacks since 2019.

However, this doesn’t necessarily mean open-source is perennially susceptible to threats. Elhini added, “All products have risks. OSS is thought to be risky because its code is available for all to see, however, that also means security researchers and analysts have full access to it as well. Closed source software is not immune to vulnerabilities and for the most part the world will never know about one until it is exploited. Either way there are risks.”

As McQuiggan pointed out, attacks through open-source tools have more to do with the lack of timely updates. Moreover, the scale at which open-source projects, such as Log4jOpens a new window , Apache Commons Text, OpenSSL, Spring Core, etc., are used across a wide array of products could blow the issue out of proportion.

Boa server being an open-source project for embedded system applications may lead the oblivious to blame open-source. But it is crucial to recognize one simple fact: it was abandoned in 2005. So the liability lies with those who decided to continue using it 17 years later.

“The bottom line is that ‘OSS is bad’ is not a strategy that will lead to security,” Elhini explained to Spiceworks. “Having a culture of cybersecurity is the only thing that can mitigate these risks. That doesn’t start with analyzing your existing systems, it starts with how they are designed and flows through component and product selection, extends into your development processes and should be pervasive in your systems management and monitoring activities.”

As an additional step, McQuiggan suggested organizations maintain a software and hardware risk registry and annually audit respective systems and software to stay up to date and uncover and fix any vulnerabilities.

Elhini concluded, “It’s not surprising Microsoft would raise alarms about OSS as it is the biggest threat to their existence. Does that mean there aren’t risks associated with OSS? No, there are always risks associated with every piece of technology. Asking Microsoft about OSS is like asking opposing candidates who you should vote for.” 

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!

Image source: Shutterstock