Microsoft is sounding the alarm about a very specific cybersecurity threat that serves as a warning to all companies about the security of the open source software (OSS) supply chain.
Microsoft Threat Intelligence Center (MSTIC) has launched its own investigation into an April 2022 report by security solutions maker Recorded Future about a “probably Chinese-sponsored” attacker that targeted India’s energy sector for two years.
Recorded Future has listed more than a dozen network indicators of compromise (IOC) observed between the end of 2021 and the first quarter of 2022. They were used in 38 incursions against several organizations in the Indian energy sector.
The Boa web server was discontinued in 2005.
Microsoft notes that the latest related activity was in October 2022, and says its researchers have identified a “vulnerable component on all IP addresses published as IOCs” by Recorded Future and found evidence of “a supply chain risk that could affect millions of organizations and devices.”
“We assessed the vulnerable component as the Boa web server, which is often used to access settings and management consoles, as well as device login screens. Although the Boa web server was discontinued in 2005, it continues to be implemented by various vendors on various popular IoT (Internet of Things) devices and software development kits (SDKs). If developers don’t manage the Boa web server, its known vulnerabilities could allow attackers to silently access networks by harvesting information from files.”
The Boa Web Server, a free software project, was discontinued in 2005. But 17 years later, it is still present in various popular IoT devices and software development kits (SDKs), according to MSTIC.
Microsoft Suspects Boa Remains Popular in IoT Devices
“Microsoft estimated that Boa servers were running on IP addresses on the IOC list published by Recorded Future at the time of the report’s release, and that the power grid attack targeted exposed IoT devices running Boa,” Microsoft said in a statement.
The Boa web server is often used to access settings and management consoles, as well as device login screens. But since Boa is no longer maintained, devices or SDKs still using it will contain all known vulnerabilities since its decommissioning.
Microsoft suspects that Boa remains popular in IoT devices because of its presence in popular SDKs that ship with system-on-chip (SoC) microchips used in low-power devices such as routers.
A good example is the Realtek SDKs used in SoCs and supplied to companies that make network gateways such as routers, access points, and repeaters. Critical vulnerability CVE-2021-35395 affected the Realtek Jungle SDK, which included a Boa-based management interface. Although Realtek has released fixes for the SDK, some manufacturers may not include them in firmware updates. This is the supply chain risk that concerns Microsoft.
Attackers can exploit web server vulnerabilities to gain access to networks by harvesting information from files, according to Microsoft. Also, organizations can use network devices without knowing they are running services with Boa.
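As an added example, not from the article or from Microsoft, the inventory check below pulls the Server banner out of captured HTTP responses and flags any host that advertises Boa, which is the first step in finding devices an organization did not know were running it. The responses and addresses are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample HTTP responses, as a passive scanner or proxy log might
# have captured them from devices on an internal network (not real hosts).
SAMPLE_RESPONSES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>login</html>",
    "192.0.2.11": b"HTTP/1.0 401 Unauthorized\r\nserver: boa/0.93.15\r\nWWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
    "192.0.2.12": b"HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "192.0.2.13": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nno server header",
}

# Boa banners look like "Boa/0.94.14rc21"; the version may be absent.
BOA_BANNER = re.compile(r"^boa(?:/(\S+))?(?:\s|$)", re.IGNORECASE)


def server_header(raw: bytes) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def boa_version(raw: bytes) -> Optional[str]:
    """Return the advertised Boa version ('unknown' if unversioned), or None if not Boa."""
    banner = server_header(raw)
    if banner is None:
        return None
    match = BOA_BANNER.match(banner)
    if not match:
        return None
    return match.group(1) or "unknown"


def find_boa_hosts(responses: dict) -> dict:
    """Map host -> Boa version for every response whose banner identifies Boa."""
    found = {}
    for host, raw in responses.items():
        version = boa_version(raw)
        if version is not None:
            found[host] = version
    return found


if __name__ == "__main__":
    for host, version in find_boa_hosts(SAMPLE_RESPONSES).items():
        print(f"{host}: Boa {version} (unmaintained since 2005; review firmware for CVE-2017-9833 and CVE-2021-33558)")
```

A device that strips or rewrites its Server header will not be caught this way, so treat a clean result as a starting point for firmware and SDK review, not as proof that Boa is absent.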
“While patches for Realtek SDK vulnerabilities are available, some vendors may not include them in firmware updates for their devices, and updates do not include patches for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” Microsoft notes.
“These vulnerabilities could allow attackers to remotely execute code after gaining access to a device by reading the device’s ‘passwd’ file or accessing sensitive URIs on a web server to extract user credentials. In addition, these vulnerabilities do not require authentication to exploit, making them attractive targets.”