{"id":49436,"date":"2022-11-23T19:00:10","date_gmt":"2022-11-23T19:00:10","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/still-using-a-discontinued-boa-web-server-microsoft-warns-of-supply-chain-attacks\/"},"modified":"2022-11-23T19:00:10","modified_gmt":"2022-11-23T19:00:10","slug":"still-using-a-discontinued-boa-web-server-microsoft-warns-of-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/still-using-a-discontinued-boa-web-server-microsoft-warns-of-supply-chain-attacks\/","title":{"rendered":"Still using a discontinued Boa web server? Microsoft warns of supply chain attacks"},"content":{"rendered":"

Microsoft is warning that systems using the long-discontinued Boa web server could be at risk of attacks after a series of intrusion attempts of power grid operations in India likely included exploiting security flaws in the technology.<\/p>\n

\n

Those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities<\/p>\n<\/blockquote>\n

Researchers with Microsoft’s Security Threat Intelligence unit examined an April report<\/a> from cybersecurity company Recorded Future about the intrusion efforts into India’s power grid dating back to 2020 and, more recently, into a national emergency response system and a global logistics company’s Indian subsidiary.<\/p>\n

Recorded Future attributed<\/a> the attacks<\/a> on the power grid to a Chinese threat group called RedEcho using the ShadowPad backdoor malware to compromise IoT devices.<\/p>\n

The Microsoft researchers, digging into the report, detected a vulnerable component \u2013 the Boa web server \u2013 on the IP addresses listed as indicators of compromise (IOC). They wrote in their own analysis<\/a> this week that they “found evidence of a supply chain risk that may affect millions of organizations and devices.”<\/p>\n

Boa is an open-source web server designed for embedded applications and used to access settings, management consoles, and sign-in screens in devices. It was discontinued in 2005 but is still being used by vendors in a range of IoT devices and popular SDKs, they wrote.<\/p>\n

You might not even know it’s happening<\/h3>\n

“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” the researchers wrote. “Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”<\/p>\n

In this case, Microsoft reviewed the IP addresses Recorded Future included in the list of IOCs and linked many back to IoT devices like routers that included unpatched vulnerabilities. All the published IP addresses were compromised by various attackers using different tactics that included downloading a variant of the Mirai<\/a> IoT botnet malware, attempts to use default credentials for brute-force attacks, and efforts to run shell commands.<\/p>\n