November 24, 2022

Microsoft is warning organizations about the risks associated with the decommissioned Boa web server, which was apparently exploited by threat actors in an operation targeting the energy sector.

Despite the software’s retirement in 2005, Microsoft researchers discovered a vulnerable open-source component in the Boa web server, which is still widely used in a variety of routers and security cameras, as well as popular software development kits (SDKs).

Microsoft also looked into the IP addresses associated with those IoCs and discovered that they were hosting Boa, an open-source web server designed for embedded applications. The issue is that while Boa has been decommissioned since 2005, it is still present in many IoT devices.

While Boa is no longer maintained, vulnerabilities in the web server continue to be discovered, including CVE-2017-9833, which allows arbitrary file access, and CVE-2021-33558, which can result in information disclosure.

An unauthenticated attacker, according to Microsoft, could exploit these vulnerabilities to obtain user credentials and use them for remote code execution.

The flaw was discovered while investigating a possible Indian electric grid intrusion in which Chinese state-sponsored attackers used IoT devices to gain access to operational technology (OT) networks, which are used to monitor and control physical industrial systems.

Other targets included a number of State Load Despatch Centres (SLDCs), which are in charge of grid control and electricity dispatch. Through access to supervisory control and data acquisition (SCADA) systems, these SLDCs maintain grid frequency and stability.

The sources for this piece include an article in TechCrunch.