Microsoft this week identified a gaping attack vector for disabling industrial control systems (ICS), which is unfortunately pervasive throughout critical infrastructure networks: the Boa Web server.
The computing giant has identified vulnerabilities in the server as the initial access point for successful attacks on the Indian energy sector earlier this year, carried out by Chinese hackers. But here’s the kicker: It’s a Web server that’s been discontinued since 2005.
It may seem strange that a nearly 20-year-old end-of-life server is still hanging around, but Boa is included in a range of popular software developer kits (SDKs) that Internet of Things device developers use in their design of critical components for ICS, according to Microsoft. As such, it’s still used across myriad IoT devices to access settings, management consoles, and sign-in screens for devices on industrial networks — which leaves critical infrastructure vulnerable to attack on a large scale.
These include SDKs released by RealTek that are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters, researchers noted.
In April, Recorded Future reported on attacks on the Indian power sector that researchers attributed to a Chinese threat actor tracked as RedEcho. The activity targeted organizations responsible for carrying out real-time operations for grid control and electricity dispatch within several northern Indian states, and it occurred throughout the year.
It turns out that the vulnerable component in the attacks was the Boa Web server. According to a Microsoft Security Threat Intelligence blog post published Nov. 22, the Web servers and the vulnerabilities they represent in the IoT component supply chain are often unbeknownst to developers and administrators who manage the system and its various devices. In fact, admins often don’t realize that updates and patches aren’t addressing the Boa server, the researchers said.
“Without developers managing the Boa Web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” researchers wrote in the post.
Making the Discovery
It took some digging to identify that the Boa servers were the ultimate culprit in the Indian energy-sector attacks, the researchers said. First they noticed that the servers were running on the IP addresses on the list of indicators of compromise (IoCs) published by Recorded Future at the time of the release of the initial report last April, and also that the electrical grid attack targeted exposed IoT devices running Boa, they said.
Moreover, half of the IP addresses returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool that Recorded Future identified was used in the attack, the researchers noted.
Further investigation of the headers indicated that more than 10% of all active IP addresses returning the headers were related to critical industries — including the petroleum industry and associated fleet services — with many of the IP addresses assigned to IoT devices with unpatched critical vulnerabilities. This highlighted “an accessible attack vector for malware operators,” according to Microsoft.
The final clue was that most of the suspicious HTTP response headers that researchers observed were returned over a short time frame of several days, which linked them to likely intrusion and malicious activity on networks, they said.
Gaping Security Vulnerabilities in the Supply Chain
It’s no secret that the Boa Web server is full of holes — notably including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558) — that are unpatched and need no authentication to exploit, the researchers said.
“These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the ‘passwd’ file from the device or accessing sensitive URIs in the Web server to extract a user’s credentials,” they wrote.
“Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek’s SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks,” they said.
While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities — factors that also make the existence of Boa Web servers in ICS ripe for exploitation, researchers added.
Current Threat Activity and Mitigation
Microsoft’s research indicates that Chinese attackers have successfully targeted Boa servers as recently as late October, when the Hive threat group claimed a ransomware attack on Tata Power in India. And in their continued tracking of the activity, researchers continued to see attackers attempting to exploit Boa vulnerabilities, “indicating that it is still targeted as an attack vector” and will continue to be one as long as these servers are in use.
For this reason, it’s crucial for ICS network administrators to identify when the vulnerable Boa servers are in use and to patch vulnerabilities wherever possible, as well as take other actions to mitigate risk from future attacks, researchers said.
Specific steps that can be taken include using device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments that identify unpatched devices in the network and set workflows for initiating appropriate patch processes with solutions.
Administrators also should extend vulnerability and risk detection beyond the firewall to identify Internet-exposed infrastructure running Boa Web server components, researchers said. They also can reduce the attack surface by eliminating unnecessary Internet connections to IoT devices in the network, as well as applying the practice of isolating with firewalls all IoT and critical-device networks.
Other actions to consider for mitigation include using proactive antivirus scanning to identify malicious payloads on devices; configuring detection rules to identify malicious activity whenever possible; and adopting a comprehensive IoT and OT solution to monitor devices, respond to threats, and increase visibility to detect and alert when IoT devices with Boa are used as an entry point to a network.