Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries

The Hacker News

Microsoft on Tuesday disclosed that the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in Boa, a now-discontinued web server.

The tech behemoth’s cybersecurity division said the vulnerable component poses a “supply chain risk that may affect millions of organizations and devices.”

The findings build on a prior report published by Recorded Future in April 2022, which delved into a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India.

The cybersecurity firm attributed the attacks to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attack as unsuccessful “probing attempts,” China denied it was behind the campaign.

The connections to China stem from the use of a modular backdoor dubbed ShadowPad, which is known to be shared among several espionage groups that conduct intelligence-gathering missions on behalf of the nation.

Although the exact initial infection vector used to breach the networks remains unknown, the ShadowPad implant's command-and-control traffic was routed through a network of compromised internet-facing DVR/IP camera devices.

Microsoft said its own investigation into the attack activity uncovered Boa as a common link, assessing that the intrusions were directed against exposed IoT devices running the web server.

“Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs),” the company said.

“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files.”

The latest findings once again underscore the supply chain risk arising out of flaws in widely-used network components, which could expose critical infrastructure to breaches via publicly-accessible devices running the vulnerable web server.

Microsoft further said it detected more than one million internet-exposed Boa server components worldwide in a single week, with significant concentrations in India.

The pervasive nature of Boa servers is attributed to the fact that they are integrated into widely-used SDKs, such as those from Realtek, which are then bundled with devices like routers, access points, and repeaters.

The complex nature of the software supply chain means that fixes from an upstream vendor may not trickle down to customers and that unresolved flaws could continue to persist despite firmware updates from downstream manufacturers.
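The million-device figure and the SDK-bundling problem both come down to inventory: finding Boa on the network and inside the firmware images a downstream vendor ships. As an added example (not code from the page, from Microsoft or from the Boa project), the Python below fingerprints Boa from the banner it sends in its Server header, which has the form "Boa/<version>", and searches a firmware blob for the same version string. The host addresses, the active probe helper and all sample responses and firmware bytes are constructed for the example.

```python
"""Finding bundled Boa instances: an added example, not code from the page,
Microsoft or the Boa project. Two offline checks: fingerprint_http() reads
the Server banner Boa sends ("Boa/<version>"), and scan_firmware() looks for
the same version string inside a firmware or SDK image, which is where a
downstream vendor's component list usually fails to mention it. All sample
data below is constructed for the example."""
import re
import socket
from typing import List, Optional, Tuple

# Boa advertises itself as "Server: Boa/0.94.14rc21" (the version varies by SDK).
BOA_BANNER = re.compile(rb"^Server:[ \t]*Boa/(\S+)", re.IGNORECASE | re.MULTILINE)
# The same token as it sits in a binary's read-only data, e.g. "Boa/0.94.13".
BOA_VERSION = re.compile(rb"Boa/(0\.9\d(?:\.\d+)?(?:rc\d+)?)")


def fingerprint_http(raw_response: bytes) -> Optional[str]:
    """Return the Boa version from the response headers, or None.
    Only the header block is searched, so a body that merely mentions
    Boa (a help page, say) does not count as a hit."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    m = BOA_BANNER.search(head)
    return m.group(1).decode("ascii", "replace") if m else None


def scan_firmware(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, version) for every Boa version string in a blob.
    Works on raw dumps; for squashfs/cramfs images, extract the filesystem first."""
    return [(m.start(), m.group(1).decode("ascii")) for m in BOA_VERSION.finditer(image)]


def probe(host: str, port: int = 80, timeout: float = 3.0) -> Optional[str]:
    """Active variant: send a HEAD request and fingerprint the reply.
    Not exercised offline; run only against hosts you are authorised to scan."""
    req = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 8192:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return fingerprint_http(data)


# Constructed samples: an IP camera admin page, a non-Boa service whose body
# happens to mention Boa, and a firmware blob with two embedded version strings.
SAMPLE_BOA = (b"HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
              b"Content-Type: text/html\r\n\r\n<html>camera</html>")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\nBoa/0.94.13 mentioned in body"
SAMPLE_FIRMWARE = (b"\x7fELF" + b"\x00" * 40 + b"Boa/0.94.13\x00"
                   + b"\xff" * 8 + b"Server: Boa/0.94.14rc21\x00")


def inventory(responses: dict) -> dict:
    """Map host -> Boa version for every captured response that fingerprints as Boa."""
    found = {}
    for host, raw in responses.items():
        version = fingerprint_http(raw)
        if version:
            found[host] = version
    return found


if __name__ == "__main__":
    print(inventory({"10.0.0.12": SAMPLE_BOA, "10.0.0.13": SAMPLE_OTHER}))
    print(scan_firmware(SAMPLE_FIRMWARE))
```

Treat a negative banner result as inconclusive: integrators can strip or rewrite the Server header, and a device behind a reverse proxy shows the proxy's banner. The firmware string scan is the more reliable of the two checks, because the version string survives in the binary regardless of what the device advertises.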

Two of the high-severity bugs cited for Boa are CVE-2017-9833, a path traversal in a /cgi-bin/wapopen handler that lets a remote attacker read arbitrary files with root privileges, and CVE-2021-33558, an information disclosure through exposed configuration and log files. Successfully exploited, they could enable malicious hacking groups to read arbitrary files, obtain sensitive information, and achieve remote code execution. One caveat a practitioner should note: both CVE records carry a "disputed" flag, with third parties reporting that the wapopen program and the exposed files come from device integrators' code rather than from Boa itself (see the CVE entries at the end of this page). That is precisely why a fix has to come from the device vendor rather than from an upstream Boa patch that no longer exists.

Exploiting these unpatched flaws would let a threat actor pull configuration and other sensitive files off the device, use them to map the surrounding IT environment, and stage the disruptive attacks that follow.

“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network,” Microsoft said.

“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations.”


Related news

Retired Software Exploited To Target Power Grids, Microsoft

By Habiba Rashid (HackRead.com). Boa was discontinued in 2005 but remained popular and is now becoming a crisis because of the complex nature of how it was built into the IoT device supply chain.

Microsoft: Popular IoT SDKs Leave Critical Infrastructure Wide Open to Cyberattack

Chinese threat actors have already used the vulnerable and pervasive Boa server to infiltrate the electrical grid in India, in a spate of malicious incidents.

CVE-2022-32535: Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CVE-2021-33558: GitHub - mdanzaruddin/CVE-2021-33558.

** DISPUTED ** Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE: multiple third parties report that this is a site-specific issue because those files are not part of Boa.

CVE-2017-9833

** DISPUTED ** /cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable.
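The record above describes the classic shape of the bug: a GET parameter joined onto a document root and opened without normalising it first, by a CGI that runs as root. The Python below is an added example, not code from the page, from Boa or from any camera vendor; only the FILECAMERA parameter name and the ../.. payload come from the CVE text, while WEBROOT, the function names and the sample requests are assumptions. It shows the naive join beside a hardened resolver that normalises and then checks containment, and it also handles the percent-encoded and double-encoded variants attackers send to slip past a plain string match on "../".

```python
"""CGI file-fetch handler: the traversal the CVE record describes, beside a
hardened version. Added example; not code from the page, the Boa project or
any device vendor. WEBROOT and the function names are assumptions; only the
FILECAMERA parameter name and the ../.. payload come from the CVE text."""
import posixpath
from typing import Optional
from urllib.parse import parse_qs, unquote

WEBROOT = "/var/www/cam"  # assumed document root (not from the page)


def _filecamera(query_string: str) -> str:
    """Extract FILECAMERA from the GET query string (percent-decoded once)."""
    return parse_qs(query_string).get("FILECAMERA", [""])[0]


def vulnerable_resolve(query_string: str) -> str:
    """Naive join: "../.." in FILECAMERA walks out of WEBROOT, and an absolute
    value replaces WEBROOT entirely. With the CGI running as root, the result
    is an arbitrary file read."""
    return posixpath.normpath(posixpath.join(WEBROOT, _filecamera(query_string)))


def safe_resolve(query_string: str) -> Optional[str]:
    """Hardened: normalise first, then check containment on the result.
    Returns None for anything that does not land strictly inside WEBROOT."""
    name = unquote(_filecamera(query_string))  # second decode: catches %252e%252e
    if "\x00" in name:                         # a NUL would truncate the path in C
        return None
    candidate = posixpath.normpath(posixpath.join(WEBROOT, name))
    # Compare the normalised path, never the raw input: "..%2f", "./../" and
    # absolute paths all collapse to something outside WEBROOT here.
    if not candidate.startswith(WEBROOT + "/"):
        return None
    # posixpath.normpath is pure string handling and does not follow symlinks;
    # before opening, a real handler should also check os.path.realpath() of
    # the candidate against WEBROOT, and should not be running as root at all.
    return candidate


# Constructed requests: a legitimate image, the ../.. payload from the CVE
# text, a single- and a double-percent-encoded variant, and an absolute path.
REQUESTS = {
    "legit":    "FILECAMERA=snap/cam1.jpg",
    "dotdot":   "FILECAMERA=../../../etc/passwd",
    "encoded":  "FILECAMERA=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "double":   "FILECAMERA=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "absolute": "FILECAMERA=/etc/shadow",
}


def compare(requests=REQUESTS) -> dict:
    """Run both resolvers over the sample requests: label -> (vulnerable, hardened)."""
    return {label: (vulnerable_resolve(q), safe_resolve(q)) for label, q in requests.items()}


if __name__ == "__main__":
    for label, (bad, good) in compare().items():
        print(f"{label:9} vulnerable -> {bad:30} hardened -> {good}")
```

Note the double-encoded case: the naive resolver happens not to traverse there because it decodes only once, while the hardened one decodes a second time before normalising. Whether a handler decodes once or twice must match what the server in front of it does; the safe rule is to validate the fully decoded, normalised path rather than the bytes that arrived.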