Boa’s Forgotten Web Servers Become a Threat to Critical Industries

Boa's Forgotten Web Servers
Written by Carina Wilson

Microsoft analysts report that vulnerabilities in Boa’s Forgotten Web Servers, which were deprecated in 2005, are being used to hack organizations in the energy sector.

Back in 2021, Recorded Future discovered a Chinese hack group that was attacking power grids in India. In April 2022, the same researchers published a new report describing attacks launched by another “government hacker” from China against the Indian energy sector.

Then the attackers attacked several Indian power grid operators, compromised the national emergency response system, as well as a subsidiary of an unnamed logistics company.

Let me remind you that we also said that Chinese Government Hackers Successfully Spy on Organizations in Europe, Australia and Southeast Asia, and also that China uses the Great Cannon again for DDoS attacks.

Recorded Future specialists did not report anything about the attack vector used by the hackers, but now Microsoft Security Threat Intelligence analysts write that the attackers used a vulnerable component of the Boa open-source web server. Its development was discontinued back in 2005, but Boa is still used by many IoT devices (from routers to smart cameras), as it is included in popular SDKs.

Since Boa is one of the components used to log in and access IoT device management, this greatly increases the risk of hacking critical infrastructure with vulnerable IoT devices running a vulnerable web server.

According to Microsoft, in just a week, more than 1 million Boa server components were discovered worldwide, accessible via the Internet.

Boa's Forgotten Web Servers

Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). Microsoft continues to see how attackers try to exploit vulnerabilities in Boa <...>, meaning the web server is still an attack vector.the researchers write.

Essentially, an unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and then use them to remotely execute code. For example, in one of the latest attacks using these vulnerabilities, Hive ransomware operators compromised Tata Power, India’s largest energy company.

The attack, detailed in the Recorded Future report, was one of several attempts to invade India’s critical infrastructure since 2020. At the same time, the last attack was confirmed in October 2022. The popularity of the Boa web server is indicative of the potential risk that an insecure supply chain carries, even if best practices are applied to devices on the network.analysts write.

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.

Leave a Comment