Microsoft Threat Intelligence Center (MSTIC) is warning users about a unique cybersecurity threat that also serves as a caution about open source software (OSS) security over the long term. In a blog post, MSTIC says it has been investigating a report from security firm Recorded Future since April 2022.
That report rose an alarm over a “likely Chinese state-sponsored” attack that has been hitting the energy sector in India for two years.
Microsoft Threat Intelligence Center says it found related activity during October 2022 and this is a “vulnerable component on all the IP addresses published as IOCs” and there is evidence of a “supply chain risk that may affect millions of organizations and devices.”
“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices. Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” Microsoft says.
Boa is an open source software web server that has been abandoned since 2005. Despite not being in use since 2005, it is still included on IoT devices and software development kits (SDKs) to this day.
“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa,” Microsoft says.
Threat
Because Boa is unsupported but still alive and in use, it could have many vulnerabilities. MSTIC points out that threat actors could use these flaws to create attacks. Vulnerabilities in place since Boa was abandoned could be exploited to allow hackers to access networks by taking info from the server’s files.
This means an attacker could enter a victim system silently by using information obtained from Boa.
“While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” Microsoft adds.
“These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the “passwd” file from the device or accessing sensitive URIs in the web server to extract a user’s credentials. Moreover, these vulnerabilities require no authentication to exploit, making them attractive targets.”
Tip of the day: File History is a Windows back up feature that saves each version of files in the Documents, Pictures, Videos, Desktop, and Offline OneDrive folders. Though its name implies a primary focus on version control, you can actually use it as a fully-fledged backup tool for your important documents.
