Researchers with Microsoft are warning that the Boa web server poses a security supply chain risk to Internet of Things (IoT) devices. Despite having been discontinued and carrying various known security flaws, the web server is still used in a wide range of routers and cameras, as well as in software development kits (SDKs), to serve management consoles and device sign-in screens.
Microsoft identified the vulnerable open-source component while investigating a suspected Indian electric grid intrusion first detailed by Recorded Future in April, in which attackers used IoT devices as a way to gain a foothold on operational technology (OT) networks. On closer inspection, Microsoft found that Boa web servers were running on all of the IP addresses published as IoCs in Recorded Future’s analysis. Microsoft researchers said the web server, discontinued in 2005, posed a security supply chain risk affecting millions of organizations and devices – and they identified 1 million internet-exposed Boa server components globally over the span of a week.
“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” according to Microsoft Security Threat Intelligence in a Tuesday analysis. “Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”
The attacks on Indian critical infrastructure detailed by Recorded Future started in 2020 and were observed as recently as October, said Microsoft. While looking at the IP