Microsoft Warns of Boa Web Server Risks After Hackers Target It in Power Grid Attacks

Microsoft is warning organizations about the risks associated with the discontinued Boa web server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.

In 2021, threat intelligence company Recorded Future reported seeing a Chinese threat group targeting operational assets within India’s power grid. In April 2022, the cybersecurity firm published a new report describing attacks launched by a different Chinese state-sponsored threat actor against organizations in India’s power sector.

Targets included several State Load Despatch Centres (SLDCs) responsible for carrying out grid control and electricity dispatch operations. These SLDCs maintain grid frequency and stability through access to supervisory control and data acquisition (SCADA) systems.

When it released its report in April, Recorded Future shared some indicators of compromise (IoCs) to help organizations detect potential intrusions.

Microsoft has analyzed the IP addresses included in those IoCs and determined that they hosted Boa, an open source web server designed for embedded applications. The problem is that Boa has been discontinued since 2005, but it’s still present in many IoT devices.

“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa,” Microsoft said in a blog post published on Tuesday.

An analysis conducted by the tech giant showed that some of the IP addresses were associated with vulnerable IoT devices, such as routers, housed by organizations in critical industries.

A Shodan search reveals hundreds of thousands of internet-exposed Boa web servers, including many in South Korea, Taiwan and the United States.
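A defender-side inventory check to go with the exposure figures above (an added example, not code from the article or from Microsoft's analysis). It assumes Boa announces itself in the HTTP Server header as Boa/version, the same banner Shodan indexes; the responses and addresses are constructed samples.

```python
import re
from typing import Optional

# Constructed sample HTTP responses keyed by host (documentation-range
# addresses, not real devices). Only the header block matters here.
SAMPLE_RESPONSES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>",
    "192.0.2.11": b"HTTP/1.0 401 Unauthorized\r\nserver: boa/0.94.13\r\n"
                  b"WWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
    "192.0.2.12": b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n",
    "192.0.2.13": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Assumed banner shape: "Boa" optionally followed by "/<version>".
BANNER_RE = re.compile(r"^\s*boa\b(?:/(\S+))?", re.IGNORECASE)


def parse_headers(raw: bytes) -> dict:
    """Return lowercased header name -> value for an HTTP response; body ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def boa_version(raw: bytes) -> Optional[str]:
    """Advertised Boa version ('' if Boa without a version), or None if not Boa."""
    server = parse_headers(raw).get("server")
    if server is None:
        return None
    match = BANNER_RE.match(server)
    return (match.group(1) or "") if match else None


def find_boa_hosts(responses: dict) -> dict:
    """Map host -> Boa version for every host whose banner identifies Boa."""
    found = {}
    for host, raw in responses.items():
        version = boa_version(raw)
        if version is not None:
            found[host] = version
    return found
```

A banner match only catches devices that advertise the server; since the article notes Boa often arrives silently inside SDKs, a firmware component inventory is still needed for the rest.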

While Boa is no longer maintained, vulnerabilities are still being found in the web server, such as CVE-2017-9833, which allows arbitrary file access, and CVE-2021-33558, which can lead to information disclosure.

According to Microsoft, an unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.

One major issue related to Boa is that its presence in a product may not even be known as it’s often included in popular SDKs. For instance, a Realtek SDK provided to companies that make routers, access points and other gateway devices includes the Boa web server. It’s worth noting that Realtek SDK vulnerabilities have been known to be exploited in attacks.

“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network,” Microsoft said. “Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated.”

“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people,” it added.

Microsoft said it continues to see attacks targeting Boa vulnerabilities.

Recorded Future said that while it had not seen any evidence of industrial control system (ICS) networks being compromised in the attacks aimed at India’s energy sector, it could not rule it out. Now, Microsoft has also warned that the use of vulnerable components such as Boa could pose risks to IoT as well as OT environments.

Related: Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks

Related: Security Camera Feeds Exposed Due to Flaw in SDK Used by Many Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
