Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Warns of Boa Web Server Risks After Hackers Target It in Power Grid Attacks

Microsoft is warning organizations about the risks associated with the discontinued Boa web server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.

Microsoft is warning organizations about the risks associated with the discontinued Boa web server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.

In 2021, threat intelligence company Recorded Future reported seeing a Chinese threat group targeting operational assets within India’s power grid. In April 2022, the cybersecurity firm published a new report describing attacks launched by a different Chinese state-sponsored threat actor against organizations in India’s power sector.

Targets included several State Load Despatch Centres (SLDCs) responsible for carrying out grid control and electricity dispatch operations. These SLDCs maintain grid frequency and stability through access to supervisory control and data acquisition (SCADA) systems.

When it released its report in April, Recorded Future shared some indicators of compromise (IoCs) to help organizations detect potential intrusions.

Microsoft has analyzed the IP addresses included in those IoCs and determined that they hosted Boa, an open source web server designed for embedded applications. The problem is that Boa has been discontinued since 2005, but it’s still present in many IoT devices.

“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa,” Microsoft said in a blog post published on Tuesday.

An analysis conducted by the tech giant showed that some of the IP addresses were associated with vulnerable IoT devices, such as routers, housed by organizations in critical industries.

A Shodan search reveals hundreds of thousands of internet-exposed Boa web servers, including many in South Korea, Taiwan and the United States.

While Boa is no longer maintained, vulnerabilities are still being found in the web server, such as CVE-2017-9833, which allows arbitrary file access, and CVE-2021-33558, which can lead to information disclosure.

According to Microsoft, an unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.

One major issue related to Boa is that its presence in a product may not even be known as it’s often included in popular SDKs. For instance, a Realtek SDK provided to companies that make routers, access points and other gateway devices includes the Boa web server. It’s worth noting that Realtek SDK vulnerabilities have been known to be exploited in attacks.

“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network,” Microsoft said. “Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated.”

“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people,” it added.

Microsoft said it continues to see attacks targeting Boa vulnerabilities.

Recorded Future said that while it had not seen any evidence of industrial control system (ICS) networks being compromised in the attacks aimed at India’s energy sector, it could not rule it out. Now, Microsoft has also warned that the use of vulnerable components, such as Boa, could pose risks to IoT, as well as OT environments.

Related: Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks

Related: Security Camera Feeds Exposed Due to Flaw in SDK Used by Many Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.