Microsoft Alert: This forgotten open-source web server could allow hackers to “silently” access your system


Microsoft is sounding the alarm on a very specific cybersecurity threat, which serves as a warning to all companies about the security of the open source software (OSS) supply chain.

The Microsoft Threat Intelligence Center (MSTIC) has launched its own investigation into an April 2022 report by security solutions maker Recorded Future regarding a “likely Chinese state-sponsored” threat actor that has been targeting India’s energy sector for two years.

Recorded Future listed more than a dozen Network Indicators of Compromise (IOCs) observed between late 2021 and the first quarter of 2022. They were used in 38 intrusions against multiple organizations in the Indian energy sector.

The Boa web server was discontinued in 2005

Microsoft notes that the last related activity was in October 2022, and says its researchers have identified a “vulnerable component on all IP addresses published as IOCs” by Recorded Future and found evidence of a “supply chain risk that can affect millions of organizations and devices.”

“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and device login screens. Although it was discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of popular IoT (internet of things) devices and software development kits (SDKs). If developers don’t manage the Boa web server, its known vulnerabilities could allow attackers to silently access networks by harvesting information from files.”

The Boa web server, a free software project, was discontinued in 2005. But 17 years later, it’s still present in a variety of popular IoT devices and software development kits (SDKs), according to MSTIC.

Microsoft suspects Boa remains popular in IoT devices

“Microsoft assesses that the Boa servers were running on IP addresses on the IOC list published by Recorded Future at the time of the report’s publication and that the power grid attack targeted exposed IoT devices running Boa,” Microsoft said.

The Boa web server is often used to access settings and management consoles as well as device login screens. But since Boa is no longer maintained, devices or SDKs still using it will harbor all known vulnerabilities since the date of its retirement.

Microsoft suspects that Boa remains popular in IoT devices because it is bundled in popular SDKs that provide system-on-chip (SoC) functions for microchips used in low-power devices such as routers.

“These vulnerabilities may allow attackers to execute code remotely”

A good example is RealTek’s SDKs, used in SoCs and supplied to companies that manufacture network gateways like routers, access points and repeaters. The critical flaw CVE-2021-35395 affected RealTek’s Jungle SDK, which included a Boa-based management interface. Although RealTek has released patches for the SDK, some manufacturers might not have included them in firmware updates. This is the supply chain risk that concerns Microsoft.

According to Microsoft, attackers could exploit web server vulnerabilities to gain access to networks by harvesting information from files. Additionally, organizations can use networked devices without knowing that they are running services using Boa.

“While fixes for RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include fixes for Boa vulnerabilities. Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558),” Microsoft points out.

“These vulnerabilities may allow attackers to execute code remotely after gaining access to the device by reading the device’s ‘passwd’ file, or by accessing sensitive URIs in the web server to extract a user’s credentials. Additionally, these vulnerabilities require no authentication to be exploited, making them attractive targets.”
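As an added defensive example (not code from Microsoft, Recorded Future or the ZDNet article), the following Python script shows the inventory check implied by the point above that organizations may run Boa without knowing it: given raw HTTP responses captured from an organization's own devices, it identifies services that announce a Boa banner and flags the two CVEs the article names for assessment. The host addresses and responses are constructed sample data, not real devices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVEs the article names for Boa. Every Boa banner gets them flagged for
# assessment: the project is unmaintained, so no version is known to be fixed.
BOA_KNOWN_CVES = ("CVE-2017-9833", "CVE-2021-33558")

@dataclass
class BoaFinding:
    host: str
    port: int
    server_banner: str
    version: Optional[str]
    cves_to_assess: tuple

def parse_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None.
    Header names match case-insensitively; the header block ends at the
    first blank line (Boa speaks HTTP/1.0, so a body may be absent)."""
    head = raw_response.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify_banner(banner: str):
    """Return (is_boa, version). Boa announces itself as 'Boa/<version>';
    vendor builds may append text, so only the prefix is matched."""
    m = re.match(r"Boa/(\S+)", banner, re.IGNORECASE)
    return (True, m.group(1)) if m else (False, None)

def find_boa_services(responses):
    """responses: iterable of (host, port, raw_response) captured during an
    authorized inventory of the organization's own devices."""
    findings = []
    for host, port, raw in responses:
        banner = parse_server_header(raw)
        if banner is None:
            continue
        is_boa, version = classify_banner(banner)
        if is_boa:
            findings.append(BoaFinding(host, port, banner, version, BOA_KNOWN_CVES))
    return findings

# Constructed sample responses (documentation addresses, not real devices).
SAMPLE_RESPONSES = [
    ("192.0.2.10", 80, "HTTP/1.0 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("192.0.2.11", 8080, "HTTP/1.0 401 Unauthorized\r\nserver: Boa/0.93.15\r\nWWW-Authenticate: Basic realm=\"router\"\r\n\r\n"),
    ("192.0.2.12", 443, "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n"),
]
```

Running `find_boa_services(SAMPLE_RESPONSES)` reports the two Boa hosts with their versions and the CVEs to assess, and ignores the nginx host.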

Source: ZDNet.com