
Microsoft has warned that a long-discontinued web server is being targeted by hackers to gain access to industrial control systems (ICS).
The targeted web servers are running Boa. If the Boa web server doesn’t sound familiar, you’re not alone. It was discontinued in 2005, but it is still being used in IoT devices.
The Boa web server continues to be implemented by different vendors across various IoT devices and software development kits. With zero development and limited patching in 17 years, Boa is full of known vulnerabilities, and hackers are targeting devices with Boa installed to gain access to networks and steal information.
During the trace activity, more than 10% of active IP addresses related to critical industries, including the petroleum industry and associated fleet services, were running Boa web servers.
Boa web servers are not limited to India, though it topped the list. The researchers identified more than 1 million internet-exposed Boa server components in the space of a week.
IoT device vendors are still using Boa in new devices. One reason is that Boa is included in SDKs, which contain essential functions that operate the system on chip (SoC) implemented in microchips. Popular SDKs such as those released by Realtek Semiconductor Corp. include Boa and, although patches are available to address Realtek SDK vulnerabilities, other vendors either do not provide firmware updates or have not addressed Boa vulnerabilities.
Microsoft’s researchers recommend that, along with patching vulnerable devices wherever possible, network operators use discovery and classification to identify devices with vulnerable components.
Vulnerability and risk detection should be extended beyond the firewall, the attack surface reduced and proactive antivirus scanning put in place.
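One way to apply the discovery-and-classification recommendation to HTTP response headers already collected from your own devices, as an added example that is not taken from Microsoft's report: it sorts devices by their `Server` banner and flags those identifying as Boa. The inventory entries are constructed, the function names are hypothetical, and a missing banner does not rule Boa out.

```python
import re
from collections import defaultdict

# Boa identifies itself in the Server header, e.g. "Server: Boa/0.94.14rc21".
# The trailing (?:\s|$) avoids matching unrelated names that merely start with "Boa".
BOA_RE = re.compile(r"^Boa(?:/(?P<version>\S+))?(?:\s|$)", re.IGNORECASE)

# Constructed sample: (device IP, raw HTTP response head) pairs as an internal
# asset scanner might store them. Addresses are from documentation ranges.
SAMPLE_INVENTORY = [
    ("192.0.2.10", "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n"),
    ("192.0.2.11", "HTTP/1.0 401 Unauthorized\r\nserver: boa/0.94.13\r\nWWW-Authenticate: Basic\r\n\r\n"),
    ("192.0.2.12", "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("198.51.100.7", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),  # no banner
    ("198.51.100.8", "HTTP/1.1 200 OK\r\nX-Note: Server: Boa/0.94.13\r\nServer: lighttpd\r\n\r\n"),
]

def server_header(raw_head):
    """Return the Server header value from a raw response head, or None."""
    head = raw_head.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(inventory):
    """Group devices into 'boa', 'other' and 'unknown' by Server banner."""
    result = defaultdict(list)
    for ip, raw in inventory:
        banner = server_header(raw)
        if banner is None:
            # No banner: the device may still embed Boa; review its firmware/SDK.
            result["unknown"].append(ip)
            continue
        match = BOA_RE.match(banner)
        if match:
            result["boa"].append((ip, match.group("version") or "unversioned"))
        else:
            result["other"].append(ip)
    return dict(result)

if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_INVENTORY).items():
        print(bucket, items)
```

Devices in the `unknown` bucket are the ones to follow up through firmware or SDK inspection, since vendors can strip or change the banner.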