Boa Web Server Vulnerability - 20221128001
Overview
Microsoft is warning organizations about the risks associated with the discontinued Boa Web Server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.
What is the vulnerability?
According to Microsoft, an unauthenticated attacker could exploit these vulnerabilities to obtain user credentials and leverage them for remote code execution.
While Boa is no longer maintained, vulnerabilities are still being found in the web server, such as:
- CVE-2007-4915 - which allows remote attackers to change the admin password stored in memory via a long username in an HTTP Basic Authentication request.
- CVE-2017-9833 - which allows for arbitrary file access, and
- CVE-2018-21027 - which allows remote attackers to trigger an out-of-memory (OOM) condition because malloc is mishandled.
What is vulnerable?
Targets included several State Load Despatch Centres (SLDCs) responsible for carrying out grid control and electricity dispatch operations. These SLDCs maintain grid frequency and stability through access to supervisory control and data acquisition (SCADA) systems.
An analysis conducted by Microsoft showed that some of the IP addresses were associated with vulnerable IoT devices, such as routers, housed by organizations in critical industries.
A Shodan search reveals hundreds of thousands of internet-exposed Boa web servers, including many in South Korea, Taiwan and the United States. Within Australia, however, there are approximately 3,394, 200 of which are in Perth, Western Australia.
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
- Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on, and upon review consider blocking, connection attempts to and from the external IP addresses and domains listed in the Insikt Group research.
- Recorded Future proactively detects and logs malicious server configurations in the Command and Control Security Control Feed. The Command and Control list includes tools used by TAG-38 and Chinese state-sponsored threat activity groups, such as ShadowPad. Recorded Future clients should alert on and block these C2 servers to allow for detection and remediation of active intrusions.
- Monitor for consistent anomalous outbound traffic from your network to unusual servers, such as the compromised DVR/IP camera systems in this case, which may be indicative of malware beaconing activity.
- Ensure software and firmware associated with IoT devices, such as DVR/IP camera systems, are kept up to date. Always change any default passwords to a strong, complex password and turn on two-factor authentication (2FA) if available. Where possible, avoid exposing these devices directly to the internet.
- Recorded Future Threat Intelligence, Third-Party Intelligence, and SecOps Intelligence module users can monitor real-time output from network traffic analysis analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.
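One way to implement the "consistent anomalous outbound traffic" check from the recommendations above, as an added example that is not part of this advisory: group outbound connections per source/destination pair and flag pairs whose connection intervals are nearly constant, which is the signature of fixed-period beaconing. The log format, hosts and timestamps are constructed for the example and are not taken from the page or the Insikt Group research.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (assumed format, not from the advisory):
# "<ISO timestamp> <source host> <destination IP> <destination port>"
SAMPLE_LOGS = """\
2022-11-28T10:00:00Z 10.0.5.12 203.0.113.45 443
2022-11-28T10:00:31Z 10.0.5.12 203.0.113.45 443
2022-11-28T10:01:00Z 10.0.5.12 203.0.113.45 443
2022-11-28T10:01:29Z 10.0.5.12 203.0.113.45 443
2022-11-28T10:02:01Z 10.0.5.12 203.0.113.45 443
2022-11-28T10:00:05Z 10.0.5.40 198.51.100.7 443
2022-11-28T10:07:12Z 10.0.5.40 198.51.100.7 443
2022-11-28T10:09:48Z 10.0.5.40 198.51.100.7 443
2022-11-28T10:31:02Z 10.0.5.40 198.51.100.7 443
2022-11-28T10:33:15Z 10.0.5.40 198.51.100.7 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_logs(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, src, dst, port = m.groups()
        flows[(src, dst, int(port))].append(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows

def beacon_candidates(flows, min_connections=5, max_cv=0.2):
    """Return (flow, mean gap seconds, cv) for flows whose gaps between
    connections are suspiciously regular. cv = stdev / mean of the gaps;
    a human-driven flow has a high cv, a timer-driven beacon a low one."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, not a periodic pattern
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((key, mean, round(cv, 3)))
    return hits
```

Candidates still need review against known-good destinations (update servers, monitoring agents) before an alert is raised; the regularity check only narrows the list.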