Current Activity
Threat actors exploiting discontinued Boa web servers to target IoT devices
Indian Computer Emergency Response Team (CERT-In, cert-in.org.in)

It has been reported that implementations of the Boa web server by different vendors across a variety of IoT devices and popular software development kits (SDKs) pose a supply chain risk that may affect a large number of organizations and devices.

Boa is an open-source, small-footprint web server suited to embedded applications; upstream development was discontinued in 2005. It is still shipped in devices ranging from routers to security cameras, where it typically serves the device's settings pages, management console and sign-in screen, and it is bundled in SDKs used to build such devices.

Boa web servers are affected by several known vulnerabilities, including CVE-2017-9833 (arbitrary file access) and CVE-2021-33559 (information disclosure). An unauthenticated attacker can use them to read the device's "passwd" file or other sensitive URIs served by the web server, extract user credentials, and then log in to the device, which may in turn lead to remote code execution.

Updating a device's firmware does not always update the SDKs or specific SoC components bundled inside it, and organizations have limited visibility into which components a device contains and whether they can be updated at all. Known vulnerabilities in such components allow an attacker to collect information about network assets before launching an attack, and then to gain access to the network undetected by using the valid credentials obtained.
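The credential-harvesting pattern described above (traversal or direct reads of "passwd" and other sensitive URIs, followed by a login with the stolen credentials) leaves a trace in the web server's access log. The following is an added example, not code from the advisory or from the Boa project: a small triage script that parses access-log lines in Common Log Format and flags requests carrying directory-traversal sequences (including URL-encoded and double-encoded forms) or reads of /etc/passwd or /etc/shadow, rating a 200 response on such a request as high severity because the file most likely came back. The log lines, the /cgi-bin/view endpoint and the IP addresses are constructed for the example; the exact request shape used against a given Boa build is an assumption, not something the advisory states.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Files an attacker reads to harvest device credentials
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)\b')

# Constructed sample log (not real telemetry). Hosts 198.51.100.7 and 192.0.2.9
# are benign; 203.0.113.44 attempts traversal reads of credential files through
# a hypothetical /cgi-bin/view endpoint, once plainly, once URL-encoded, once
# as a bare traversal that the server rejected with 404.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2022:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [10/Nov/2022:08:01:13 +0000] "GET /login.cgi HTTP/1.1" 200 1380
203.0.113.44 - - [10/Nov/2022:08:02:01 +0000] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1" 200 910
203.0.113.44 - - [10/Nov/2022:08:02:03 +0000] "GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 1200
203.0.113.44 - - [10/Nov/2022:08:02:10 +0000] "GET /../../../etc/passwd HTTP/1.1" 404 0
192.0.2.9 - - [10/Nov/2022:08:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5400
"""


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_path(path):
    """URL-decode up to twice so double-encoded traversal (%252e%252e%252f) is caught."""
    prev = path
    for _ in range(2):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def classify_request(path):
    """Return the list of reasons a request path looks like credential harvesting."""
    decoded = decode_path(path)
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive-file")
    return reasons


def triage(log_text):
    """Scan a log and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        reasons = classify_request(rec["path"])
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "reasons": reasons,
                # A 200 means the server most likely returned the file contents.
                "severity": "high" if rec["status"] == 200 else "medium",
            })
    return findings


def suspects(findings):
    """Count flagged requests per source IP, for pivoting into firewall and auth logs."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["ip"], f["path"], f["reasons"])
    print("per-source counts:", dict(suspects(found)))
```

A source that shows up here should then be checked in the device's authentication log for a subsequent successful login, since that is the step the advisory describes as the attacker obtaining "valid credentials" and moving on undetected.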

Indicators of Compromise

The following IP addresses have been reported in association with vulnerable Boa server instances:

122[.]117[.]212[.]65
103[.]58[.]93[.]133
125[.]141[.]38[.]53
14[.]45[.]33[.]239
14[.]55[.]86[.]138
183[.]108[.]133[.]29
183[.]99[.]53[.]180
220[.]94[.]133[.]121
58[.]76[.]177[.]166


Recommendations:

Patch vulnerable devices whenever possible to reduce exposure across the organization; where a vendor update does not cover the embedded SDK or SoC component, treat the device as still vulnerable.
Use device discovery and classification to identify devices with vulnerable components, enable vulnerability assessments that identify unpatched devices on the organizational network, and set up workflows for initiating the appropriate patch process.
Extend vulnerability and risk detection beyond the firewall: identify internet-exposed infrastructure in the inventory that is running Boa web server components.
Reduce the attack surface by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation so that an attacker who compromises a device cannot move laterally to other assets. IoT and critical device networks should be isolated with firewalls.
Use proactive antivirus scanning to identify malicious payloads on devices.
Adopt a comprehensive IoT and OT monitoring solution that increases visibility into devices and responds to threats, so that it can detect and alert when an IoT device running Boa is used as an entry point into the network, and protect critical infrastructure.
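The inventory recommendation above depends on being able to recognise Boa in the first place. Boa identifies itself in the HTTP Server header (for example "Server: Boa/0.94.14rc21"), so a banner check over the existing asset inventory is the quickest first pass. The following is an added example, not code from the advisory or from any vendor: it extracts the Boa version from a Server header, classifies a list of (host, header) records, and includes an optional live probe built on the standard library's http.client for hosts you are authorised to scan. The inventory records and hostnames are constructed for the example.

```python
import http.client
import re

# Boa's banner looks like "Boa/0.94.13" or "Boa/0.94.14rc21".
BOA_RE = re.compile(r'\bBoa/(?P<ver>\d+(?:\.\d+)*(?:rc\d+)?)', re.IGNORECASE)


def identify_boa(server_header):
    """Return the Boa version announced in a Server header, or None if it is not Boa."""
    if not server_header:
        return None
    m = BOA_RE.search(server_header)
    return m.group("ver") if m else None


def fetch_server_header(host, port=80, timeout=3.0):
    """Live probe: one GET / against a host you are authorised to scan.

    Returns the Server header, or None on connection error or if the header is
    absent. Not exercised by the offline demo below.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "boa-inventory-check"})
        return conn.getresponse().getheader("Server")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


# Constructed inventory records (host, observed Server header); not real data.
SAMPLE_INVENTORY = [
    ("10.0.0.11", "Boa/0.94.14rc21"),
    ("10.0.0.12", "Boa/0.93.15"),
    ("10.0.0.13", "lighttpd/1.4.59"),
    ("10.0.0.14", None),                 # banner stripped, or no HTTP answer
    ("10.0.0.15", "Apache/2.4.54 (Unix)"),
]


def classify_inventory(records):
    """Return one record per host whose banner announces Boa, with a follow-up action."""
    hits = []
    for host, header in records:
        ver = identify_boa(header)
        if ver is None:
            continue
        hits.append({
            "host": host,
            "version": ver,
            # Upstream Boa is unmaintained since 2005, so every version is a
            # candidate regardless of number; the vendor may or may not have
            # back-ported fixes into its own build.
            "action": "confirm vendor patch status; remove internet exposure; segment",
        })
    return hits


if __name__ == "__main__":
    for hit in classify_inventory(SAMPLE_INVENTORY):
        print(hit)
```

A missing or rewritten banner is not a negative result: vendors sometimes strip or rebrand the Server header, so banner hits should be cross-checked against firmware bill-of-materials data and the characteristic management-UI paths of the device family, and hosts that return nothing should be followed up rather than marked clean.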