In a series of malicious incidents, Chinese threat actors tracked as RedEcho have used the insecure and widespread Boa web server to penetrate the electrical grid in India. DarkReading reported that Microsoft had identified an immense attack vector in the Boa web server, which is pervasive across critical infrastructure networks and was responsible for disabling industrial control systems (ICS). Microsoft identified the Boa web server as the culprit behind successful attacks on the Indian energy sector in April of this year, with initial access gained through vulnerabilities in the server. The cyberattack compromised organizations responsible for real-time grid-control and electricity-dispatch operations in several northern Indian states.
Discovering the threat actor:
In a peculiar twist, the Boa web server has been discontinued since 2005, and it is puzzling how a 20-year-old server is still lingering in production. Microsoft reiterated that Boa is incorporated in a range of popular software development kits (SDKs) that Internet of Things (IoT) device developers use when designing critical components for ICS. The Boa web server is used in many IoT devices for management consoles, settings pages, and industrial-network sign-in screens, which leaves critical infrastructure exposed to large-scale attacks. The SDKs distributed by Realtek and implemented in the SoCs delivered to manufacturers of devices such as routers, access points, and repeaters also embed the Boa web server. The discovery that Boa servers were the chief culprit in the Indian energy-sector attacks took some time. The first step was observing that Boa servers were running on the IP addresses in the list of indicators of compromise (IoCs) published by Recorded Future, and that the compromised IoT devices in the attacked electrical grid were running Boa. This was confirmed by observing that half of the exposed IP addresses returned suspicious HTTP response headers, hinting at a link with the active deployment of the malicious tool described by Recorded Future. Detailed inspection of the headers showed that more than 10% of all the active IP addresses returning the unsafe headers belonged to critical industries, including petroleum and associated fleet services. The unpatched, dangerous vulnerabilities of these IoT devices served as an easy attack vector for malware operators. The final step in the discovery was that the suspicious HTTP response headers reappeared within days, linking them to intrusion and malicious activity on the networks.
A Microsoft Security Threat Intelligence blog post highlights that the vulnerabilities in the IoT component supply chain introduced by the embedded web server are invisible to the developers and administrators who manage the system and its devices. Administrators are unaware that updates and patches do not address the Boa server, which lets attackers exploit its weaknesses to gain silent access and gather information from files. The unpatched, unauthenticated arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558) vulnerabilities are security gaps in the Boa web server that allow attackers to execute code remotely.
The threat actors gain access to the device by reading the "passwd" file from the device or by using sensitive Boa server URIs to extract a user's credentials. Severe vulnerabilities such as CVE-2021-35395 in Realtek's SDK, and the zero-click overflow CVE-2022-27255, affected the remote administration of millions of devices globally. These flaws allow attackers to execute code, compromise devices, deploy botnets, and later move throughout the network. The absence of patches for the Realtek SDK and Boa vulnerabilities in device firmware updates resulted in ICS exploitation. Microsoft's research also pointed to a recent ransomware attack on the Boa server of Tata Power in India carried out by the Chinese Hive group. Continuous monitoring of attacks brought to light the targeting of Boa vulnerabilities as the attack vector. With this in mind, it has become vital for ICS network administrators to pinpoint and eradicate Boa server vulnerabilities to reduce the risk of future attacks.
Mitigating the Boa server vulnerabilities:
Specific measures to mitigate the Boa vulnerabilities include device discovery and classification to recognize unprotected device components, and vulnerability assessments of unpatched devices on the network. Developers should maintain a proper workflow with solutions that fit the patch process. Vulnerability and risk assessment should also extend beyond the firewall to locate internet-exposed infrastructure running Boa web server components. Cutting unnecessary internet connections of IoT devices and isolating critical-device networks behind firewalls reduces the attack surface. Proactive antivirus scanning for malicious payloads, detection rules for malicious activity, and comprehensive IoT and OT monitoring solutions increase visibility into entry-point IoT devices running the Boa web server.
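The header-based discovery described under "Discovering the threat actor" and the device-discovery step in the mitigations above, as an added example that is not part of the original article or of Microsoft's tooling: a small Python inventory routine that parses raw HTTP response headers captured from an internal asset scan, flags hosts advertising a Boa Server header, and tags them with the Boa CVEs named in this article. The sample responses, IP addresses and version strings are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample of raw HTTP responses, as an asset-discovery scan of an
# internal segment might record them (not real captures).
SAMPLE_RESPONSES = {
    "10.0.1.10": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.1.11": "HTTP/1.0 401 Unauthorized\r\nserver: boa/0.94.13\r\nWWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
    "10.0.1.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "10.0.1.13": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Boa issues named in the article. Boa has had no maintained release since 2005,
# so every version string is treated as unpatched rather than range-checked.
BOA_CVES = ("CVE-2017-9833", "CVE-2021-33558")

# Header names are case-insensitive; $ in MULTILINE mode sits before "\n", and
# the trailing \s* absorbs the "\r" of CRLF line endings.
SERVER_RE = re.compile(r"^server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
BOA_RE = re.compile(r"^boa/([\w.\-]+)", re.IGNORECASE)


def server_header(raw: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]  # headers only, never the body
    m = SERVER_RE.search(head)
    return m.group(1) if m else None


def classify(raw: str) -> dict:
    """Classify one response: is it Boa, which version, and what to do about it."""
    srv = server_header(raw)
    m = BOA_RE.match(srv) if srv else None
    if not m:
        return {"server": srv, "boa": False, "version": None, "cves": (), "action": "none"}
    return {"server": srv, "boa": True, "version": m.group(1), "cves": BOA_CVES,
            "action": "isolate from internet; request firmware without Boa from vendor"}


def boa_inventory(responses: dict) -> list:
    """Return (ip, version) for every host that identifies as Boa, sorted by IP."""
    return sorted((ip, classify(raw)["version"])
                  for ip, raw in responses.items() if classify(raw)["boa"])


if __name__ == "__main__":
    for ip, version in boa_inventory(SAMPLE_RESPONSES):
        print(f"{ip}: Boa {version} -> {', '.join(BOA_CVES)}")
```

A device that hides or rewrites its Server header will not be caught by this check alone, which is why the article pairs header inspection with firmware-level device classification.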