Microsoft this week identified an attack vector that undermines industrial control systems (ICS) and is, unfortunately, widespread across critical infrastructure networks: the Boa web server.
The computing giant identified vulnerabilities in Boa servers as the initial access point for a successful attack on India’s energy sector by Chinese hackers earlier this year. The bottom line is that Boa is an obsolete web server, discontinued since 2005.
It may seem strange that a web server discontinued almost 20 years ago is still hanging around, but Boa is included in a variety of popular software development kits (SDKs) that Internet of Things device developers use to design critical ICS components, according to Microsoft. As such, it is still used in countless IoT devices to expose settings, management consoles and sign-in screens for devices on industrial networks. This leaves critical infrastructure vulnerable to large-scale attacks.
The researchers note that these include SDKs released by RealTek that are used in systems on chip (SoCs) offered to companies that manufacture gateway devices such as routers, access points and repeaters.
In April, Recorded Future reported that its researchers believed the attack on India’s power sector came from a Chinese threat actor tracked as RedEcho. This activity targeted organizations responsible for real-time operations of grid control and distribution within several states in northern India and occurred throughout the year.
The vulnerable component behind the attack turned out to be the Boa web server. According to a Microsoft Security Threat Intelligence blog post published Nov. 22, the Boa web server, and the vulnerabilities it introduces into IoT components, is a supply chain blind spot: the developers and administrators who manage the systems and their various devices are often unaware of it. In fact, researchers say, administrators are often unaware that updates and patches are not compatible with the Boa servers.
“If the developer does not control the Boa web server, known vulnerabilities in it could allow attackers to gain covert network access by gathering information from files,” the researchers wrote in the post.
Making the Discovery
It took some research to pinpoint the Boa servers as the ultimate culprit in the attack on India’s energy sector, researchers say. They noticed that Boa servers were running on IP addresses on the list of indicators of compromise (IoCs) that Recorded Future published at the time of the release, and that the attacks on the power grid targeted exposed IoT devices running Boa, they said.
Additionally, half of the IP addresses returned suspicious HTTP response headers. The researchers note that this may be related to the aggressive deployment of malicious tools identified by Recorded Future that were used in the attack.
Upon further investigation of the headers, they found that more than 10% of all active IP addresses returning these headers were associated with critical industries (such as the oil industry and related fleet services). Many of the IP addresses were assigned to IoT devices with severe unpatched vulnerabilities. This highlighted an “attack vector accessible to malware operators,” according to Microsoft.
The final clue was that most of the suspicious HTTP response headers the researchers observed were returned within a short timeframe of a few days, potentially leading to intrusions and malicious activity on the network, they said.
Security Vulnerability Gap in the Supply Chain
It’s no secret that the Boa web server is full of holes. In particular, an arbitrary file access flaw (CVE-2017-9833) and an information disclosure flaw (CVE-2021-33558) remain unpatched and do not require authentication to exploit, researchers say.
“These vulnerabilities allow attackers to remotely execute code after gaining device access by reading the ‘passwd’ file from the device or by accessing sensitive URIs on the web server to extract user credentials,” they wrote.
Patches for the RealTek SDK vulnerabilities are available, but some vendors may not include them in their device firmware updates, and the updates do not include patches for the Boa vulnerabilities. This is also what makes the presence of the Boa web server within ICS ripe for exploitation, the researchers added.
Current threat activity and mitigation
According to Microsoft research, Chinese attackers targeted Boa servers again as recently as late October. That month, the Hive threat group claimed a ransomware attack against India’s Tata Power. Researchers who continuously track the activity also continue to see attackers attempting to exploit Boa’s vulnerabilities, with “Boa still being targeted as an attack vector,” which indicates that the vulnerabilities will persist as long as these servers are in use.
For this reason, it is important that ICS network administrators identify where vulnerable Boa servers are in use, patch the vulnerabilities where possible, and take other steps to mitigate the risk of future attacks, the researchers say.
Specific steps include enabling vulnerability assessment to identify unpatched devices in the network, setting up workflows to initiate the appropriate patching process, and using device detection and classification to identify devices with vulnerable components.
Administrators should also extend vulnerability and risk detection beyond firewalls to identify internet-facing infrastructure running Boa web server components, the researchers said. They can also reduce the attack surface by eliminating unnecessary internet connections to IoT devices in the network and by using firewalls and network isolation to segment all IoT and critical device networks.
Other mitigations to consider include using proactive antivirus scanning to identify malicious payloads on devices, configuring detection rules to identify malicious activity wherever possible, and employing a comprehensive IoT and OT solution to monitor devices, respond to threats, increase visibility, and alert when IoT devices running Boa are used as entry points into the network.
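A defender-side way to carry out the inventory step the researchers describe, as an added example that is not code from the article or from Microsoft’s post: parse captured HTTP response heads from devices on the network, pull out the Server header, and flag hosts that advertise Boa or that sit on a published IoC list. The header samples, IP addresses, version strings and IoC entries below are constructed placeholders, and the `assess` helper and its severity labels are this example’s own.

```python
"""Flag devices that advertise the Boa web server in their HTTP response headers.

Added example; not code from the article or from Microsoft. All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: raw HTTP response heads captured from four devices.
SAMPLE_RESPONSES = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.13\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.11": "HTTP/1.1 401 Unauthorized\r\nServer: nginx/1.18.0\r\nWWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
    "192.0.2.12": "HTTP/1.0 200 OK\r\nserver: boa/0.93.15\r\n\r\n",  # lowercase header name
    "192.0.2.13": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",  # no Server header
}
# Constructed IoC list standing in for a published indicator list (e.g. Recorded Future's).
SAMPLE_IOCS = {"192.0.2.12", "198.51.100.7"}

# Boa advertises itself as "Boa/<version>"; the version part may be absent.
BOA_RE = re.compile(r"^Boa(?:/(\S+))?", re.IGNORECASE)
SEVERITY_ORDER = ["critical", "high", "medium", "info"]


@dataclass
class Finding:
    host: str
    server: Optional[str]       # raw Server header value, if any
    boa_version: Optional[str]  # None when the device does not run Boa
    in_ioc_list: bool

    @property
    def severity(self) -> str:
        # Boa on a known-bad address is the combination the researchers hunted for.
        if self.boa_version and self.in_ioc_list:
            return "critical"
        if self.boa_version:
            return "high"
        if self.in_ioc_list:
            return "medium"
        return "info"


def server_header(raw: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response head (name matched case-insensitively)."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def assess(responses: Dict[str, str], iocs: Set[str]) -> List[Finding]:
    """Classify every host and return findings ordered from most to least severe."""
    findings = []
    for host, raw in responses.items():
        srv = server_header(raw)
        match = BOA_RE.match(srv) if srv else None
        version = (match.group(1) or "unknown") if match else None
        findings.append(Finding(host, srv, version, host in iocs))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))
```

Feed `assess` the heads collected by your own scanner and the IoC list you actually track; anything rated high or critical is a device to patch or isolate first.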