This week, Microsoft warned that millions of deployments of a 17-year-old web server are vulnerable to intrusion. Attackers have exploited the open-source Boa web server, which Internet of Things (IoT) devices commonly use to serve their settings pages, admin consoles, and sign-in screens.
Microsoft focused on this threat following an investigation into a Recorded Future report published in April 2022, which details malicious cyber activity against the Indian power grid by a Chinese government-backed group. The IP addresses and indicators of compromise Recorded Future shared pointed to the use of the abandoned Boa web server.
The company says that even though the Boa server was retired in 2005, it is still included in popular software development kits (SDKs) and shipped in a host of IoT devices such as routers, cameras, and access points, a supply chain security problem in its own right.
Redmond has identified over one million Internet-facing Boa web servers; a Shodan search returns about 1.58 million results.
The October 2020 blackout in India’s financial capital Mumbai was suspected to have been caused by a cyber attack by a Chinese threat actor.
According to an assessment by Recorded Future, since December 2021, Chinese threat actors have used the ShadowPad Trojan three times against power grids in India’s Ladakh sector without success. The same hackers also compromised the national emergency response system and the Indian subsidiary of a multinational logistics company.
Most recently, the Hive ransomware gang targeted Tata Power, a prominent Indian power company, in October 2022, stealing and leaking employees’ personally identifiable information (PII) such as salary details, Aadhaar national identification numbers and PAN (permanent account number) tax identifiers, along with company financial data and some engineering drawings.
In an interview with Spiceworks News and Insights, KnowBe4 security awareness advocate James McQuiggan explained why such supply chain risks arise in critical infrastructure. “The downside of open source software is that when it comes to legacy products, they are rarely updated. If exploits are available, those systems are very vulnerable.”
McQuiggan adds: “Other organizations may have updated and replaced systems that use this 17-year-old open source application, but there is still a possibility of seeing them in SCADA environments and other critical infrastructure.”
Beyond targeted attacks on critical infrastructure, the supply chain risk is broader: there are probably millions of organizations deploying IoT devices built on vulnerable SDKs. Microsoft showed how security gaps in the upstream RealTek SDK, which device makers rely on to build firmware for the underlying system-on-a-chip (SoC), propagate into products such as routers, access points, and repeaters.
Boa Web Server IoT Supply Chain Vulnerability | Source: Microsoft
See also: US government rolls out new framework to strengthen software supply chain security
In an interview with Spiceworks News and Insights, Cerberus Sentinel biometrics specialist Sami Elhini emphasized the importance of adopting a secure-by-design approach to development to avoid future problems.
Elhini recalls: “Why? Because it hadn’t been maintained in 12 years! That’s a serious red flag.”
“But these aren’t the only red flags. You just have to read the documentation to see that it served one purpose, and that is to be fast. Thanks to the industries I have worked in, security has always been a necessity, and designing solutions is considered as important as solving problems.”
Sonatype’s 8th Annual State of the Software Supply Chain Report reveals a 633% year-over-year spike in attacks against open source projects in public repositories, and an average annual growth rate of 742% in software supply chain attacks since 2019.
However, this does not mean that open source is inherently more exposed to threats. “Every product has risks,” Elhini said. “OSS is considered risky because its code is open to everyone. Closed source software is not immune to vulnerabilities, and most of the time the world doesn’t know about vulnerabilities until they are exploited. There are risks anyway.”
As McQuiggan pointed out, attacks via open source tools are tied to a lack of timely updates. Additionally, the sheer reach of open source projects such as Log4j, Apache Commons Text, OpenSSL and Spring Core means a single vulnerability can blow the problem out of proportion.
Boa, an open source web server for embedded system applications, can lead the uninformed to denounce open source. But it is important to recognize one simple fact: the project was abandoned in 2005, so the blame lies with those who decided to keep using it 17 years later.
As Elhini explains to Spiceworks: “Having a cybersecurity culture is the only thing that can mitigate these risks. … extend into the development process and permeate system administration and monitoring activities.”
As an additional step, McQuiggan suggests that organizations maintain software and hardware risk registers, audit their systems and software annually to keep them up to date, and find and remediate vulnerabilities.
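As an added example (not code from the article, Microsoft, or the Boa project), the script below sketches the kind of audit McQuiggan describes: a small risk register of end-of-life components is checked against the HTTP Server banners of devices on the network, and anything still announcing an abandoned server is flagged. The sample responses and the 192.0.2.x hosts are constructed (RFC 5737 documentation addresses); the only real register entry is Boa's final release, 0.94.14rc21 from 2005, and the remediation text is an assumption for illustration.

```python
import re
import socket
from typing import Dict, List, Optional

# Constructed risk register of end-of-life embedded components. The Boa entry
# reflects the project's documented final release (0.94.14rc21, 2005); the
# "remediation" text is an assumption for illustration, not vendor guidance.
EOL_REGISTER: Dict[str, Dict[str, object]] = {
    "boa": {
        "last_release": "0.94.14rc21",
        "retired": 2005,
        "remediation": "replace device firmware or retire the device",
    },
}

# Matches the HTTP Server header, e.g. "Server: Boa/0.94.14rc21".
SERVER_HEADER = re.compile(
    r"^Server:[ \t]*(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>[\w.+-]+))?",
    re.IGNORECASE | re.MULTILINE,
)


def parse_banner(raw_response: str) -> Optional[Dict[str, str]]:
    """Return {"product", "version"} from a raw HTTP response, or None without a Server header."""
    match = SERVER_HEADER.search(raw_response)
    if match is None:
        return None
    return {
        "product": match.group("product").lower(),
        "version": match.group("version") or "",
    }


def assess(host: str, raw_response: str) -> Dict[str, str]:
    """Classify one host as eol / ok / unknown against the register."""
    banner = parse_banner(raw_response)
    if banner is None:
        return {"host": host, "status": "unknown", "reason": "no Server header"}
    entry = EOL_REGISTER.get(banner["product"])
    if entry is None:
        return {"host": host, "status": "ok",
                "reason": f"{banner['product']} not in EOL register"}
    return {
        "host": host,
        "status": "eol",
        "product": banner["product"],
        "version": banner["version"],
        "reason": f"{banner['product']} retired in {entry['retired']}; "
                  f"{entry['remediation']}",
    }


def audit(responses: Dict[str, str]) -> List[Dict[str, str]]:
    """Run assess() over a host -> raw response mapping, preserving order."""
    return [assess(host, raw) for host, raw in responses.items()]


def grab_banner(host: str, port: int = 80, timeout: float = 3.0) -> str:
    """Fetch the raw response head from a live device (needs network; not used by the offline sample)."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("latin-1", errors="replace")


# Constructed sample responses on documentation addresses, not real scan data.
SAMPLE_RESPONSES: Dict[str, str] = {
    "192.0.2.10": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "Server: Boa/0.94.14rc21\r\n"
        'WWW-Authenticate: Basic realm="Router"\r\n\r\n'
    ),
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "192.0.2.12": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(f"{finding['host']}: {finding['status']} ({finding['reason']})")
```

A banner check is only a first pass: devices that strip or rewrite the Server header come back as "unknown" rather than clean, so those hosts still need firmware inventory or SBOM data before they can be closed out in the register.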
Elhini concludes: “Does that mean there are no risks associated with OSS? No, there are always risks with all technologies. Asking Microsoft about OSS is like asking the opposing candidate who to vote for.”
Image Source: Shutterstock