Hackers target decades-old web server: millions of devices vulnerable, Microsoft warns

Microsoft is warning that a web server that's been discontinued for years but that's still widely used is being targeted by hackers.

Following a report of a suspected electrical grid intrusion in India from security firm Recorded Future back in April, researchers from Microsoft's Security Threat Intelligence unit carried out a further analysis.

While also examining attempted breaches of a national emergency response system and a global logistics company's Indian subsidiary, they discovered a common feature: the use of the Boa web server on the IP addresses listed as indicators of compromise (IOC).

The hackers, says Microsoft, are gaining access to secure networks and devices through common IoT devices such as routers or cameras that have unpatched vulnerabilities.

And the reason they can do this is that Boa, an open-source web server designed for embedded applications, is still present in many of these devices, despite having been discontinued back in 2005.

This, say the researchers, represents “a supply chain risk that may affect millions of organizations and devices.” Indeed, over the course of a week, they found more than a million internet-exposed Boa server components around the world – mainly in India but also in large numbers in the US and Brazil.

In the case of the Indian energy hack, data obtained included sensitive employee information, financial records, client records, engineering drawings, and private keys. Recorded Future attributed it to a Chinese threat group called RedEcho.

Still in use with no management in sight

What's particularly worrying is that the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices, is still being implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs), despite the fact that it's no longer being managed by developers and has been largely unpatched for the last 17 years.

"Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities," the Microsoft team warns.

Even when the firmware of IoT devices is updated, this doesn't always patch SDKs or specific system-on-chip (SoC) components, and there's “limited visibility,” says Microsoft, into which components a device contains and whether they can be updated.

Meanwhile, there are plenty of known CVEs affecting such components, allowing an attacker to collect information about network assets before initiating attacks.

And as Microsoft points out, "In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have a much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people."

The news highlights the fact that open-source software can often end up in limbo and un-updated, making it highly vulnerable.

According to a recent report from Sonatype, the increase in the use of open-source software has been mirrored by a rise in supply chain attacks, up 742 percent over the last three years. More than 1.2 billion vulnerable dependencies are downloaded each month, says the firm.

And while 68 percent of respondents were confident their applications weren't using vulnerable libraries, a random scan of enterprise applications showed that the same proportion actually had known vulnerabilities in their open-source software components.

Microsoft is advising organizations to patch vulnerable devices whenever possible and utilize device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments. They should also extend vulnerability and risk detection beyond the firewall.
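As an added illustration of the device discovery and classification step described above (example code written for this page, not Microsoft's, Recorded Future's or the Boa project's tooling), the following Python classifies hosts on an organization's own network segment by the web server named in their HTTP `Server` header and flags any Boa instance as end-of-life. It assumes raw HTTP responses have already been collected from the devices; the IP addresses, responses and Boa version strings in `SAMPLE_RESPONSES` are constructed sample data.

```python
"""Classify internal devices by exposed web server and flag the discontinued
Boa server so the asset inventory can queue those hosts for patching,
replacement, or isolation behind a firewall.

Added example for this article; not code from Microsoft, Recorded Future,
or the Boa project.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: raw HTTP responses as an internal inventory scan might
# record them. Addresses and banners are placeholders, not real devices.
SAMPLE_RESPONSES: Dict[str, str] = {
    "10.0.20.11": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
                  "Content-Type: text/html\r\n\r\n<html>...</html>",
    "10.0.20.12": "HTTP/1.1 401 Unauthorized\r\nserver: Boa/0.93.15\r\n"
                  "WWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
    "10.0.20.13": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n",
    "10.0.20.14": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# The article states Boa was discontinued in 2005, so every Boa build is
# treated as end-of-life regardless of the version string.
BOA_DISCONTINUED_YEAR = 2005

# Header match is case-insensitive because some firmware emits "server:".
SERVER_HEADER_RE = re.compile(r"^server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
# "Boa" or "Boa/<version>"; the version group is optional.
BOA_BANNER_RE = re.compile(r"^Boa(?:/([\w.\-]+))?$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    server: Optional[str]   # raw Server header value, None if absent
    component: str          # "boa", "other", or "unknown"
    version: Optional[str]
    end_of_life: bool


def parse_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    m = SERVER_HEADER_RE.search(head)
    return m.group(1) if m else None


def classify(host: str, raw_response: str) -> Finding:
    """Classify one host from its HTTP response banner."""
    server = parse_server_header(raw_response)
    if server is None:
        # A missing banner is not a clean bill: SDK builds may strip or
        # rewrite it, so these hosts need firmware/SDK inspection instead.
        return Finding(host, None, "unknown", None, False)
    m = BOA_BANNER_RE.match(server)
    if m:
        return Finding(host, server, "boa", m.group(1), True)
    return Finding(host, server, "other", None, False)


def classify_inventory(responses: Dict[str, str]) -> List[Finding]:
    """Classify every host, in address order, for the inventory report."""
    return [classify(h, r) for h, r in sorted(responses.items())]


def boa_hosts(responses: Dict[str, str]) -> List[str]:
    """Hosts whose banner identifies Boa: the patch/isolation queue."""
    return [f.host for f in classify_inventory(responses) if f.component == "boa"]


if __name__ == "__main__":
    for f in classify_inventory(SAMPLE_RESPONSES):
        print(f"{f.host:12} {f.component:8} {f.version or '-':14} eol={f.end_of_life}")
```

Hosts that return no `Server` header land in the `unknown` bucket on purpose: as the article notes, visibility into embedded components is limited, so a silent banner should trigger firmware or SDK inspection rather than be counted as clean.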

The attack surface can be reduced by eliminating unnecessary internet connections to IoT devices in the network, while network segmentation can prevent an attacker from moving laterally and compromising assets after the intrusion. IoT and critical device networks should be isolated with firewalls.

Finally, says Microsoft, organizations should use proactive antivirus scanning to identify malicious payloads on devices and configure detection rules to identify malicious activity whenever possible.