Vulnerable SDK components lead to supply chain risks in IoT and OT environments | Microsoft Security Blog

Microsoft researchers warn that vulnerable Boa web servers embedded in IoT SDKs create supply-chain risk across critical infrastructure by enabling attackers to silently access networks and gather information. The post highlights Boa prevalence, CVEs in RealTek SDKs, Mirai activity, and defensive steps such as patching, asset discovery, and IoT/OT monitoring.
#BoaWebServer #RealtekSDK #CVE-2022-27255 #CVE-2021-35395 #Mirai #IoT #OT

Keypoints

  • The Boa web server, though discontinued since 2005, remains widely deployed across IoT devices and SDKs, including RealTek SDKs used in SoCs for gateways, routers, and cameras.
  • Over 1 million internet-exposed Boa server components were identified globally, revealing widespread exposure and supply-chain risk.
  • Some IP addresses exhibiting Boa-related activity showed suspicious HTTP response headers, suggesting active malicious use or probing.
  • Attackers leveraged Boa vulnerabilities to download malware (Mirai variants) and conducted brute-force attempts with default credentials on exposed devices.
  • The activity indicates Boa remains a target for intrusion, with attackers continuing to exploit it beyond initial reports.
  • Microsoft recommends patching, device discovery/classification, extended vulnerability detection beyond the firewall, reducing attack surface via segmentation, proactive antivirus, and predefined detection rules (e.g., Snort) to detect CVE-2022-27255.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Boa vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. “its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files.”
  • [T1110] Brute Force – attempts to connect with default credentials through brute force methods. “attempts to connect with default credentials through brute force methods”
  • [T1046] Network Service Discovery – collect information about network assets before initiating attacks. “collect information about network assets before initiating attacks”
  • [T1105] Ingress Tool Transfer – download a variant of the Mirai malware family shortly following the report’s release. “download a variant of the Mirai malware family shortly following the report’s release”
  • [T1059] Command and Scripting Interpreter – attempts to run shell commands. “attempts to run shell commands”
  • [T1078] Valid Accounts – gaining access to a network undetected by obtaining valid credentials. “gaining access to a network undetected by obtaining valid credentials”

Indicators of Compromise

  • [IP Address] context – 122.117.212.65, 103.58.93.133, and 7 more addresses

Read more: https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/