Microsoft Corp. is warning that a long-discontinued web server is being targeted by hackers to gain access to industrial control systems, primarily in India.

As detailed Tuesday by the Microsoft Security Threat Intelligence unit, the attacks, first reported by Recorded Future in April, targeted web servers running Boa. If Boa web server doesn’t sound familiar, you’re not alone. It was discontinued in 2005, but it is still being used in “internet of things” devices, and unfortunately hackers know this.

According to the researchers, Boa web server continues to be implemented by different vendors across various IoT devices and software development kits. With zero development, limited patching in 17 years and full of known vulnerabilities, hackers are targeting devices with Boa installed to gain access to networks and steal information. Added to the mix is that many of those affected may be unaware that their devices run services using Boa web server.

The link between the April attacks on Indian companies and the targeting of insecure Boa installations was traced by the researchers using IP addresses. The data pointed to a combination of Boa and suspicious response headers, but where some were found is where the story takes a dark twist. More than 10% of active IP addresses related to critical industries, including the petroleum industry and associated fleet services.

The distribution of exposed Boa web servers is not limited to India, though it topped the list. The researchers identified more than 1 million internet-exposed Boa server components in the space of a week.

The surprising aspect remains that IoT device vendors are still using Boa today in new devices. One reason is that Boa is included in SDKs, which contain essential functions that operate system on chip implemented in microchips. Popular SDKs such as those released by Realtek Semiconductor Corp. include Boa and, although patches are available to address RealTek SDK vulnerabilities, other vendors either do not provide firmware updates or have not addressed Boa vulnerabilities.

Microsoft’s researchers recommend that along with patching vulnerable devices wherever possible, network operators should utilize discovery and classification to identify devices with vulnerable components. Vulnerability and risk detection should be extended beyond the firewall, the attack surface reduced and proactive antivirus scanning put in place.

“The downside of OpenSource software is that when it becomes a legacy product, it is rarely updated,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “If exploits are available, those systems are highly vulnerable.”

McQuiggan noted that SCADA systems in critical infrastructure environments are particularly susceptible because of the limited updates and downtime possible for them and can become a high-value target for cybercriminals.

“While other organizations may have updated and replaced their systems utilizing the seventeen-year-old open-source application, seeing them in SCADA environments and other critical infrastructure could still be a solid possibility,” he explained. “Organizations should audit their systems and software annually to ensure they are up to date and have low to no vulnerabilities.”

Photo: U.S. Fish and Wildlife Service/Flickr; image: Microsoft