Microsoft may have retired the Boa web server in 2005, but that hasn’t stopped its widespread use. Now the company says that a vulnerability in the server’s open source component has been exploited by bad actors targeting the energy industry, underscoring the continued vulnerability of the supply chain.
“Age-old vulnerabilities such as this provide a jumping-off point for attackers looking to move laterally to more sensitive areas by abusing the identity attack surface,” said Sharon Nachshony, security researcher at Silverfort. “With access to critical areas inside OT environments, their activities can quickly become significantly more impactful.”
“There is a long-standing supply chain risk to IoT and OT environments from legacy technology,” Nachshony said, which is why it’s critical to stay current with updates and fixes. “While hard to manage, given the abundance of such technology in critical industries, a rigorous patching regime is essential.”