New iLOBleed rootkit targeting HP enterprise servers with data erasure attacks


A previously unknown rootkit has been found targeting Integrated Lights-Out (iLO) server management technology from Hewlett-Packard Enterprise to conduct nature-based attacks that corrupt firmware modules and completely erase data from devices. infected systems.

The discovery, which is the first real-world instance of malware in iLO firmware, was documented by Iranian cybersecurity company Amnpardaz this week.

“There are many aspects of iLO that make it an ideal utopia for malware and APT groups: extremely high privileges (above any level of access in the operating system), very high access. low level to hardware, totally out of sight of administrators and security tools, the general lack of knowledge and tools to inspect and / or protect iLO, the persistence it offers so that the malware remains even after a operating system change, and in particular always being running and never shutting down, “the researchers said.

GitHub automatic backups

Besides server management, the fact that iLO modules have broad access to all firmware, hardware, software, and operating systems (OS) installed on the servers make them an ideal candidate for entering organizations using HP servers. , while still allowing malware to maintain persistence after reboots and survive operating system reinstalls. However, the exact modus operandi used to infiltrate the network infrastructure and deploy the wiper is still unknown.

HP rootkit data wipe attacks

Double iLOBleed, the rootkit has been used in attacks since 2020 for the purpose of manipulating a number of stock firmware modules in order to stealthily obstruct firmware updates. Specifically, the changes to the firmware routine simulate the process of upgrading the firmware – supposedly showing the correct firmware version and adding the relevant logs – when in reality no update is performed.

“This alone shows that the purpose of this malware is to be a rootkit with maximum stealth and to hide from all security inspections,” the researchers said. “Malware which, by hiding in one of the most powerful processing resources (which is always active), is able to execute all commands received from an attacker, without ever being detected.”

HP rootkit data wipe attacks

While the adversary remains unidentified, Amnpardaz described the rootkit as likely being the work of an Advanced Persistent Threat (APT), a designation of a nation-state or state-sponsored group that uses Continuous, clandestine and sophisticated hacking techniques to gain unauthorized access to a system and remain inside for an extended period of time without attracting attention.

Prevent data breaches

Rather, development once again puts firmware security at the forefront, requiring that manufacturer-supplied firmware updates be quickly applied to mitigate potential risks, iLO networks are segmented from operating networks and that the firmware be periodically monitored for any signs of infection. .

“Another important point is that there are methods to access and infect iLO both over the network and through the host operating system,” the researchers noted. “This means that even if the iLO network cable is completely disconnected, there is still a possibility of malware infection. Interestingly, there is no way to turn off or completely disable iLO in case it is not needed. “