The iLOBleed Rootkit
Hewlett-Packard Enterprise’s Integrated Lights-Out (iLO) server management technology has been targeted with a previously unknown rootkit that aims at deleting data from infected machines and messing with firmware modules.
This is the first instance of real-world malware in iLO software, and was reported by the Iranian cybersecurity firm Amnpardaz.
According to the researchers, iLO has a number of characteristics that make it an ideal target for malware and hacking groups, including its extremely high privileges, complete concealment from administrators and security tools, low-level hardware access, its ability to run constantly and never shut down, and a few other key features that could be exploited.
For instance, iLO modules not only have access to all the firmware, software, hardware, and operating system (OS) installed on the servers, but can also manage them. This makes these modules an excellent foothold for breaking into HP servers, and allows malware to survive reboots and OS reinstallations.
More details in the report reveal that the rootkit, nicknamed iLOBleed, has been used in attacks since 2020, with the goal of discreetly blocking firmware updates by modifying a number of the original firmware modules. The modified firmware routines simulate the update process: they report the expected new firmware version and write the appropriate log entries even though no upgrade is actually performed. Regrettably, the exact mechanism used to gain access to the network and deploy the data-wiping malware is still unknown.
Based on its sophisticated and stealthy methods of operation, the researchers conclude that the purpose of this malware is to be a rootkit that runs under maximum cover, is always on and can execute any commands received from an attacker without being noticed.
According to the information that is available, the rootkit is believed to have been created by a nation-state or state-sponsored hacking group that uses advanced hacking techniques to obtain unauthorized access to a system and keep it for an extended period of time without being detected.
Another important element to note about iLOBleed is that the malware can reach and infect iLO through both the network and the host operating system, which means it can infect the server even if the iLO network cable is completely removed. What is even more disturbing is that there is no way to completely disable or turn off iLO if it is no longer needed.
If anything, this discovery pulls firmware security into sharp focus, emphasizing the importance of applying manufacturer-supplied firmware updates as soon as possible to reduce any dangers. It also emphasizes the importance of isolating iLO networks from operating networks and regularly monitoring firmware for symptoms of infection.