Iranian researchers at Amnpardaz security firm have discovered rootkits in HPs iLO (Integrated Lights-Out) management modules. These optional chips are added to servers for remote management and grant full high-level access to the system. This includes the ability to turn the server on and off, configure hardware and firmware settings, and additional administrator functions. The rootkit name, iLOBleed, is based on the malware module Implant.ARM.iLOBleed.a discovered in the iLO firmware. This is the first known discovery of an iLO rootkit.
The attackers discreetly prevented firmware updates by simulating a fake upgrade process on the web UI. While it would show the latest firmware version number, the attackers failed to use the latest UI image.
The attacker’s intentions were to remain hidden as they took additional measures to hide their presence. In addition to the fake UI page, they also produced output logs with false information. Upon the researchers discovering the malware, the attackers triggered a wipe of the servers. A move the researchers considered a poor decision as it made it easier to detect the malware. Regardless, they considered the amount of effort put into this rootkit as highly technical and at an innovation level on par with Advanced Persistence Threat (APT) groups, which are often tied to government security agencies. The researchers believe the main intention of the malware was to wipe server drives and hide its presence.
The reach of this malware against worldwide deployments of HP servers with iLO installed is unknown. The report’s details leave us to believe that an APT group was targeting specific victims and wouldn’t necessarily want their special malware used by others. Even so, it’s best to be proactive and secure your servers, with advice from Amnpardaz found on their report or at the end of this article. The firm is also working on a tool that can verify the integrity of the iLO firmware, so keep an eye out for that!
What iLO Versions and Servers are at Risk?
iLO4 and earlier versions used on HP ProLiant Server Generation 9 (G9) series or older servers. These are at risk of modification or infection due to not including a Secure-Boot mechanism with an embedded Trusted Root Key.
Except for…..the latest iLO version can be downgraded and therefore are vulnerable too.
And…..if the server is the latest G10 series, it must have non-default setting, otherwise it is possible to downgrade the firmware. The firmware downgrade prevention mechanism is not available for servers prior to G10.
What are the Possible iLO Vectors of Infection?
While not confirmed how the rootkits arrived, the researchers believe it can be done through two options. This would be through a network port or a connection to the server’s host operating system, as long as the attacker has access to a user with administrative or root privileges. The iLO module cannot be turned off or disabled.
Protection Considerations (provided by Amnpardaz)
- Do not connect the iLO network interface to the operating network and improvise a completely separate network
- Periodically update the iLO firmware version to the latest official release from HP
- Perform iLO security settings on HP servers, and disable downgrade for G10 servers
- Use defense-in-depth strategies to reduce risk and detect intrusions before reaching the iLO
- Periodically use the iLO Scanner tool* to detect potential vulnerabilities, malware, and backdoors in the current version of the iLO Server firmware
*Amnpardaz intends to release a scanner tool to the public but has not done so yet (as of 12/31/2021).
Matt says
Hi… can you provide a link to the “ILO Scanner” tool they talk about in the Recommendations part of the article? We have tons of HP servers out there and would like to do this.
Thanks much.
-m
Josh Stuifbergen says
Hi Matt,
To my knowledge, the iLO Scanner Tool has not yet been released by the security firm. In their report, they say, “… we’ve developed some tools to dump iLO firmware and check for infections. We intend to make these available to the general public in the near future.” That report was published 12/28/2021, so hopefully we will see the tool soon.