Secplicity - Security Simplified

Powered by WatchGuard Technologies

HP iLO and the Newly Discovered iLOBleed Rootkit

December 29, 2021 By Josh Stuifbergen

Iranian researchers at the security firm Amnpardaz have discovered rootkits in HP's iLO (Integrated Lights-Out) management modules. These optional modules are added to servers for remote management and grant full, high-level access to the system, including the ability to power the server on and off, configure hardware and firmware settings, and perform additional administrator functions. The rootkit's name, iLOBleed, comes from the malware module Implant.ARM.iLOBleed.a found in the iLO firmware. This is the first known discovery of an iLO rootkit.

The attackers discreetly prevented firmware updates by simulating a fake upgrade process in the web UI. While the UI would show the latest firmware version number, the attackers failed to use the latest UI image.

Comparison of the disguised iLO web UI provided by Amnpardaz.

The attackers intended to remain hidden and took additional measures to conceal their presence. In addition to the fake UI page, they also produced output logs containing false information. Once the researchers discovered the malware, the attackers triggered a wipe of the servers, a move the researchers considered a poor decision because it made the malware easier to detect. Regardless, they considered the effort put into this rootkit highly technical and at an innovation level on par with Advanced Persistent Threat (APT) groups, which are often tied to government security agencies. The researchers believe the main intention of the malware was to wipe server drives while hiding its presence.

Several modules modified by the malware provided by Amnpardaz.

The reach of this malware across worldwide deployments of HP servers with iLO installed is unknown. The report's details lead us to believe that an APT group was targeting specific victims and would not necessarily want its custom malware used by others. Even so, it is best to be proactive and secure your servers, following the advice from Amnpardaz found in their report or at the end of this article. The firm is also working on a tool that can verify the integrity of the iLO firmware, so keep an eye out for that!

What iLO Versions and Servers are at Risk?

iLO4 and earlier versions, used on HP ProLiant Server Generation 9 (G9) series or older servers, are at risk of modification or infection because they do not include a Secure Boot mechanism with an embedded Trusted Root Key.

Except… even the latest iLO version can be downgraded and is therefore vulnerable too.

And… if the server is in the latest G10 series, it must have a non-default setting enabled; otherwise it is still possible to downgrade the firmware. The firmware downgrade prevention mechanism is not available on servers prior to G10.

What are the Possible iLO Vectors of Infection?

While it has not been confirmed how the rootkits arrived, the researchers believe there are two possible routes: through the iLO network port, or through a connection from the server's host operating system, as long as the attacker has access to a user with administrative or root privileges. The iLO module cannot be turned off or disabled.

Protection Considerations (provided by Amnpardaz)

  • Do not connect the iLO network interface to the operational network; set up a completely separate network for it
  • Periodically update the iLO firmware version to the latest official release from HP
  • Apply the iLO security settings on HP servers, and disable firmware downgrade on G10 servers
  • Use defense-in-depth strategies to reduce risk and detect intrusions before reaching the iLO
  • Periodically use the iLO Scanner tool* to detect potential vulnerabilities, malware, and backdoors in the current version of the iLO server firmware

*Amnpardaz intends to release a scanner tool to the public but has not done so yet (as of 12/31/2021).
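The risk rules above (iLO4/G9 or older lacks secure boot; G10 is only protected once firmware downgrade is disabled; the iLO interface belongs on a separate network) are easy to apply across a fleet if you already collect each server's Redfish Manager and System resources. The script below is an added example written for this article, not code from Secplicity or from Amnpardaz. It assumes the standard Redfish `FirmwareVersion` field of the Manager resource (`/redfish/v1/Managers/1`) reads like `iLO 4 v2.78` on HPE hardware, that the Redfish System `Model` field reads like `ProLiant DL380 Gen10`, and that the operator has recorded the downgrade setting in a placeholder field named `downgrade_policy` (that name is an assumption, not an iLO API property). The inventory records are constructed sample data. One caveat the article itself raises: iLOBleed faked the firmware version shown in the web UI, so a "latest" version reported by an iLO you do not yet trust is a triage input, not proof of clean firmware.

```python
"""Fleet triage for the iLOBleed risk rules described in the article.

Added example (not from the article, Secplicity or Amnpardaz). Assumptions:
  - server["manager"]["FirmwareVersion"] is the Redfish Manager field, e.g. "iLO 4 v2.78"
  - server["system"]["Model"] is the Redfish System field, e.g. "ProLiant DL380 Gen10"
  - server["downgrade_policy"] is a placeholder the operator fills in from the iLO
    security settings ("disabled" or "allowed"); it is NOT an iLO API property.
"""
import ipaddress
import re
from dataclasses import dataclass, field

ILO_VERSION_RE = re.compile(r"iLO\s*(\d+)\s+v?([\d.]+)", re.IGNORECASE)
GEN_RE = re.compile(r"Gen\s*(\d+)", re.IGNORECASE)
# Per the article, G10 / iLO 5 is the first generation with secure boot
# (embedded trusted root key) and a firmware downgrade-prevention setting.
FIRST_SECURE_BOOT_GEN = 10


@dataclass
class Finding:
    host: str
    risk: str                          # "high", "medium" or "low"
    reasons: list = field(default_factory=list)


def parse_ilo_major(firmware_version):
    """iLO major version from the Redfish FirmwareVersion string: 'iLO 4 v2.78' -> 4."""
    m = ILO_VERSION_RE.search(firmware_version or "")
    return int(m.group(1)) if m else None


def parse_generation(model):
    """ProLiant generation from the Redfish Model string: 'ProLiant DL380 Gen9' -> 9."""
    m = GEN_RE.search(model or "")
    return int(m.group(1)) if m else None


def assess(server, mgmt_net):
    """Apply the article's three risk rules to one inventory record."""
    f = Finding(host=server["host"], risk="low")
    ilo = parse_ilo_major(server["manager"].get("FirmwareVersion"))
    gen = parse_generation(server["system"].get("Model"))

    # NOTE: both values are self-reported by the iLO. A compromised iLO can lie
    # about its version (iLOBleed did exactly that in the web UI), so "low" here
    # means "no known structural weakness", not "verified clean".
    if ilo is None or gen is None:
        f.risk = "high"
        f.reasons.append("could not determine iLO version or server generation; treat as unverified")
    elif gen < FIRST_SECURE_BOOT_GEN or ilo <= 4:
        f.risk = "high"
        f.reasons.append(f"iLO {ilo} on Gen{gen}: no secure boot with embedded trusted root key, "
                         "firmware can be modified")
    elif server.get("downgrade_policy") != "disabled":
        f.risk = "medium"
        f.reasons.append(f"Gen{gen}: firmware downgrade not disabled, so an older vulnerable iLO "
                         "image can still be flashed")

    # Recommendation 1: the iLO interface must live on a dedicated management network.
    ilo_ip = ipaddress.ip_address(server["ilo_ip"])
    if ilo_ip not in mgmt_net:
        f.reasons.append(f"iLO interface {ilo_ip} is outside the management network {mgmt_net}")
        if f.risk == "low":
            f.risk = "medium"
    return f


# Constructed sample inventory (not real hosts or addresses).
SAMPLE_INVENTORY = [
    {"host": "db-01", "ilo_ip": "10.0.5.21",
     "manager": {"FirmwareVersion": "iLO 4 v2.78"},
     "system": {"Model": "ProLiant DL380 Gen9"},
     "downgrade_policy": "allowed"},
    {"host": "app-01", "ilo_ip": "172.16.99.10",
     "manager": {"FirmwareVersion": "iLO 5 v2.55"},
     "system": {"Model": "ProLiant DL360 Gen10"},
     "downgrade_policy": "allowed"},
    {"host": "app-02", "ilo_ip": "172.16.99.11",
     "manager": {"FirmwareVersion": "iLO 5 v2.55"},
     "system": {"Model": "ProLiant DL360 Gen10"},
     "downgrade_policy": "disabled"},
]
MGMT_NET = ipaddress.ip_network("172.16.99.0/24")   # assumed dedicated iLO network


def triage(inventory=SAMPLE_INVENTORY, mgmt_net=MGMT_NET):
    """Return {host: Finding} for the whole inventory."""
    return {f.host: f for f in (assess(s, mgmt_net) for s in inventory)}


if __name__ == "__main__":
    for host, finding in triage().items():
        print(f"{host}: {finding.risk}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Running it on the sample inventory reports db-01 as high risk (Gen9/iLO4 and an iLO address on the production subnet), app-01 as medium (Gen10 with downgrade still allowed), and app-02 as low. Swap the sample list for records pulled from your own Redfish collection, and treat the high-risk group as the candidates for a firmware dump and offline integrity check once the Amnpardaz scanner is available.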

Filed Under: Editorial Articles Tagged With: HP, HP iLO, iLO, iLOBleed, rootkit

Comments

  1. Matt says

    December 30, 2021 at 11:21 am

    Hi… can you provide a link to the “ILO Scanner” tool they talk about in the Recommendations part of the article? We have tons of HP servers out there and would like to do this.

    Thanks much.

    -m

    • Josh Stuifbergen says

      December 31, 2021 at 9:49 am

      Hi Matt,

      To my knowledge, the iLO Scanner Tool has not yet been released by the security firm. In their report, they say, “… we’ve developed some tools to dump iLO firmware and check for infections. We intend to make these available to the general public in the near future.” That report was published 12/28/2021, so hopefully we will see the tool soon.

