An unknown rootkit has been targeting Hewlett Packard Enterprise's Integrated Lights-Out (iLO) server management technology. The attackers have used iLO to tamper with firmware modules and wipe data from the infected systems.
Amnpardaz, an Iranian cybersecurity firm, uncovered the rootkit, the first of its kind found in iLO firmware.
“There are numerous aspects of iLO that make it an ideal utopia for malware and APT groups: extremely high privileges (above any level of access in the operating system), very low-level access to the hardware, being totally out of the sight of admins and security tools, the general lack of knowledge and tools for inspecting iLO and/or protecting it, the persistence it provides for the malware to remain even after changing the operating system, and in particular being always running and never shutting down,” the researchers said.
The iLO modules are a crucial part of the system and have access to all the firmware, hardware, software, and operating system (OS) installed on the servers, which makes them a suitable target. Further, the malware can survive reboots and OS reinstallations, giving it persistence. Researchers have not yet figured out the exact method used to plant the wiper.
The rootkit, dubbed iLOBleed, has been in use since 2020. It alters many of the original firmware modules so that firmware updates can be stealthily blocked: the modified update routine mimics the progress of a firmware update, displaying the correct firmware version and writing the relevant logs, while in reality no update takes place.
“This alone shows that the purpose of this malware is to be a rootkit with maximum stealth and to hide from all security inspections,” the researchers said. “A malware that, by hiding in one of the most powerful processing resources (which is always on), is able to execute any commands received from an attacker, without ever being detected.”
The attackers remain unknown, although Amnpardaz states that the rootkit was deployed by an advanced persistent threat (APT). The term APT refers to a nation-backed group that employs persistent, covert, and advanced hacking techniques to compromise systems.
“Another important point is that there are methods to access and infect iLO both through the network and through the host operating system,” the researchers noted. “This means that even if the iLO network cable is completely disconnected, there is still the possibility of infection with the malware. Interestingly, there is no way to turn off or disable iLO completely in case it is not needed.”