
Iranian researchers at the security firm Amnpardaz have discovered a rootkit in HP's iLO (Integrated Lights-Out) management modules. These optional chips are added to servers for remote management and grant full, high-level access to the system: the ability to power the server on and off, configure hardware and firmware settings, and perform other administrator functions. The rootkit's name, iLOBleed, comes from the malware module found in the iLO firmware. This is the first known discovery of an iLO rootkit.

The attackers discreetly prevented firmware updates by simulating a fake upgrade process in the web UI. While it displayed the latest firmware version number, the attackers failed to use the latest UI image, so the page no longer matched the version it claimed to be.

Comparison of the disguised iLO web UI, provided by Amnpardaz.

The attackers' intention was to remain hidden, and they took additional measures to conceal their presence. In addition to the fake UI page, they also produced output logs containing false information. Once the researchers discovered the malware, the attackers triggered a wipe of the servers, a move the researchers considered a poor decision, since it made the malware easier to detect. Regardless, they considered the amount of effort put into this rootkit to be highly technical and at an innovation level on par with Advanced Persistent Threat (APT) groups, which are often tied to government security agencies. The researchers believe the main intention of the malware was to wipe server drives and hide its presence.

Several modules modified by the malware, provided by Amnpardaz.

The reach of this malware across worldwide deployments of HP servers with iLO is unknown. The report's details lead us to believe that an APT group was targeting specific victims and would not necessarily want its custom malware used by others. Even so, it is best to be proactive and secure your servers, with advice from Amnpardaz found in their report or at the end of this article. The firm is also working on a tool that can verify the integrity of the iLO firmware, so keep an eye out for that!

What iLO Versions and Servers are at Risk?

iLO 4 and earlier versions, used on HP ProLiant Server Generation 9 (G9) series and older servers, are at risk of modification or infection because they do not include a Secure Boot mechanism with an embedded trusted root key. Even servers running the latest iLO version are affected, since the firmware can be downgraded and they are therefore vulnerable too. And if the server is the latest G10 series, it must have a non-default setting that blocks downgrades; otherwise it is still possible to downgrade the firmware. The firmware downgrade prevention mechanism is not available on servers prior to G10.

What are the Possible iLO Vectors of Infection?
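The two risk conditions above (iLO 4 or earlier with no Secure Boot root key, and iLO 5 on G10 with the default downgrade setting) can be turned into a quick fleet triage. The script below is an added example, not code from Amnpardaz, HPE or the iLOBleed report. It assumes, as an illustration, that an iLO's Redfish API exposes the firmware string at /redfish/v1/Managers/1/ in the FirmwareVersion field (e.g. "iLO 5 v2.33") and the downgrade setting at /redfish/v1/UpdateService/ under Oem.Hpe.DowngradePolicy, with the value "NoDowngrade" meaning downgrades are permanently disallowed; the sample responses are constructed, and the optional fetch helper is only for running it against real hosts.

```python
"""Triage HP iLO inventory against the iLOBleed risk rules described in the article.

Added example (not Amnpardaz's, HPE's or the report's code). Field names, endpoint
paths and the sample responses below are assumptions made for the illustration.
"""
import base64
import json
import re
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed Redfish locations (not from the article).
MANAGER_PATH = "/redfish/v1/Managers/1/"
UPDATE_SERVICE_PATH = "/redfish/v1/UpdateService/"
LOCKED_POLICY = "NoDowngrade"  # assumed value meaning downgrades permanently disallowed

_VERSION_RE = re.compile(r"iLO\s*(\d+)\s*v?([\d.]+)", re.IGNORECASE)


@dataclass
class IloAssessment:
    host: str
    ilo_generation: Optional[int]
    firmware: str
    downgrade_policy: Optional[str]
    at_risk: bool
    reason: str


def parse_ilo_version(firmware_version: str) -> Tuple[Optional[int], str]:
    """Split an assumed 'iLO <gen> v<ver>' string into (generation, version)."""
    m = _VERSION_RE.search(firmware_version)
    if not m:
        return None, firmware_version.strip()
    return int(m.group(1)), m.group(2)


def assess(host: str, manager: dict, update_service: dict) -> IloAssessment:
    """Apply the article's rules: iLO 4 and older are at risk outright; iLO 5 is
    at risk unless the non-default downgrade lock is set."""
    gen, fw = parse_ilo_version(manager.get("FirmwareVersion", ""))
    policy = update_service.get("Oem", {}).get("Hpe", {}).get("DowngradePolicy")
    if gen is None:
        return IloAssessment(host, None, fw, policy, True,
                             "unrecognised FirmwareVersion; treat as at risk until verified")
    if gen <= 4:
        return IloAssessment(host, gen, fw, policy, True,
                             "iLO 4 or earlier: no Secure Boot root key and no downgrade protection")
    if policy != LOCKED_POLICY:
        return IloAssessment(host, gen, fw, policy, True,
                             "iLO 5 with downgrades still permitted (default); firmware can be rolled back")
    return IloAssessment(host, gen, fw, policy, False,
                         "iLO 5 with downgrades permanently disallowed")


def triage(inventory: Dict[str, Tuple[dict, dict]]) -> List[IloAssessment]:
    """inventory maps host -> (manager JSON, update service JSON)."""
    return [assess(host, mgr, upd) for host, (mgr, upd) in inventory.items()]


def fetch_redfish(host: str, path: str, user: str, password: str,
                  verify_tls: bool = True, timeout: int = 15) -> dict:
    """Fetch one Redfish resource with HTTP Basic auth (only for live use; not
    called by the offline sample below). iLOs commonly use self-signed
    certificates, so verify_tls=False is offered, at the cost of MITM exposure."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{path}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses: one G9 box, one G10 at default, one G10 locked.
SAMPLE_INVENTORY: Dict[str, Tuple[dict, dict]] = {
    "ilo-g9-01": ({"FirmwareVersion": "iLO 4 v2.78"}, {}),
    "ilo-g10-02": ({"FirmwareVersion": "iLO 5 v2.33"},
                   {"Oem": {"Hpe": {"DowngradePolicy": "AllowDowngrade"}}}),
    "ilo-g10-03": ({"FirmwareVersion": "iLO 5 v2.33"},
                   {"Oem": {"Hpe": {"DowngradePolicy": "NoDowngrade"}}}),
}

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        flag = "AT RISK" if r.at_risk else "ok"
        print(f"{r.host:12} iLO {r.ilo_generation} v{r.firmware:8} {flag}: {r.reason}")
```

The version check alone is not enough: the article's point is that a server reporting the latest firmware number may still be running modified firmware, so treat this as a first pass for prioritising which hosts need the downgrade lock and a firmware integrity check, not as proof that a host is clean.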
