Rootkit in HPE server management module can wipe hard drives: Report

Administrators with HPE servers in their environments are being warned that a rootkit is circulating that takes advantage of a vulnerability in the Integrated Lights Out (iLO) management utility to wipe hard drives.

It can’t be removed by firmware upgrades and can be hidden for a long time, says a report by an Iranian-based application vendor called Amnpardaz Soft Co.

Dubbed iLOBleed, the malware has been used by hackers “for some time,” says the report. The rootkit adds a malicious module researchers call Implant.ARM.iLOBleed.a to the iLO firmware and modifies a number of original firmware modules. The rootkit silently prevents firmware updates while pretending to complete them. It also provides access to the server hardware, which can allow an attacker to completely wipe server disks.

iLO enables admins to remotely configure, monitor, and update many ProLiant servers seamlessly, from anywhere in the world. Upgraded licences add a graphical remote console, multi-user collaboration, video record/playback, remote management and more.

The researchers’ report notes iLO has full access to all the firmware, hardware, software, and operating systems installed on the server. As a result, they say iLO is an “ideal utopia for malware and APT groups” because of the high privileges an approved user can get, and “the general lack of knowledge and tools for inspecting iLO and/or protecting it.” In addition, iLO is always running.

Accessing and infecting iLO is not only possible through the iLO network port, but also through system administrator or root access to the main operating system, the report says. This means that if an intruder has access to a user ID with administrator/root privileges for the main operating system installed on the server, it can – without needing any further authentication – directly communicate with the iLO, and infect it if it is vulnerable.

The report says the biggest risk is to iLO4 and its earlier versions used on HP G9 and below servers. That’s because there is no Secure-Boot mechanism with an embedded Trusted Root Key in the hardware, so the firmware of these versions is more likely to be modified and infected by malware.

However, researchers add, even if iLO has been updated to the latest version that does not have any known vulnerabilities, it could still be downgraded to a lower version, which makes infecting fully-patched firmware possible. This can be prevented in G10 series servers if a non-default setting is enabled. On earlier servers, it is not possible to prevent the downgrade mechanism.

Totally disconnecting the iLO network cable or upgrading firmware to the latest version isn’t enough to prevent malware infection, the report adds.

On the bright side, there is a relatively simple way of detecting a compromise: When the malware silently blocks a legitimate iLO firmware upgrade process, it displays a fake “upgraded” version in the web UI. However, HPE has changed the UI of the iLO considerably, as seen below.

However, the threat actors behind this malware will likely catch on fast and change the graphic.

Unlike other “wiper” malware, says the report, this is not a one-time hit-and-run disposable attack. It is designed to stay under the radar for extended periods by preventing an iLO firmware upgrade; even the exact version number of the current firmware is extracted and displayed in appropriate places in the web console and other locations.

“This alone shows that the purpose of this malware is to be a rootkit with maximum stealth and to hide from all security inspections,” says the report. “A malware that, by hiding in one of the most powerful processing resources (which is always on), is able to execute any commands received from an attacker, without ever being detected.”

For defence the researchers recommend IT teams

  • not connect the iLO network interface to the operating network and improvise a completely separate network;
  • periodically update the iLO firmware version to the latest official release from HPE;
  • configure iLO security settings on HP/HPE servers, and disable downgrade for G10 servers;
  • use defense-in-depth strategies to reduce risk and detect intrusions before reaching the iLO;
  • and periodically use the iLO Scanner tool to detect potential vulnerabilities, malware, and backdoors in the current version of the iLO Server firmware.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.