A previously unknown rootkit has been discovered targeting Hewlett-Packard Enterprise’s Integrated Lights-Out (iLO) server management technology to conduct in-the-wild attacks that tamper with firmware modules and delete data from compromised computers. This week, Iranian cybersecurity firm Amnpardaz reported on the finding, the first instance of real-world malware in iLO software.
“There are numerous aspects of iLO that make it an ideal utopia for malware and APT groups: extremely high privileges (above any level of access in the operating system), very low-level access to the hardware, being totally out of the sight of the admins and security tools, the general lack of knowledge and tools for inspecting and/or protecting iLO, the persistence it provides for the malware to remain even after changing the operating system, and in particular being always running and never shutting down,” the researchers said.
Beyond server management, iLO modules have broad access to all of the firmware, hardware, software, and operating system (OS) installed on a server. That makes them an ideal foothold for compromising organizations that run HP servers, and it lets the malware persist across reboots and survive OS reinstallations. However, the method used to gain access to the network and distribute the wiper is still unknown.
The rootkit, dubbed iLOBleed, has been used in cyberattacks since 2020 to modify several original firmware modules to silently block firmware upgrades. The changes to the firmware procedure, in particular, imitate the firmware upgrade process by ostensibly showing the correct firmware version and adding necessary logs when no upgrades are executed.
According to the researchers, this alone demonstrates that the malware is designed as a rootkit with maximum stealth that avoids any security examination: malware that can execute any order received from an attacker without being discovered, by hiding in one of the most potent processor resources on the server, one that is constantly on.
Even though the adversary has not been identified, Amnpardaz believes the rootkit was created by an advanced persistent threat (APT), which is a term used to describe a nation-state or state-sponsored group that uses continuous, clandestine, and sophisticated hacking strategies to gain unauthorized access to a system and remain inside for an extended period without drawing attention.
The development, if anything, brings firmware security into sharp focus once again, necessitating that manufacturer-supplied firmware updates be applied promptly to mitigate potential risks, iLO networks be segmented from operating networks, and firmware be monitored for signs of infection regularly.