Threat actors target HPE iLO hardware with rootkit attack

Experts have uncovered a new rootkit malware package that targets a low-level remote management component in Hewlett Packard Enterprise servers.

Researchers with cybersecurity vendor Amnpardaz Soft say that the malware, dubbed Implant.Arm.ilobleed, specifically targets the firmware level of HPE technology known as iLO, or Integrated Lights Out.

The iLO system, which runs on its own hardware module and ARM processor, is a key management component that uses its custom hardware and operating system to function as a sort of always-on management connection that can be accessed over a web interface. The iLO system can be accessed even when the rest of the server is powered down, so long as it remains plugged in.

While this is useful for remotely managing data centers or troubleshooting problems at all hours, the Amnpardaz Soft team found that iLO also poses a potential security risk as it boasts nearly full access to the server and data with little oversight by other components.

This means that an intruder who gains access to the management console through, for example, administrator credentials would be able to overwrite the iLO firmware and effectively gain rootkit control at a level that could not be detected by security tools at the main OS level. This could allow them to operate undetected up to the point that the iLO firmware was flashed again. Even then, the researchers say, some iLO versions also allow the firmware to be retroactively downgraded.

In this case, Amnpardaz said that the attackers were able to access the victim's server through unknown means -- the data was wiped by the intruders to cover their tracks -- and then not only overwrite the iLO firmware, but actually prevent updates that would remove their Trojan.

HPE told SearchSecurity that the attacks appear to have exploited known vulnerabilities.

"This is an exploit of vulnerabilities that HPE disclosed and patched in 2018," a spokesperson said. "We recommend that all users implement the remedial steps we published at the time if they have not done so already."

Among the techniques employed by the malware package were fake install screens that would claim to be installing firmware updates in the foreground while actually preventing the install in the background. The hackers even went so far as update the version number on their poisoned firmware to match that of the legitimate iLO version.

In fact, the researchers said, possibly the only way for an admin to spot anything amiss would have been through a keen eye on the web management console itself, which used an old or incorrect interface in comparison to legitimate iLO firmware.

One thing that struck the Amnpardaz researchers as curious was why someone would go to such great extent to develop such a targeted and sophisticated attack, only to turn around and wipe data from the server on their way out of the network.

"This alone shows that the purpose of this malware is to be a rootkit with maximum stealth and to hide from all security inspections. A malware that, by hiding in one of the most powerful processing resources (which is always on), is able to execute any commands received from an attacker, without ever being detected," the team explained in its report.

"Naturally, the cost of performing such an attack puts it in the category of APTs. But using such powerful and costly malware for something like data destruction, a task that increases the likelihood of malware being detected, seems to be a blatant mistake on the part of these crooks."

The researchers issued a handful of recommendations for administrators, including isolating the iLO network connection from the rest of the network; maintaining regular firmware updates and iLO security scans; and disabling the ability to manually downgrade the firmware to older versions.

"These issues indicate the need for preventive security measures to improve the security of the firmware, such as updating to the latest version provided by the manufacturer, changing admin passwords and isolating the iLO network from the operating network, and finally periodically monitoring the firmware's status in terms of security parameters and potential infection," the team advised.