
HP Enterprise Servers Targeted by New iLOBleed Rootkit with Data Wiping Attacks

by CIO AXIS

Iranian cybersecurity firm Amnpardaz documented the discovery, which is the first instance of real-world malware in iLO firmware.

A previously unknown rootkit has been found targeting Hewlett Packard Enterprise's Integrated Lights-Out (iLO) server management technology, used in in-the-wild attacks that tamper with firmware modules and wipe data from compromised systems.


The researchers said, "There are numerous aspects of iLO that make it an ideal utopia for malware and APT groups: extremely high privileges (above any level of access in the operating system), very low-level access to the hardware, being totally out of the sight of the admins and security tools, the general lack of knowledge and tools for inspecting iLO and/or protecting it, the persistence it provides for the malware to remain even after changing the operating system, and in particular being always running and never shutting down."

Beyond its management role, iLO has broad access to the server's firmware, hardware, software and operating system. That makes it an attractive foothold in organisations that run HPE servers, and it lets malware persist across reboots and survive operating-system reinstallations. How the attackers first gained access to the network and deployed the wiper is still unknown.

The researchers said, "This alone shows that the purpose of this malware is to be a rootkit with maximum stealth and to hide from all security inspections."

“A malware that, by hiding in one of the most powerful processing resources (which is always on), is able to execute any commands received from an attacker, without ever being detected.”

Although the adversary has not been identified, Amnpardaz believes the rootkit was created by an Advanced Persistent Threat (APT) group, the term for a nation-state or state-sponsored group that uses sustained, clandestine and sophisticated techniques to gain unauthorised access to a system and remain inside for an extended period without drawing attention.

The discovery puts firmware security back in sharp focus. Manufacturer-supplied firmware updates should be applied promptly, iLO management interfaces should be segmented from production networks, and firmware should be checked regularly for signs of tampering.

The researchers noted, "Another important point is that there are methods to access and infect iLO both through the network and through the host operating system."

“This means that even if the iLO network cable is completely disconnected, there is still the possibility of infection with the malware. Interestingly, there is no way to turn off or disable iLO completely in case it is not needed.”
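The two network-side recommendations above, keeping iLO firmware at or above a known-good version and keeping iLO off the production network, can be turned into an automated hygiene check. The following is an added example written for this page, not code from the article or from Amnpardaz: it takes the JSON an iLO returns from its Redfish interface (the manager document with its `FirmwareVersion`, and the Ethernet interface collection with its addresses) and reports controllers that fall below a policy minimum or that have an address outside the dedicated management prefix. The sample responses are constructed, the "iLO 5 v2.55" version-string layout and the minimum versions are assumptions, and the management prefix is a placeholder.

```python
"""Baseline hygiene checks for HPE iLO controllers from Redfish data.

Added example, not part of the original article. The sample documents
below are constructed; the version-string layout and the policy values
are assumptions, not vendor-published facts.
"""
import ipaddress
import json
import re

# Policy: oldest firmware accepted per iLO generation. Placeholders; take
# the real minimum from the vendor's advisories.
MINIMUM_FIRMWARE = {4: (2, 80), 5: (2, 60)}

# Only this prefix may carry iLO traffic (the segmented management LAN).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.255.0.0/24")]

# Assumed layout of the FirmwareVersion string, e.g. "iLO 5 v2.55".
_VERSION_RE = re.compile(r"iLO\s+(\d+)\s+v(\d+)\.(\d+)")


def parse_ilo_version(text):
    """Return (generation, (major, minor)) from a string like 'iLO 5 v2.55'."""
    m = _VERSION_RE.search(text or "")
    if not m:
        raise ValueError(f"unrecognised iLO firmware string: {text!r}")
    return int(m.group(1)), (int(m.group(2)), int(m.group(3)))


def check_firmware(manager):
    """Findings for a manager document carrying a FirmwareVersion field."""
    findings = []
    gen, ver = parse_ilo_version(manager.get("FirmwareVersion"))
    minimum = MINIMUM_FIRMWARE.get(gen)
    if minimum is None:
        findings.append(f"iLO {gen}: no minimum version in policy")
    elif ver < minimum:
        findings.append(
            f"iLO {gen} firmware v{ver[0]}.{ver[1]} is below policy "
            f"minimum v{minimum[0]}.{minimum[1]}"
        )
    return findings


def check_segmentation(interfaces):
    """Findings for a list of Ethernet interface documents with IPv4Addresses."""
    findings = []
    for nic in interfaces:
        for addr in nic.get("IPv4Addresses", []):
            ip = ipaddress.ip_address(addr["Address"])
            if not any(ip in net for net in MANAGEMENT_NETWORKS):
                findings.append(
                    f"{nic.get('Id')}: {ip} is outside the management network"
                )
    return findings


def audit(manager, interfaces):
    """Run both checks; an empty list means the controller passes policy."""
    return check_firmware(manager) + check_segmentation(interfaces)


# Constructed sample responses: shape modelled on Redfish, values invented.
SAMPLE_MANAGER = json.loads('{"Id": "1", "FirmwareVersion": "iLO 5 v2.55"}')
SAMPLE_INTERFACES = json.loads(
    '[{"Id": "1", "IPv4Addresses": [{"Address": "10.255.0.17"}]},'
    ' {"Id": "2", "IPv4Addresses": [{"Address": "192.168.10.5"}]}]'
)

if __name__ == "__main__":
    for line in audit(SAMPLE_MANAGER, SAMPLE_INTERFACES):
        print("FINDING:", line)
```

Treat the output as a first pass only. The data comes from the controller itself, and a rootkit that, in the researchers' words, aims "to hide from all security inspections" can report whatever version it likes, so the firmware image should also be verified out of band with the vendor's tooling. The segmentation check covers only the network path; it says nothing about the host-operating-system path to iLO that the researchers point out.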
