A cybersecurity firm has spotted a first-of-its-kind rootkit that stays hidden inside the firmware of HP Integrated Lights-Out (iLO) devices. The rootkit has been used to erase servers of Iranian organizations.

iLOBleed fakes too much

A detailed report has been released that provides detailed information about the rootkit named iLOBleed. 
  • It targets HP iLO firmware that is usually added as an add-on board on servers or workstations.
  • Since 2020, multiple incidents have been investigated where an unknown attacker stayed hidden inside HP iLO to survive the OS reinstalls and persists inside the victim’s network.
  • To avoid detection, the attacker hid the rootkit as a module for the HP iLO firmware itself.
  • The rootkit could create a fake UI update process and display it as upgraded versions in the web UI of the HP iLO wherever system administrators attempted to update it.

Is just wiping data the aim?

The attackers leveraged iLOBleed to perform data wiping action more than once and performed data destruction at frequent intervals. 
  • It seems the attackers believed that even if the admin reinstalled the OS, the hard drive would be wiped again, thus, keeping the malware hidden.
  • Moreover, even if the rootkit allows full control over compromised hosts, the attackers seem to be only using it to wipe compromised systems as part of a data wiping operation.

Opinions on the initial deployment

For initial deployment, the attacker appears to have entered inside the targeted network and deployed iLOBleed as a backdoor by exploiting vulnerabilities or obtained access from a host using an HP iLO card.

Who is behind the attacks?

  • iLOBleed is a sophisticated rootkit believed to be created by a very advanced threat actor. However, the actor itself was not identified in the report nor in any online conversations.
  • The cost of carrying out such an attack suggests an APT group behind this rootkit. 
  • Additionally, using such advanced and costly malware only for data destruction is a mistake from their side, according to the report.

Ending notes

The discovery of iLOBleed is an achievement because very few security tools detect this malware. To protect iLO firmware, experts suggest regularly updating the firmware, not connecting the iLO network interface to the operating network, disabling downgrades for G10 servers, and using a standard defense mechanism.

Cyware Publisher

Publisher

Cyware