Report DIVD-2021–00039 - HPO-ILO

Report DIVD-2021–00039 - HPO-ILO

June 25, 2022 by Gerard Janssen

Case Lead: Victor Gevers
Researchers: Patrick Hulshof, Wouter Schoot.

On December 28, 2021, Researchers of the Iranian company Amnpardaz Soft found a rootkit that targets a remote-management component in Hewlett Packard Enterprise servers. AmnPardaz is the developer of Iranian antivirus software Padvish. The malware (Implant.Arm.ilobleed) targets the rootkits at the firmware level of the HPE technology called Integrated Lights Out (iLO). This iLO system runs on its own hardware and can be accessed over a web interface, even when the rest of the server is powered down. This is useful for users who remotely manage data centers, but also is a security risk. The extremely high privileges, low-level access to hardware, out of sight of admins and security tools, and the persistence even after changing the operating system, make it an ideal target for attackers. Since 2020 the rootkit – called iLOBleed – is used to manipulate the original firmware module. It prevented firmware updates by simulating a fake upgrade process on the web UI. (The attackers failed to use the latest UI image.)

On January 1st the DIVD found 8315 active IP addresses of vulnerable iLO-systems. They notified the system owners. A rescan on February 15, showed there were 281 vulnerable IP-addresses.

Timeline

Date Description
28-12-2021 AmnPardaz reported about the vulnerability.
31-12-2021 DIVD starts OSINT research.
01-01-2022 DIVD starts scanning the internet for open iLO instances.
02-01-2022 DIVD starts with identifying owners.
07-01-2022 DIVD sent out a first batch of notifications.
15-02-2022 DIVD does a rescan and sends out second batch of notifications