Report DIVD-2021-00039 - HPO-ILO
Written on 25 Jun 2022 by Gerard Janssen
Case lead:
Victor Gevers
Researchers:
Patrick Hulshof
,
Wouter Schoot
Case file: DIVD-2021-00039
On December 28, 2021, Researchers of the Iranian company Amnpardaz Soft found a rootkit that targets a remote-management component in Hewlett Packard Enterprise servers. AmnPardaz is the developer of Iranian antivirus software Padvish. The malware (Implant.Arm.ilobleed) targets the rootkits at the firmware level of the HPE technology called Integrated Lights Out (iLO). This iLO system runs on its own hardware and can be accessed over a web interface, even when the rest of the server is powered down. This is useful for users who remotely manage data centers, but also is a security risk. The extremely high privileges, low-level access to hardware, out of sight of admins and security tools, and the persistence even after changing the operating system, make it an ideal target for attackers. Since 2020 the rootkit – called iLOBleed – is used to manipulate the original firmware module. It prevented firmware updates by simulating a fake upgrade process on the web UI. (The attackers failed to use the latest UI image.)
On January 1st the DIVD found 8315 active IP addresses of vulnerable iLO-systems. They notified the system owners. A rescan on February 15, showed there were 281 vulnerable IP-addresses.
Timeline
| Date | Description |
|---|---|
| 28-12-2021 | AmnPardaz reported about the vulnerability. |
| 31-12-2021 | DIVD starts OSINT research. |
| 01-01-2022 | DIVD starts scanning the internet for open iLO instances. |
| 02-01-2022 | DIVD starts with identifying owners. |
| 07-01-2022 | DIVD sent out a first batch of notifications. |
| 15-02-2022 | DIVD does a rescan and sends out second batch of notifications |