A new iLOBleed rootkit hides inside the firmware of HP devices

February 3, 2022

A cybersecurity research group has discovered a new rootkit that hides inside the firmware of HP Integrated Lights-Out (iLO) devices and that threat actors are using to wipe the servers of Iran-based organisations. The researchers named it the iLOBleed rootkit; it targets the HP Integrated Lights-Out firmware.

HP iLO is a hardware device that can be attached to servers or workstations as an add-on board. iLO devices have their own storage, RAM, processor and network card, and they operate independently of any local operating system, which is what makes firmware-resident malware such as iLOBleed so difficult to detect from the host.

The key function of iLO is to provide system administrators with a way to connect to remote systems, even when those systems are powered off, and perform maintenance operations such as firmware updates, installation of security upgrades, or reinstalling faulty systems.

These capabilities have made Integrated Lights-Out cards one of the most widely used enterprise products for managing remote computer fleets and enabling the deployment of operating system images in many modern data centres.


Researchers first discovered the iLOBleed rootkit in one HP iLO device in 2020.


One of the researchers said that they investigated several incidents in which an unknown threat group compromised targets using the iLOBleed rootkit, hidden inside the HP iLO, as a way to survive OS reinstalls and remain persistent inside the target's network.

The threat actors disguised the iLOBleed rootkit as a module of the iLO firmware to evade AV solutions. They had also developed a fake update UI to fool system administrators attempting to upgrade the iLO firmware.

Although the iLOBleed rootkit can give the attackers complete control over the infected device, the threat actors appear to have used it exclusively to wipe infected devices as part of a pseudo-wiping operation.

The researchers then said they attempted to catch the attacker, but the threat actors decided to wipe the server's disk and erase any traces left behind. So far, this newly discovered rootkit has only been used for data-wiping attacks in small-scale scenarios. However, experts believe that iLOBleed could be used for large-scale data-wiping campaigns in the future.
