Security News > 2022 > January > New iLOBleed Rootkit Targeting HP Enterprise Servers with Data Wiping Attacks
A previously unknown rootkit has been found setting its sights on Hewlett-Packard Enterprise's Integrated Lights-Out server management technology to carry out in-the-wild attacks that tamper with the firmware modules and completely wipe data off the infected systems.
The discovery, which is the first instance of real-world malware in iLO firmware, was documented by Iranian cybersecurity firm Amnpardaz this week.
Besides managing the servers, the fact that iLO modules have broad access to all the firmware, hardware, software, and operating system installed on the servers make them an ideal candidate to breach organizations using HP servers, while also enabling the malware to maintain persistence after reboots and survive OS reinstallations.
Dubbed iLOBleed, the rootkit has been put to use in attacks since 2020 with the goal of manipulating a number of original firmware modules in order to stealthily obstruct updates to the firmware.
Specifically, the modifications made to the firmware routine simulates the firmware upgrade process - by purportedly displaying the right firmware version and adding relevant logs - when in reality no updates are performed.
The development once again brings firmware security into sharp focus, necessitating that firmware updates shipped by the manufacturer are promptly applied to mitigate potential risks, iLO networks are segmented from the operating networks, and that the firmware is periodically monitored for signs of infection.
News URL
https://thehackernews.com/2021/12/new-ilobleed-rootkit-targeting-hp.html
Related news
- New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks (source)
- Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks (source)
- Exploit released for new Windows Server "WinReg" NTLM Relay attack (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)