"Sophisticated iLOBleed Rootkit Targets HP Servers"

The Tehran-based security firm Amnpardaz has discovered and analyzed a piece of malware dubbed iLOBleed, described as a sophisticated rootkit built to target HP servers. Its findings suggest the rootkit has been used against organizations in Iran, though no further details about the victims have been shared. The rootkit's level of sophistication indicates that an advanced persistent threat (APT) actor is likely behind it.

According to Amnpardaz, iLOBleed is an implant that targets Hewlett Packard Enterprise's (HPE) Integrated Lights-Out (iLO) embedded server management technology, a dedicated controller built into the motherboard of HP servers that lets administrators monitor, configure, and update servers remotely, even when the host operating system is down. The rootkit, first spotted in 2020, appears to exploit iLO firmware vulnerabilities found and disclosed in previous years. Although those vulnerabilities have been fixed in more recent firmware releases, on most systems an attacker can downgrade the firmware to a vulnerable version, and users cannot disable iLO completely.

iLOBleed can be delivered over the dedicated iLO network port or, by an attacker who already holds administrator or root privileges on the host, through the server's operating system. Once deployed, the rootkit adds a malicious module to the iLO firmware, giving the attackers complete control over the compromised machine. Because the implant lives in the iLO controller rather than on the host's disks, it survives an operating system reinstall, which is what makes rootkits such as iLOBleed so persistent and stealthy. This article continues to discuss findings regarding the targets, delivery, and process of the iLOBleed rootkit.

Security Week reports "Sophisticated iLOBleed Rootkit Targets HP Servers"