New rootkit iLOBleed targets HP servers

Threat Level – Red | Vulnerability Report

For a detailed advisory, download the pdf file here.The rootkit known as iLOBleed has been active since 2020 that is targeting Hewlett-Packard (HP) enterprises’ Integrated Lights-Out (iLO) server management technology to delete data from infected machines and corrupt firmware.

The malware family is being named ARM.iLOBleed.a .

The iLO module not only has access to the firmware, software, and hardware, but it also manages them, making them an excellent module for breaking HP servers and withstanding reboots and OS pre-installations. It aims to obstruct firmware updates invisibly by modifying a few original firmware modules. The firmware routine changes apparently simulate the firmware update process by displaying the correct firmware version and adding appropriate logs, even though no upgrades are performed. However, the exact mechanism used to gain network access and distribute data wiping malware is still unknown.

An advanced persistent group (APT) sponsored by the states is said to be behind this rootkit.

This rootkit can be mitigated by applying the necessary firmware manufacturer updates. Organizations can also isolate iLO networks from operating networks and monitor their firmware on a regular basis to detect this rootkit.

The TTPs used by iLOBleed include:

T1053 – Scheduled Task/Job

T1049 – System Network Connections Discovery

T1562 – Impair Defenses

T1561 – Disk Wipe

T1082 – System Information Discovery

T1106 – Native API

T1014 – Rootkit

T1059 – Command and Scripting Interpreter

T1574 – Hijack Execution Flow

T1495 – Firmware Corruption