{"id":7442,"date":"2022-02-07T17:52:03","date_gmt":"2022-02-08T00:52:03","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7442"},"modified":"2023-04-11T10:13:52","modified_gmt":"2023-04-11T17:13:52","slug":"rootkit-attacks-start-to-a-dangerous-trend","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/rootkit-attacks-start-to-a-dangerous-trend\/","title":{"rendered":"Rootkit Attacks: Start to a Dangerous Trend?"},"content":{"rendered":"

In early January 2022, a rootkit that had remained undetected in Hewlett-Packard products was discovered by an Iranian cybersecurity firm. The rootkit, dubbed iLOBleed<\/a>, is an implant that targets HP Enterprise\u2019s Integrated Lights-Out (iLO) embedded server management technology. The iLO is embedded on the motherboard of HP servers.<\/p>\n


Although it is still uncertain which threat actor is behind the iLOBleed attacks, the level of sophistication involved suggests it is most likely an advanced persistent threat (APT) actor. Either way, this attack is the first known incident of an iLO rootkit.<\/p>\n<\/blockquote>\n

What is a rootkit?<\/strong><\/h2>\n

A collection of malicious software designed to gain access to a computer, or to part of its software, that would not otherwise be possible without administrator privileges, and thereafter to mask its own existence.<\/p>\n

What is the iLO firmware?<\/strong><\/h2>\n

The iLO (short for Integrated Lights-Out) is a Hewlett Packard Enterprise hardware management device that can be fitted to servers or workstations as an add-on.<\/p>\n

iLO devices have their own processors, storage, RAM, and network cards, which allows them to run independently of the local operating system.<\/p>\n

The main role of the iLO is to provide a way for system administrators to connect to remote systems even when they are turned off, to perform maintenance tasks like upgrading firmware, installing security updates, and uninstalling or reinstalling systems.<\/p>\n

iLOBleed-ing since 2020<\/strong><\/h2>\n

The first attack leveraging the iLO firmware vulnerabilities was spotted in 2020 when an unknown threat actor compromised its targets, hid inside iLO to survive reinstalls, and maintained persistence inside the victim\u2019s network. To avoid being detected, the attacker disguised the rootkit as an upgraded module for the iLO firmware itself and went to great lengths to craft a fake UI for the disguised module.<\/p>\n


Fig 1: Comparison of the iLOBleed rootkit UI and the original iLO v2.55 UI<\/strong><\/p>\n

One interesting observation made by researchers was the extent to which the attackers went to wipe data from the server on their way out of the network, as well as to overwrite the iLO firmware so as to block updates that could remove the Trojan.<\/p>\n

A Stealthy Module<\/strong><\/h2>\n

Although the flaws may have been fixed in recent versions of HP firmware, it appears that an attacker can downgrade the firmware to an exploitable version. Since users cannot completely disable iLO, this leaves most versions exposed, except for Gen10 series servers, which offer a non-default, user-enabled setting that prevents firmware downgrades.<\/p>\n

The iLOBleed rootkit can be delivered to target devices either through the dedicated iLO network port or from the server\u2019s operating system by a user with administrator or root privileges, which makes such attacks both stealthy and highly persistent.<\/p>\n


Fig 2: Modules affected by the malware<\/strong><\/p>\n

The Stupid-Simple Exploit<\/strong><\/h2>\n

The iLO 4 firmware vulnerability is often referred to as a \u2018stupid-simple exploit\u2019 because of how easy it is to exploit. According to researchers<\/a>, the vulnerability can be exploited remotely with a single cURL request whose header contains twenty-nine \u201cA\u201d characters.<\/p>\n

curl -H \"Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"<\/span><\/p>\n

Vulnerability Analysis<\/strong><\/h2>\n

The vulnerability that allows the iLOBleed rootkit to compromise systems is detailed below:<\/strong><\/p>\n