hiltpoll.blogg.se

Hpe ilo vulnerability

In newer servers, there is a much stronger concept of firmware security and secure boot that would likely prevent this type of attack.

As a quick aside, if you saw our AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost and Lenovo Vendor Locking Ryzen-based Systems with AMD PSB pieces, this is one of the types of firmware attacks that the feature is designed to mitigate. If you are on ProLiant Gen10 servers, then you likely have iLO 5, but G9 and older servers can be vulnerable.


First, let us discuss the rootkit briefly. Then, let us discuss the public scope of exposure on the Internet. The iLO rootkit is called that was disclosed at the very end of 2021 (see here for reference.) We missed picking this one up since it was on December 28. The basic idea is that HP/HPE iLO firmware can be altered and then the rootkit installed, leading to a persistent threat and attackers able to erase disks and more. This is specifically targeted at iLO 4 and below servers, even the HPE Moonshot iLO like we are showing above.


Outdated HPE iLO Interfaces Exposed to the Internet and Rootkits

While we have been focusing a lot on NAS crypto locking with DeadBolt and a recent wave of attacks, there was another one that came out at the end of 2021 targeting older versions of HP/HPE iLO. Specifically, a research team found a rootkit that can impact older generations of hardware using iLO 4 and earlier, and another researcher found over twenty thousand of these iLO 4 controllers connected directly to the Internet.
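
An added example, not from the original article: an offline audit of your own iLO inventory for the two conditions described above (iLO 4 or earlier, and a management address outside the out-of-band network). It assumes each controller's RIMP inventory XML (`MP/PN`, `MP/FWRI`) has already been saved per host; the addresses, firmware versions and the `MGMT_NETS` range are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: the approved out-of-band management range for a hypothetical site.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def rimp(spn, pn, fw):
    """Build a constructed RIMP document (sample data, not captured output)."""
    return (f"<RIMP><HSI><SPN>{spn}</SPN></HSI>"
            f"<MP><PN>{pn}</PN><FWRI>{fw}</FWRI></MP></RIMP>")

# Constructed inventory: (management address, saved inventory XML).
SAMPLE = [
    ("10.20.0.15", rimp("ProLiant DL380 Gen9", "Integrated Lights-Out 4 (iLO 4)", "2.55")),
    ("203.0.113.40", rimp("ProLiant DL360p Gen8", "Integrated Lights-Out 4 (iLO 4)", "2.30")),
    ("10.20.1.7", rimp("ProLiant DL380 Gen10", "Integrated Lights-Out 5 (iLO 5)", "2.44")),
    ("10.20.3.9", "<html>login</html>"),  # host that did not return inventory XML
]

def audit_one(addr, xml_text):
    """Return (generation, firmware, findings) for one controller."""
    findings = []
    # Flag any controller reachable on an address outside the management range.
    if not any(ipaddress.ip_address(addr) in net for net in MGMT_NETS):
        findings.append("outside-management-network")
    try:
        mp = ET.fromstring(xml_text).find("MP")
    except ET.ParseError:
        mp = None
    if mp is None:
        return None, None, findings + ["unparsed-review-manually"]
    # The product name carries the generation, e.g. "... (iLO 4)".
    match = re.search(r"iLO\s*(\d+)", mp.findtext("PN", default=""))
    gen = int(match.group(1)) if match else None
    if gen is None:
        findings.append("unknown-generation")
    elif gen <= 4:
        findings.append("ilo4-or-older")  # the generations the article says are affected
    return gen, mp.findtext("FWRI"), findings

def audit(records):
    """Audit every (address, xml) pair and key the results by address."""
    return {addr: audit_one(addr, xml_text) for addr, xml_text in records}

if __name__ == "__main__":
    for addr, result in audit(SAMPLE).items():
        print(addr, result)
```
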














