
HPE iLO4 Ransomware Attacks

A new ransomware tool has been observed targeting HPE Integrated Lights-Out 4 (iLO 4), the embedded server administration software.

iLO is a remote management processor, integrated into certain HPE servers, that administrators connect to through a website or mobile application. It can be used to retrieve server logs and information, reboot servers or gain access to the installed shell.

The attackers behind the campaign are actively searching for servers with publicly reachable iLO ports. They will then attempt to gain access using either brute-force attacks or default credentials. Once they have access to the server they install an ISO file using the virtual media manager before rebooting the device. An application on the ISO file then encrypts all available files and enables the Login Security Banner feature to display the ransom note.

Security researcher M. Shahpasandi posted a screenshot of an HPE iLO 4 login screen that contained a “Security Notice” stating that the computer’s hard drives were encrypted and that the owners would have to pay a ransom to get the data back.

If you are currently using HPE iLO4 in your HP servers and are running an older version, make sure to upgrade to the latest firmware. Then check the administrative accounts to determine if any were created without your knowledge. Make sure that your iLO IP address is not reachable from the Internet and can be accessed only through a VPN.

It is speculated that the attackers gained access by exploiting either CVE-2013-4786, which allows an offline brute-force attack against the password hash of a valid iLO user, or CVE-2017-12542, which allows an authentication bypass and is resolved by updating to iLO version 2.53.

You can see if your devices are internet facing here: https://www.shodan.io/search?query=HP-iLO-4
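
The three checks recommended above (firmware level, unexpected accounts, reachability outside the VPN) can be run over an exported iLO inventory. The following is an added example, not code from the original article or from HPE; the CSV layout, management subnet, approved account names and hosts are constructed assumptions.

```python
import csv
import io
import ipaddress

FIXED_VERSION = (2, 53)  # iLO 4 release the article names as fixing CVE-2017-12542
# Assumptions for this example: the site's VPN-only subnet and approved accounts.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
APPROVED_ACCOUNTS = {"ilo-admin", "monitoring"}

# Constructed sample inventory (not real hosts); accounts are ';'-separated.
SAMPLE_INVENTORY = """host,ip,firmware,accounts
db01-ilo,10.20.0.11,2.55,ilo-admin;monitoring
web02-ilo,203.0.113.10,2.50,ilo-admin
app03-ilo,10.20.0.13,2.53,ilo-admin;support1
"""

def parse_version(text):
    """Turn '2.50' into (2, 50) so versions compare numerically, not as strings."""
    major, minor = text.strip().split(".")[:2]
    return int(major), int(minor)

def audit_record(row):
    """Return the list of findings for one inventory row."""
    findings = []
    if parse_version(row["firmware"]) < FIXED_VERSION:
        findings.append("firmware older than 2.53")
    accounts = {a.strip() for a in row["accounts"].split(";") if a.strip()}
    unknown = sorted(accounts - APPROVED_ACCOUNTS)
    if unknown:
        findings.append("unapproved accounts: " + ", ".join(unknown))
    addr = ipaddress.ip_address(row["ip"])
    if not any(addr in net for net in MGMT_NETWORKS):
        findings.append("address outside management network")
    return findings

def audit_inventory(text):
    """Map each host with at least one finding to its findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_record(row)
        if findings:
            report[row["host"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(findings))
```

Version 2.53 is used here as the minimum because it is the fix level the article cites; raise `FIXED_VERSION` to whatever the current firmware release is.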

Affected Platforms
• HPE Servers Running iLO4



iLO 4 Ransomware
Source: Twitter

 

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
